Tempo Ideas

Welcome to Tempo’s Idea Portal! Your suggestions are valuable to us and help us make our products even better.
Below is a list of ideas for Tempo, so please search, review and vote for those that would help you the most. We encourage you to add an idea if you don’t see it listed. You can stay updated on the work we are doing here at Tempo by contributing to this page.
To learn more and see our Frequently Asked Questions, click here.

Implement Tempo cloud as 3LO app to minimize the use of the public Jira API

Hi Tempo Team,


tl;dr: If not implemented as a 3LO app, TEMPO cannot access non-public data from the Jira API

We recently migrated to Jira cloud and implemented our user management via Atlassian Access using our AzureAD. In a ticket I opened with TEMPO support (https://tempo-io.atlassian.net/servicedesk/customer/portal/6/TCS-39357) I learned that you are using the public Jira API to get user information in user picklists etc. This means all attributes TEMPO needs have to be public. This is an information security issue (also GDPR relevant) for us, as we would make all our employees' email and display name publicly available in order to use TEMPO properly. There are multiple attack vectors for misuse of this information.

I checked with the Atlassian support and they told me that TEMPO could be implemented as a 3LO app, which would make it possible to also access the non-public data: https://developer.atlassian.com/cloud/confluence/security-overview/#:~:text=OAuth%202.0%20%283LO%29%20is%20a%20token-based%20method%20for,to%20provide%20consent%20to%20access%20to%20their%20data.


Please implement it so we can "unpublish" our users' data.


Best regards,


Sven

  • Sven Rütz
  • Aug 18 2022
Tempo Products Tempo Timesheets
Tempo Platform Cloud