Anonymous users are able to browse JIRA user base via REST API
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
Using any working REST endpoint as in JRASERVER-29069, anonymous users are able to retrieve the entire JIRA user base (without logging in JIRA).
Diagnosis
JIRA does not allow Anonymous access. Anonymous users are required to log in before they can view projects and issues.
Cause
Browse Users global permission is granted to Anyone.
Solution
Resolution
If JIRA does not allow Anonymous access, it's not recommended to grant Browse Users global permission to Anyone. Dismissing Anyone from the permission will resolve the issue.
Was this helpful?