Based on your authentication vs data residency examples, here’s a comprehensive approach that handles both scenarios effectively.
Core Principle: Use a Canonical Requirement Per Business Behavior
Create one requirement issue that captures the business need independent of environment. This is your source of truth for what the system must accomplish, not how it accomplishes it. Your requirement title should describe the capability, not the implementation: “Users must authenticate securely” rather than “Implement LDAP authentication.”
Modeling Environment Applicability in Custom Fields
For requirements where implementation varies but acceptance criteria are similar:
-
Add Environment Scope Field (Multi-Select)
- Values: On-Premises, Cloud, Hybrid
- Required field that forces explicit environment applicability
- Visible on requirement cards and in JQL queries
-
Add Implementation Variance Field (Single Select)
- Values: Identical, Minor Variance, Major Variance
- Helps determine if child issues are needed
- Filters requirements needing deeper environment-specific analysis
-
Add Environment Implementation Notes (Text Area)
On-Premises Implementation:
- LDAP integration with Active Directory
- Local credential storage
- Session timeout: 30 minutes
Cloud Implementation:
- SSO via OAuth 2.0 (Okta)
- Token-based authentication
- Session timeout: 60 minutes
This approach works well for your authentication example where the business requirement (secure authentication) is the same, but technical implementation differs. Test cases can link to the parent requirement and use environment-specific test data or configurations.
Using Child Issues for Truly Divergent Environment Behavior
When acceptance criteria, testing approach, or technical architecture fundamentally differs (like your data residency example), create child issues:
Parent Requirement: “Customer data must comply with geographic residency regulations”
- Environment Scope: On-Premises, Cloud
- Implementation Variance: Major Variance
- Status: Drives overall completion based on child completion
Child Issue 1: “On-Premises: Data residency via physical server location controls”
- Acceptance Criteria:
- Servers physically located in customer-specified region
- Network traffic restricted to regional data center
- Backup storage within same geographic boundary
- Test Cases: Physical audit procedures, network trace validation
Child Issue 2: “Cloud: Data residency via AWS region selection and sovereignty settings”
- Acceptance Criteria:
- AWS region configured per customer contract
- S3 bucket region lock enabled
- Cross-region replication disabled
- CloudTrail logging for data access audit
- Test Cases: AWS configuration validation, API-based region verification
The children have completely different acceptance criteria, testing approaches, and technical implementations. They’re genuinely separate requirements from a development and QA perspective, but logically grouped under the business need.
Traceability Matrix Impact
With this hybrid approach, your traceability becomes:
- User Story → Parent Requirement → Child Requirements (if needed) → Test Cases
- Test cases link to the most specific requirement level (parent for minor variance, child for major variance)
- JQL queries can roll up coverage: “Show me all requirements with Cloud environment scope and their test coverage”
- Reports show parent requirement status as aggregate of children when children exist
Decision Criteria for Your Team
Use Custom Fields Only when:
- Business logic and acceptance criteria are essentially the same
- Testing approach is similar (same test cases, different test data)
- Implementation notes can adequately capture differences
- Development work happens in the same codebase/branch
- Examples: Authentication methods, UI theme variations, regional date formats
Use Child Issues when:
- Acceptance criteria differ substantially
- Testing requires different test cases or testing tools
- Development happens in separate code modules or branches
- Separate technical reviews or approvals needed
- Examples: Data residency, compliance certifications, infrastructure requirements
Workflow Integration
Add a workflow validator that checks:
- If “Implementation Variance” = “Major Variance”, require at least one child issue per environment in “Environment Scope”
- If no child issues exist, require “Environment Implementation Notes” to be populated
- This enforces your standard and prevents incomplete requirement specifications
Practical Example for Your Authentication Requirement
Since authentication is conceptually the same (verify user identity and establish session), use the custom field approach:
REQ-101: “Users must authenticate securely before accessing the application”
-
Environment Scope: On-Premises, Cloud
-
Implementation Variance: Minor Variance
-
Environment Implementation Notes:
On-Premises: LDAP integration
Cloud: SSO via OAuth 2.0
Both: Multi-factor authentication optional, session management per security policy
-
Test Cases: TC-AUTH-001 (LDAP login flow), TC-AUTH-002 (SSO login flow), TC-AUTH-003 (Session timeout)
The test cases reference the same requirement but have environment-specific test data in their configurations. Your traceability matrix shows one requirement with multiple test cases, clearly indicating which tests apply to which environments via labels or test case custom fields.
This approach eliminates your REQ-101/REQ-102 duplication while maintaining clear traceability and supporting both simple and complex environment variations.