Tempo "View Team Worklogs" option affects other teams

I understand how this is currently implemented and behaving, so I think my question is more of a "is this actually intended behaviour"?

For data protection/compliance reasons we want don't want to give users the ability to see the summary of what people are working on in projects that they do not have some kind of management role (Scrum Master, Product Owner) and do not need that information. If this is actually intended behaviour then I don't see how we can implement such a need-to-know policy.

We first noticed this behaviour because we were doing internal trainings for our Scrum Masters, putting them all in a Sandbox Project and giving them full access to Tempo team and account management, but then noticed that they are now able to see all the work that their training peers are doing, which was very much not intended.

Now we are looking at how what we want to do can be achived without using the teams feature.

Accounts would be nice but permission management in accounts is a problem because there is no dedicated view permission for multiple users and groups.

Using the report feature and giving every team a dedicated report (which counts against the "View all worklogs" project permission as far as I understand) would kind of work but we can't share saved reports (outside sharing custo URLs) to make this intuitive.

If the way it is now is really intended behaviour then I would appreciate some pointers how one could do a need-to-know approach to people being able to view the timesheets of other people.

Tempo has another project permission - view issue hours that grants project users to only view logged hours, but not the worklog details. These users should not be part of Tempo Teams. Even if they are in a Team, they should not be a team lead or have view worklogs permission to view others worklogs. Is this what you are looking for?

That (and the Administer Projects permission I just found through your link) sound perfect for what we want to do, but these seem to only be available in Tempo Cloud and not for our Data Center version, is this correct?

I could not find it here: https://tempo-io.atlassian.net/wiki/spaces/THC/pages/437519635/Project+Permissions+-+Tempo+Server

Yes, this feature - view issue hours is only available on Cloud. Sorry I forgot you are using Server/Data Center.

On server/DC, without view worklog team permission or view all worklogs project permission, you will not be able to see others' logged hours in the Tempo reports. You can only see the total hours in Jira issue view (in the side panel) without seeing the collaborators.

Sorry, I think I'm not understanding your reply or something.

My problem is that if I have "View team worklogs" permission in my team I can see their worklogs in Tempo Reports, even if they also work in other teams. This in my opionion violates a need-to-know / segragation of duty approach because I can now see what the other team members are doing their whole day (given I have at least view rights on the projects) instead of only being able to see what my team member are doing in the project I am responsible for.

Also, fyi: If I have neither "view team worklogs" team permission nor "view all worklogs" project permission I'm still able to see collaborators on the actual Jira tickets. I think this is what the "view issue hours" cloud permission that you mentioned would limit if we had in on DC.

If you have the browse project permission for a project and one of your team members logged time against it for a different team, you, as team lead, will be able to see these worklogs even if it's not for your team.

I can see your point for need-to-know on the team members' worklogs. This is currently not possible to achieve with Team permissions, because Tempo worklogs are linked directly to users and are not identifiable by Teams.

I have put in an idea to add "view issue hours" feature on Server/DC, and another idea to have "worklogs identified by Teams". If you think this will meet your business requirements, please feel free to vote on them.

Regarding the collaborators, if you don't have those 2 worklogs permissions and still be able to view collaborators in Jira issue view, this is an unintended behaviour. Can you please open a support ticket for further investigation?

Hi Susan Wu!

We need to give a permission to Tempo Team Lead to see all the worklogs of the team members regardless of which projects these team members have worked on (even when the Lead has no access to the project). In accordance to your description that is "View team worklogs" permission. 

Where I can find it? We have JIRA Cloud&Tempo.

Thanks in advance!

Hi @Leonid Klimovich ,

Without Browse Project permission on the projects, you will only see the team member's worklog hours, but not the worklog details. Of course, this only works if team leads are just approving the total hours worked per week/month, but they don't need to know the details on what has been done by each team member.

If the team leads need to see the worklog details, they will need to have Browse Project permission for all the projects, but they don't need to have view all worklogs permission in the projects. This will allow team leads to view only the worklogs of their team members.

For example, Scott/Rick/Daniel are Tempo Team leads and they can only see worklogs of the own team members, if they don't have view all worklogs permissions in the projects. In Tempo, if you cannot view the worklogs, you will not be able to edit/manage them.

BR,

Susan Wu

Tempo Product Expert