View only own issues - Issue Security scheme set

Hi @Trudy Claspill

Thanks for getting back to me. 

They are only allowed to use the customer portal. 
Within the customer portal we want to arrange this access where they are only able to view their own issues, and not the whole organization's issues. 

The Security Scheme is applied to our two most popular projects to see whether this worked. 
It seems to be that the Security Scheme is affecting the Project itself instead of the Customer Portal. 
Could that be the case? 

It seems that whenever I only added the Reporter and Assignee to the SS, I was unable to view certain issues (2 out of the 12). 
I was still able to view other issues where I was NOT either Reporter or Assignee. 
This was also raising some concern. 

The customer is not listed as Request Participant as that was also not an option within the Security levels. Ofcourse, there is a possibility to create a custom field for that.


Do you need more information? 


Kind regards,
Ruud Hoogeveen

I believe (but have not fully tested) that the Security Schemes apply only to licensed Jira users and Jira Service Management agents/team members who are viewing the issues through the Jira UI. I don't believe that the Security Schemes apply when issues are viewed through the Service Management portal.

For people who are only Customers of your service management project and only using the Portal to view issues, the issues they can view should be governed by:

1. They are the Reporter

2. They are an explicit Request Participant

3. The settings that govern if a Customer in an Organization can see all the issues associated with their Organization.

When you say "I was still able to view...", were you using an identity that is a licensed Jira Service Management user with the Service Desk Team Member role? Were you viewing the issues through the Portal or directly in Jira? How were you finding the issues that you were trying to view.

This article may help you understand the application of the Permission Scheme in Service Management projects.

https://support.atlassian.com/jira-cloud-administration/docs/customize-jira-service-management-permissions/

And this is the home page for information about Customer permissions:

https://support.atlassian.com/jira-service-management-cloud/docs/customer-permissions-for-your-service-project-and-jira-site/

Hi Trudy, 

I do agree and noticed that the Security Scheme apply to the Jira UI. 
I have checked and tested to change several levels of security to the issues and saw several issues dissapear within the UI.

I'm the most interested in point 3. As it seems now, we have one organization with every customer in it who has registered through our customer portal. They are able to view every issue within our organization.

We are not planning to create more organizations as that would result into an organization for every single customer we have. 
We could also create a organization for each team but that's still not ideal. 


When I was still able to view, I was indeed a licensed Jira SM user/admin with the Org admin permissions (I assume I should be able to view everything, at any time).




As soon as I added (besides Current Assignee and Reporter) a group I was in, I was able to view the two extra issues we had in our project. 
However, out of the nine other issues we had, I was only assigned or reported two or three issues. 
So I expect that with only Current Assignee and Reporter added to the Security Levels, I was only able to view those three issues. But I could see nine. Even thought I had no association with those issues. 


Unfortunately, those articles about Customer permissions seems to be about creating accounts, mostly. 
I will look into it further, but I'm not sure if I will find more. 

Kind regards,
Ruud Hoogeveen

Based on my testing, if a customer is a member of an Organization then they will have the option to share their ticket with the Organization. They will see the Share With option when opening their issue through the Portal.

With the global option set to not automatically share issues with the Organization the field will initially show Share With No One.

However the customer can change that to share with the Organization.

The only way you can prevent a Customer from sharing their ticket with their Organization is to remove them from the Organization.

The other possibility is that there is an Automation Rule that is automatically setting the Organization field in every issue.

Regarding your ability to see issues where an Issue Security Level has been applied, such issues should be visible only to the people specified within the Issue Security Level configuration for the level applied to the issue. If you are not within that configuration, you should not be able to see the issue. This does mean that issues can be made not visible to Jira Admins and Organization Admins.

A Jira Admin could circumvent this with their ability to modify the Issue Security Level configuration and add themselves to the configuration.

Note that the Security Level field must actually be set on each issue in order to limit the issue's visibility. If no Security Level has been set for an issue, then it is visible to anybody who has the Browse Projects permission for that project.

Hi Trudy,

We do have automatically set that the standard of sharing will be with no one, and we do see that back when creating an issue. 
However, we have the option to let customers mail to us which will automatically create an issue but they do not have an option there to set the sharing to no one. 

I have tested it myself when creating a ticket which is shared by no one, the administrators were able to see the ticket in the customer portal, but a regular customer could not see it. 
So this test was succesfull. 

I think I know how to set this up correctly now (if it isn't already done so) but the customers need to file in the issue correctly if they want the issue to be hidden. 

Thanks for all the help! 

Kind regards,
Ruud Hoogeveen