Add global option "Enable group <anyone>"

2014-09-11T17:28:58
ID ATLASSIAN:JRASERVER-39912
Type atlassian
Reporter remi.saias
Modified 2018-02-08T06:32:15

Description

{panel:bgColor=#e7f4fa} NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? [See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-39912]. {panel}

As mentioned in JRA-18076 and JRA-23255, the predefined group anyone poses security risks in many cases as it exposes projects to unauthenticated users.

I tend to think that in 90% of Jira instances that group has no use and is just a security risk dangling over our heads.

I would suggest an option to enable that group so it is not possible to share a filter or give a permission to anyone unless the group is enabled through that new option.

By default, it should be disabled. This way, administrators who knowingly want to allow anonymous access would need to change the setting, and maybe read some warning (see JRA-18076)