I’m trying to enforce a strict access control model in my Jira Cloud site.
Only Org Admins (group: org-admins) should be able to change project/space access and permissions.
Other project admins (including test admins / team leads) must not be able to change access.
Hello @Vallala Ujwala,
In Jira Cloud you can’t really do “project admin, but not allowed to change access”.
In team-managed (and JSM team-managed service projects), the Administrator role is basically “you can configure the project”, and that includes Change access. There’s no separate switch to lock that down only to org admins while still letting team leads be project admins.
So your real options are:
Governance option: only put your org-admins in the team-managed Administrator role. Everyone else gets lower roles.
Strict control option: use company-managed projects for anything that needs centralized permission control.
And as a preventive measure: limit who can create team-managed projects, otherwise new “locally controlled” projects will keep popping up.
Short version: team-managed is designed for local autonomy. If you need “only org admins can change access”, you either remove admin from others or go company-managed for governed projects.
I believe you need to ensure each project's "Administrator" role is only assigned to org admins (JSM project), and that the project's Permission Scheme grants the Administer projects right only to org admins.
For a Team Managed project, enforcing what you wanted defeats the purpose of having Team Managed projects utilized in your site.
By default, a project's Administrators role members manage the space access and permissions given to their project users.
Hope this helps.
Best, Joseph Chung Yin
@Joseph Chung Yin and @Arkadiusz Wroblewski are both right here.
But if you are on a Free subscription of Atlassian, there are no permission configurations possible, as this can only be achieved on paid subscriptions.
That's true.
Is it possible to restrict other admins and allow only org admins to change the channel access for JSM company-managed projects?
Please help me here.
Hello and good Sunday @Vallala Ujwala
Yep but sadly not in the way you want.
In JSM company-managed, Channel access is part of project configuration. So if someone is a Project Admin on that project, they can change it. Cloud doesn’t give you a separate permission like “can admin the project, but can’t touch channel/customer access”.
So the only way to enforce “only org admins can change this” is governance:
keep Project Admin limited to your platform/org-admin group
don’t give Administer projects to team leads/test admins
and remember: anyone with global Jira Admin can override anyway
So the lever isn’t a setting, it’s who you allow to be Project Admin.
It’s less elegant than we’d like, but that’s how the permission model is designed today.
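Added example, not part of any reply in this thread: since the control is role membership rather than a setting, a periodic audit can flag any project whose Administrator role contains anything other than the `org-admins` group. The sample data is constructed, and its field names (`type`, `actorGroup`, `actorUser`) are assumed to follow the project role actor objects returned by the Jira Cloud REST API.

```python
# Added example: audit Administrator role membership per project.
ALLOWED_GROUP = "org-admins"  # group name taken from the question

# Constructed sample data (not real output), keyed by hypothetical project key.
SAMPLE_ROLES = {
    "OPS": {"name": "Administrators", "actors": [
        {"type": "atlassian-group-role-actor",
         "actorGroup": {"name": "org-admins"}},
    ]},
    "QA": {"name": "Administrators", "actors": [
        {"type": "atlassian-group-role-actor",
         "actorGroup": {"name": "org-admins"}},
        {"type": "atlassian-user-role-actor",
         "actorUser": {"accountId": "acc-constructed-1"}},
    ]},
    "HELP": {"name": "Administrators", "actors": [
        {"type": "atlassian-group-role-actor",
         "actorGroup": {"name": "team-leads"}},
    ]},
}

def actor_violation(actor):
    """Return a label if the actor is not the allowed group, else None."""
    if actor.get("type") == "atlassian-group-role-actor":
        name = actor.get("actorGroup", {}).get("name", "unknown")
        return None if name == ALLOWED_GROUP else f"group:{name}"
    # Direct user grants sidestep group-based governance, so always flag them.
    account = actor.get("actorUser", {}).get("accountId", "unknown")
    return f"user:{account}"

def audit(roles_by_project):
    """Map project key -> list of findings; clean projects are omitted."""
    findings = {}
    for key, role in sorted(roles_by_project.items()):
        results = [actor_violation(a) for a in role.get("actors", [])]
        bad = [r for r in results if r is not None]
        if None not in results:
            # Nobody from the allowed group holds the role at all.
            bad.append(f"missing:{ALLOWED_GROUP}")
        if bad:
            findings[key] = bad
    return findings

if __name__ == "__main__":
    for project, issues in audit(SAMPLE_ROLES).items():
        print(project, issues)
```

The audit covers project role membership only; holders of global Jira Admin, who can override anyway, need a separate review.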
@Arkadiusz Wroblewski Is it possible to make a field read-only using a script?
For example, in DC, we can write a fragment based on user groups and make a class or ID read-only. Is something similar possible in Cloud? If so, could you please suggest how it can be implemented?
Here, Cloud is very different from DC.
In Jira Cloud you can’t do the old Data Center trick with ScriptRunner fragments (injecting JS/HTML, targeting IDs/classes, making fields read-only on the fly). Cloud simply doesn’t allow that kind of UI manipulation.
Is something possible with respect to admin permissions, or is there any workaround?
Note: Admin should be able to see components.
Or can it not be achieved in any way? Please confirm.