Security
Calendar Sync for Jira does not update any data in Jira, it is a read-only exporter. See below for more information depending on your hosting environment.
Jira access rights (Jira Cloud)
During the installation, Jira will create an artificial "user" representing the add-on in the system. The user is called "Calendar Sync" and is visible in User Management like a regular user account (but it does not count toward the user limit). The addon will use this account to read data from Jira and generate calendar feeds. You can adjust the permissions of that user to narrow down what the addon can see.
To implement role-based access control, project administrator permissions are required. While these permissions are not used for modifications, they are essential due to limitations within the Jira API that necessitate the determination of user role assignments.
To manage what the add-on can access, you need to adjust the permissions for the aforementioned user. If your Jira is set up to grant new users access to certain information, it is crucial to configure these permissions prior to using Calendar Sync for Jira. Failing to do so may result in the add-on being unable to execute queries, leading to fewer issues being displayed than anticipated or even errors related to insufficient project or issue visibility.
Calendar Sync conducts queries based on the configurations defined in the feed settings at regular intervals. Some data is stored externally on Expium servers, but only to the extent that it has been configured to be included in the calendars.
Jira access rights (Jira Server)
For Jira Server (on-premise), Calendar Sync executes all queries using the access rights of the user who created the feed. There is no separate "user" account generated for the add-on.
Calendar Sync ensures that no information is transmitted or stored outside of Jira. All data remains within the same database as Jira, managed through the Atlassian persistence framework.
The application features an error reporting functionality that notifies Expium in the event of critical errors. These reports are designed to exclude any sensitive data, containing only technical details about the error itself. This process is essential for maintaining a reliable user experience. If you prefer to opt out of this feature, it can be easily disabled from the configuration screen.
User authorization
Once a feed is created, all users who are configured to see it will be able to access the calendars with all events. Calendar Sync supports the flexible configuration of user access rights by group, project role, or Jira user fields on issues. See Configuration for more information on adjusting user rights for the feeds.
Calendar data security
Calendar Sync for Jira exposes the calendars with URL addresses which do not require any authentication. It is required in order for calendar applications to be able to obtain the data, as most such applications do not support authentication.
While knowing the URL is all that is necessary to obtain feed data, the address is impossible to guess, even for existing users of the add-on. At the same time all communication is encrypted with HTTPS, keeping the URL as well as the data safe from eavesdropping.