How do I make sure people only have access to specific projects?

Michael Arndt
Rising Star
May 23, 2019

I'm learning to add users now.

I have a user who I only want to have access to a project called "Purchasing".

When I added him and he logged into the Android Jira app, it looked like he had access to all projects. He's not a member of the Developer group.

What do I have to do to make sure he can only see and create issues in the Purchasing project?

3 answers

2 accepted

2 votes
Answer accepted
Joe Pitt
Community Champion
May 23, 2019

JIRA permissions

First, by default JIRA has a horrible permission scheme that violates security best practices by allowing everyone who can log on to do just about everything.

 

JIRA works by GRANTING access. You can't restrict access. By default, it grants access to the group used to log on (see Global permissions to see the "can use" groups and admin groups). This is where users are getting their access.

 

  1. The FIRST thing you need to do to get control is to remove any groups with logon privileges from the permission scheme unless you absolutely want everyone to have that permission.
  2. Then I suggest you set up Project Roles for the various functions like tester, QA, Browse Only, etc.
  3. By using project roles, one permission scheme will cover all projects. The project admin controls project role membership.
  4. If the project leads want everyone that can log on to have access to the project, they can add the logon group to a project role with the desired permissions.

 

This may be a big effort, but it will pay off down the road by making it easy to control access.

 

Most of the 'old timers' use project roles. It meets the best practice for security and gives complete control to the project lead for access to their project. JIRA comes with many project roles, but you can add more if you have a special need.
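
An added example, not part of the original answer or of Jira itself: one way to audit a permission scheme for the broad grants the answer says to remove. It assumes the scheme has been exported as JSON in the shape of Jira's REST permission scheme resource (`permissions[].holder.type` and `parameter`); the sample scheme, the group names and the function name `audit_scheme` are constructed for illustration.

```python
import json

# Constructed sample, shaped like a Jira permission scheme exported with its
# permission grants expanded (assumed shape: permissions[].holder.type/parameter).
SAMPLE_SCHEME = json.loads("""
{"name": "Default Permission Scheme", "permissions": [
  {"permission": "BROWSE_PROJECTS", "holder": {"type": "applicationRole"}},
  {"permission": "CREATE_ISSUES", "holder": {"type": "group", "parameter": "jira-software-users"}},
  {"permission": "BROWSE_PROJECTS", "holder": {"type": "projectRole", "parameter": "10002"}},
  {"permission": "CREATE_ISSUES", "holder": {"type": "projectRole", "parameter": "10002"}},
  {"permission": "ADD_COMMENTS", "holder": {"type": "anyone"}},
  {"permission": "EDIT_ISSUES", "holder": {"type": "group", "parameter": "purchasing-team"}}
]}
""")

def audit_scheme(scheme, login_groups):
    """Return (broad, group_based) findings for one permission scheme.

    broad: grants that reach everyone who can log on, or anonymous users.
    group_based: grants to other groups, which a Jira admin controls
    rather than the project lead. Project role grants are not flagged.
    login_groups: the "can use" groups listed under Global permissions.
    """
    login_groups = {g.lower() for g in login_groups}
    broad, group_based = [], []
    for grant in scheme.get("permissions", []):
        holder = grant.get("holder", {})
        htype, param = holder.get("type"), holder.get("parameter")
        perm = grant.get("permission")
        if htype == "anyone":
            broad.append((perm, "anonymous/public"))
        elif htype == "applicationRole":
            # No parameter is assumed to mean "Any logged in user".
            broad.append((perm, f"application access: {param or 'any logged in user'}"))
        elif htype == "group" and (param or "").lower() in login_groups:
            broad.append((perm, f"login group: {param}"))
        elif htype == "group":
            group_based.append((perm, param))
    return broad, group_based

if __name__ == "__main__":
    broad, group_based = audit_scheme(SAMPLE_SCHEME, {"jira-software-users"})
    for perm, why in broad:
        print(f"Remove or justify: {perm} granted to {why}")
    for perm, group in group_based:
        print(f"Consider a project role instead: {perm} granted to group {group}")
```
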

0 votes
Answer accepted
Michael Arndt
Rising Star
May 23, 2019

> The FIRST thing you need to do to get control is to remove any groups with logon privileges from the permission scheme unless you absolutely want everyone to have that permission.

So I went to Global Permissions, Permission Schemes and then when I open up a scheme I need to remove any reference to "Any logged in user". Is that correct? 

Is there any reason you wouldn't use groups instead of roles?

 

Joe Pitt
Community Champion
May 24, 2019

Groups are controlled by the JIRA admin, which gives one more duty to the JIRA admin, and they may add users you don't want to have in your project. Roles give complete control to project leads.

Michael Arndt
Rising Star
May 26, 2019

Great answer. Thank you so much.

0 votes
Michael Arndt
Rising Star
May 23, 2019

https://youtu.be/b_bqn1CLsi8

So this video did a pretty good job of simplifying permissions for me.

I basically just need to be specific with what each item grants access to and just don't have it available to everyone who is logged in.
