JIRA: Deny Sensitive Project Search and View
Keeps issues that belong to a configurable set of "sensitive" JIRA projects out of read access through the JIRA MCP server.
Keeps issues that belong to a configurable set of "sensitive" JIRA projects out of read access through the JIRA MCP server.
Blocks write operations against issues that belong to a configurable set of "sensitive" JIRA projects.
Reusable DTwo policies for Atlassian JIRA MCP servers (the Atlassian-hosted JIRA MCP server and compatible implementations).
| Policy | Direction | Purpose |
|---|---|---|
| redact-sensitive-info | egress | Redact PII, credentials, and secrets from JIRA issue-view responses (issues, JQL search, comments, worklogs, remote links). Transform-only — never denies. |
| deny-view-search-sensitive-projects | ingress | Deny direct views and explicit JQL searches of sensitive projects; silently filter generic searches to exclude them. |
| deny-write-sensitive-projects | ingress | Deny write operations (edit/transition/comment/create/move/link, etc.) on issues in sensitive projects. |
DTwo prefixes tool names with the MCP server name configured on the gateway. A JIRA MCP server registered as atlassian-jira-mcp will surface tools like atlassian-jira-mcp-getjiraissue, while one registered as atlassian will surface atlassian-getjiraissue. The policies in this directory match on the suffix (-getjiraissue, -searchjiraissuesusingjql, etc.) so they stay portable across naming conventions — but you should always confirm the exact tool name your gateway sends using the dump-input debug technique before deploying.
These policies do not require any specific IdP claims. If you want identity-based exemptions (e.g., a break-glass role that can read unredacted content), gate the relevant rule with object.get(input.subject.claims, "<claim>", "<default>").
To add a JIRA policy:
apps/jira/<policy-slug>/ with policy.md and a tests.yaml test file.apps: ["jira"] in the policy frontmatter, plus any industry / bundle slugs that apply.bundles/atlassian), link to it from the matching landing page.pnpm manifest from the repo root.See CONTRIBUTING.md for the full process.