Hi Tempo Team,
tl;dr: If not implemented as a 3LO app, TEMPO cannot access non-public data from the Jira API.
We recently migrated to Jira Cloud and implemented our user management via Atlassian Access using our Azure AD. In a ticket I opened with TEMPO support (https://tempo-io.atlassian.net/servicedesk/customer/portal/6/TCS-39357) I learned that you are using the public Jira API to get user information in user picklists etc. This means all attributes TEMPO needs have to be public. This is an information security issue (also GDPR relevant) for us, as we would make all our employees' email addresses and display names publicly available in order to use TEMPO properly. There are multiple attack vectors for misuse of this information.
I checked with Atlassian support and they told me that TEMPO could be implemented as a 3LO app, which would make it possible to also access the non-public data: https://developer.atlassian.com/cloud/confluence/security-overview/#:~:text=OAuth%202.0%20%283LO%29%20is%20a%20token-based%20method%20for,to%20provide%20consent%20to%20access%20to%20their%20data.
Please implement it so we can "unpublish" our users' data.
Best regards,
Sven