Disable implicit connector visibility for administrators (experimental)

By default, administrators can always edit, see and use all connectors, whereas for all non-administrators the visibility and usage of connectors in the 'AWS Resources' menu, the connector selection widget, and via the REST API is scoped to the selected groups, which allows delegating the retrieval of temporary AWS credentials.

While this behavior properly reflects the security barriers in the Atlassian Server universe (where administrators are generally able to get access to all data one way or another), it turns out to be a usability flaw for scenarios where many users have been granted administrative rights to overcome insufficient permission granularity in the host product (e.g. Bamboo before the permission changes introduced in release 6.2). As a preliminary workaround, this feature flag changes the default behavior as follows:

- by default, members of the administrator group (e.g. bamboo-admin) will no longer be able to see and use any connectors via the REST API or dependent resources like the 'AWS Resources' menu and the connector selection widgets, unless they are explicitly granted access by including the respective group within the Groups selection
- regardless, members of the administrator group (e.g. bamboo-admin) will still be able to edit all connectors via the configuration screen

Note |
---|
No security barrier: This change is mostly a usability improvement, not an impenetrable security barrier, because administrators can still grant themselves access to connectors at any time simply by adjusting the connector-to-group associations or their own group membership, etc. |
Refer to https://utoolity.atlassian.net/browse/UAA-298 for more details regarding the relation of this preliminary workaround to possible more far-reaching changes to Identity Federation for AWS permission granularity in a future release. |