Versions Compared

Old Version 44

changes.mady.by.user Mike Harrison

Saved on

compared with

New Version Current

changes.mady.by.user Kyle McEwan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Name

SU for

JIRA

Author(s)

Andy Brook [Plugin People] (Unlicensed)

Jira

Homepage

this page

Price

Commercial

Compatibility

JIRA 5 or newer

Jira Core, Software and Service Management

Marketplace

SU for

JIRA

Jira

IssueTracking

JIRA

 

Table of Contents

 

...

titleDual Marketplace/Vendor licensing

Dual licensing means SU for JIRA can be:
a) Licensed with Marketplace license
b) Licensed with Vendor licenses

Dual licensing does not mean SU Vendor licenses are compatible with marketplace, can be installed in marketplace or otherwise used anywhere except the Vendor license screen, as they are by definition Vendor licenses.

...

Issues

Support System


Table of Contents

What is SU?

Excerpt

As a JIRA Jira administrator you get users saying 'I cant do xyz', or you have conversations like 'you should see xyz' and the phone says 'no I cant'. You need to be your user to ensure clarity of instructions, and to spot/resolve other kinds of problems. Without giving passwords away, how do you do that? Well, you use this plugin. This plugin enables system administrators to become another user (to 'su' in Linux speak), enable setup, testing etc

Installation

  1. You can install this plugin via the universal plugin manager!

License install

The Plugins 'configure' link lets you request an EVAL license. Follow the screenshots listed on the plugin page

...

Licensing

Versions above 1.5.x support dual licensing.  This means that:

Marketplace licenses (obtained via the Marketplace) can be installed

...

directly:

...

Keyboard Shortcut

@since JSU 1.5.4

A global keyboard shortcut is available for SU, to see available shortcuts press ?, to trigger the SU prompt, press the combination g (the ^ is shift 6!)+ u, then you will get:

User Prompt

User Selection

Ready to Submit

Image Removed
Image Added

Image Removed
Image Added

Image Removed
Image Added

Controlling Access

@since JSU 1.5.5

(info) Only system admins can configure who can SU, anyone with SU capability cannot SU to a user with system admin capability!

...

The default behaviour is that System admins and JIRA Jira admins are able to SU, access may also be granted to nominated groups (note: probably not a good idea to add jira-users into this!):

Default Access

With specified Group Access

With Delegated Groups enabled

Image Added

Image Added

Image Added

Delegated Groups (Since 1.16.2)

Delegated

...

Image Removed

...

Groups allow system admins to scope a SU ability for nominated group members to manage a target group. This differs from standard SU whereby any authorized user for SU can SU to any user (apart from where a privilege escalation occurs).

The Delegated Groups feature must be enabled before use:

...

When Delegated Groups is disabled, Users within Delegated Groups will not be able to use SU and the System admin wont be able to add, remove or manipulate Delegated Group authorisations, as shown below:

...

When Delegated Groups is enabled, System admins can add a Group to become a Delegated Group and then authorise Users and Groups that the Users within the Delegated Group can SU into.

From the example shown below, all Users within the Jira Group group1 will be able to SU into the Jira User, user2 but nobody else as no other Users or Groups have been authorised.

Note that anybody in group1 can SU into user2 but user2 will not be able to SU into anybody in group1.

...

When a user which is authorised is an inactive user, they will appear with the DEACTIVATED flag, as shown below:

...

SU Notifications (Since 1.17.0)

You are now offered the option to send a notification to the user whos account has been accessed, on entry, exit or both or neither.

The default option is None. Descriptions of the Notification options are below and this is set by your system admin in the Jira SU Configuration.

SU Notification option

None

Entry

Exit

Both

Resulting notification events

The target Jira user will not be notified when an authorised user accesses or exits their account.

The target Jira user will be notified when an authorised user accesses their account but will not be notified when they exit their account.

The target Jira user will not be notified when an authorised user accesses their account but will be notified when they exit their account.

The target Jira user will be notified when an authorised user accesses or exits their account.

...

Currently, there is no way to alter the email that will be sent to the SU target user.

SU-Exit

The SU Exit for JIRA SU is accessed via the toolbar, as shown below:

...

Image Removed

Manual Tweak required (Prior to V 1.4.4)

  1. Modify the file /atlassian-jira/secure/admin/user/views/userbrowser.jsp to get a UI 'SU' link. Find the following (starting around line 182 in JIRA 5.2), the bold section is added to make the SU link visible.

    <td data-cell-type="operations">
    <ul class="operations-list">
    ..

    <li><a id="su_link_<webwork:property value='name'/>" href="<ww:url page='JiraSU.jspa'><ww:param name="'name'" value='name' /></ww:url>">SU</A></li>
    <li><a id="projectroles_link_<ww:property value="name"/>" href="<ww:url page="ViewUserProjectRoles!default.jspa"><ww:param name="'name'" value="name" /><ww:param name="'returnUrl'" value="'UserBrowser.jspa'" /></ww:url>"><ww:text name="'common.words.project.roles'"/></a></li>
    ...
    </ul>
    </td>

Pre-modified files:

For the time challenged, assuming no other customizations, copy the appropriate file to /atlassian-jira/secure/admin/user/views/userbrowser.jsp

The manual approach

Jira 3.x - 4.1.x Add the following beneath it:

Code Block
   | <a id="su_link_<webwork:property value="name"/>" href="<webwork:url page="JiraSU.jspa"><webwork:param name="'name'" value="name" /></webwork:url>">SU</A>

Jira 4.2

Code Block
   | <a id="su_link_<webwork:property value='name'/>" href="<ww:url page='JiraSU.jspa'><ww:param name="'name'" value='name' /></ww:url>">SU</A>

Jira 4.4+ - 6.0

...

Logging

With SU v1.8.3 (Jira 7.10.x), its now also possible to log out SU activity, to track common SU related actions (SU to userX, SU exit, history retention changes, manual purge etc).

Add the following to your JIRA_HOME/WEB-INF/classes/log4j.properties file, it will then append high level actions to the give files. Here, we create su.log specifically to capture this info, but also send a copy to the console and filelog, remove as needed.

Code Block
##==========================================
##
## SU logging
##
log4j.appender.SUFileLog=com.atlassian.jira.logging.JiraHomeAppender
log4j.appender.SUFileLog.File=su.log
log4j.appender.SUFileLog.MaxFileSize=20480KB
log4j.appender.SUFileLog.MaxBackupIndex=5
log4j.appender.SUFileLog.layout=org.apache.log4j.PatternLayout
log4j.appender.SUFileLog.layout.ConversionPattern=%d %t %p [%c{4}] %m%n
log4j.appender.SUFileLog.Threshold=INFO
  
#
# add entries for all SU packages
#
log4j.logger.com.javahollic.jira.jsu=INFO, console, filelog, SUFileLog
log4j.additivity.com.javahollic.jira.jsu=false

Legacy Logging
Status
colourRed
titleBefore 1.13.1

Code Block
##==========================================
##
## SU logging
##
log4j.appender.SUFileLog=com.atlassian.jira.logging.JiraHomeAppender
log4j.appender.SUFileLog.File=su.log
log4j.appender.SUFileLog.MaxFileSize=20480KB
log4j.appender.SUFileLog.MaxBackupIndex=5
log4j.appender.SUFileLog.layout=org.apache.log4j.PatternLayout
log4j.appender.SUFileLog.layout.ConversionPattern=%d %t %p [%c{4}] %m%n
log4j.appender.SUFileLog.Threshold=INFO
  
#
# add entries for all SU packages
#
log4j.logger.com.javahollic.jira.jsu=INFO, console, filelog, SUFileLog
log4j.logger.com.javahollic.jira.web.action=DEBUG, console, filelog, SUFileLog
log4j.additivity.com.javahollic.jira.jsu=false

Jira 9.5.0 and above Log4j2 XML configuration

Status
colourBlue
titleRESTART REQUIRED

Jira 9.5.0 has upgraded the Log4j runtime logging library to version 2. Log4j2 uses XML configuration file format. With the following configuration, Jira will create a su.log file in JIRA_HOME/log.  A Jira restart will be required to make the changes apply.

  1. Go to yourJIRA_INSTALL_DIR/atlassian-jira/WEB-INF/classes/log4j2.xml file

  2. Add the following lines above the closing Appenders tag </Appenders> (around line number 257) :

Code Block
<!--        #####################################################-->
<!--        # SU APPENDER STARTS                                 -->
<!--        #####################################################-->

<JiraHomeAppender name="SUFileLog"
                  fileName="su.log"
                  filePattern="su.log.%i">
    <PatternLayout alwaysWriteExceptions="false">
        <Pattern>
            %d %t %p [%c{4}] %m%n
        </Pattern>
    </PatternLayout>
    <Policies>
        <SizeBasedTriggeringPolicy size="20480KB"/>
    </Policies>
    <DefaultRolloverStrategy fileIndex="min" max="5"/>
</JiraHomeAppender>

<!--        #####################################################-->
<!--        # SU APPENDER ENDS                                   -->
<!--        #####################################################-->

3. Add the following lines above the closing Loggers tag </Loggers> (at the bottom, around line number 839) :

Code Block
<!--        #####################################################-->
<!--        # SU LOGGER REF STARTS                               -->
<!--        #####################################################-->

<Logger name="com.javahollic.jira.jsu" level="DEBUG" additivity="false">
    <AppenderRef ref="SUFileLog"/>
</Logger>

<!--        #####################################################-->
<!--        # SU LOGGER REF ENDS                                 -->
<!--        #####################################################-->

Centrally logging?

After enabling logging, in 1.8.5+ the following will be seen for SU and SU-Exit actions:

Code Block
2018-10-08 14:01:47,710 http-nio-8080-exec-6 INFO [jira.web.action.JiraSUAction] SU Complete, From [user=admin, name=admin] To [user=test, userName=test]
...
2018-10-08 14:02:11,512 http-nio-8080-exec-12 INFO [jira.web.action.JiraSUExitAction] SU EXIT Complete, From [user=test, name=test] BackTo [user=admin, userName=admin]

Usage

Once installed, as a system administrator, go to the User Browser, you will find a SU link in the Operations column. Clicking SU will reset who you are to the given user, and return you to the Dashboard.

Alternate usage (no install needed)

You can also invoke the SU via the following javascript, contributed by ~eisJavaScript:

Code Block
javascript:if(window.location.hostname.search(/jira.+/)==-1){alert(%22Jira%20SU:%20URL%20doesn't%20point%20to%20a%20Jira%20system!%22);}else{void(uid=prompt('Jira%20SU%20('+window.location.hostname+')',''));if(uid){window.location.href=%22https://%22+window.location.hostname+%22/secure/admin/user/JiraSU.jspa?name=%22+uid.toLowerCase();};};

(info) If your Jira isn't deployed to / you will need to update the url URL with the prefix:

Code Block
/PREFIX/secure/admin/user/JiraSU.jspa?name=%22+uid.toLowerCase();};};

Version History

...

TODO

...

reimplement auditing

...

1.3.x

...

?

...

1.3

...

Extend to allow 'exit' back to existing system admin user

...

1.2

...

Auto redirects to Dashboard on successful SU

...

1.1

...

bugfix, make work with /jira type context deployments, required interim 'click here' page to get to the Dashboard, couldn't figure out how to redirect straight there.

...

1.0

...

Initial release

Open Issues

...