What is a Agent vs. a User

OK, thanks for the reply but this is still not clear.  I have a license that allows 3 agents.  I have assigned the built-in roles to MS AD groups as follows:

Group                                                   Role                                                       AD Group

Jira-administrators                          Administrators                                  jira-administrators

Jira-servicedesk-team                    Service Desk Team                           Jira-servicedesk-team

Jira-servicedesk-users                    Service Desk Customers                Jira-servicedesk-users

Through AD I have identified 2 Users in the jira-administrators group, 2 users in the Jira-servicedesk-team group and only 1 in the Jira-servicedesk-users group, but I keep getting a message that says my user license limit has exceeded the allocated 3 agents.  It is counting all 5 of the users as agents where as I thought only the member in Jira-servicedesk-team would be counted as agents.   I have about 100 users that will log in to create, update and status issues.  I have 2-3 servicedesk-team members that will be addressing these issues.  I was told that users did not require a license and only agents, IE servicedesk-team members, required a license.  What am I missing here?   Are non-licensed users only able to access SD via the portal or can they also access the dashboard?

Tks

This is how licenses are applied in system and how to manage it

Go to Application -> Application Access

There you will see, which groups are used to apply licenses. Basically, if you put user in any of groups listed here, he will counted toward used licenses count. Usually, you will find that also jira-administrators group counts as application acces group and that you administrators are thus taking licenses even they are not in jira-servicedesk-team group.

Basically everything in Jira is customizable - leave in Appliccation Acces only that group, you want to leave access for (jira-servicedesk-team). You admin will have access to administration, but if he does not have jira-servicedesk-team group, he will have no access to data at all (only configuration).

Thats how you can easily manage basic system permissions:

jira-servicedesk-users (does not count toward licenses, can access only portal)

jira-servicedesk-team (count towards licenses, bascially these are agents, further access to projects are made on project level)

jira-adminsitrators (does not count toward licenses, can only access portal and system administration)

If you want combine them, you can. Magic is that each group only does what is meant to.

Your other questions:

If you have only Jira Service Desk installed, the only one who will be able to log in directly to Jira (not to the portal), are agents (jira-servicedesk-team). Those will be able to transition issue, log work and type internal/customer comments. Rest of your users can be in jira-servicedesk-users and if you assign group jira-servicedesk-users to a role to grant it permission to access portal, they will be able to access service desk portal. Users can then create predefined requests there. Customers portal is very basic view of Jira issues. As customer, you can only create, comment, do some specific transitions (in workflow you can enable certain transitions to be available to the customers), and do some basic filtering on your requests. There are no dashboards, further searching or anything else and these users are limited to the portal only. These dont take any licenses.

So it really depends on what you want to allow rest of the 100 users to do. If portal is enough for them, let them work with portal and then you dont need any licenses for them. Also, portal can be extended with plugins and plugins are not that costly if you have Jira SD instance with 3 agents. If you will need to let them directly into Jira but dont need all the functionality as agents have probably best option is to implement Jira Core too. Jira core users will have access to Jira directly, can view dashboards etc. They will just have limited functionality which belongs to agents (So no comments visible to portal, no transitioning of issues in SD projects, no loggin work in these projects etc. - basically only view and internal comment). This option is here due to frequent request on coordination with L2 or L3 support, who does not need to be agent to view the issue and add internal comments. On the contrary, agents have full access to Jira core functionality once installed (even without core licenses), so they can create tickets in core projects if they need to further cooperate with anyone using core license.

Let me know if you are still lost in it. Once you get in, it is pretty straightforward.

This is a very good explanation, thank you.  The remaining problem is that I can't seem to remove the jira service desk application from the jira-servicedesk-users group.   It is grayed out and will not allow me to remove access to the application for those users.   It this set somewhere else or does the group need to be empty to remove?

Tks

I am finding out this is anything but straight forward.  The jira-servicedesk-users group seems to tied to the default application access policy and there is no obvious way to change that.  As a result once I integrate Jira authentication in Windows AD and add jira-servicedesk-users I exceed my licenses.  Do I need to create another AD group for my users?  

@John 

I understand that it might seems pretty non logical here, but its just all the safety mechanism to not make anything fail inside Jira. :-)

Thing is that Jira has to have at least one default group for each application, simply select default for jira-servicedesk-team and you will be able to remove jira-servicedesk-users from this list.

.