How to grant READ ONLY access to a user via a Permission Scheme

Susan Molnar October 24, 2011

I have a Permission Scheme that controls several projects. I would like one user in our organization to have READ ONLY access to the projects controlled by this Permission Scheme, but can't seem to figure out how to do it.

I tried giving that user "jira-user" (basic login) rights only, then adding them as a single user to the "Browse Projects" permission in the Permission Scheme. I did NOT add them to any other permission in that scheme.

The results were that the user could, indeed, browse all the projects BUT ALSO COULD CHANGE STATUS on any issues within those projects. That isn't what I want. I want that user to have only READ ONLY access to the projects and NOT be able to perform any status changes, actions, edits or other actions on any issues.

Thanks to anyone who can help!

Smolnar

5 answers

0 votes
Alan elfert October 26, 2011

You need to add conditions to the workflow transitions for these projects. Your issue here caused me to review my workflow transitions and I found where I didn't have conditions for some. I also confirmed my anonymous users could transition issues when they should not be able to.

I added the conditions and confirmed that this took the ability to transition issues away from them. I'm pretty confident this will take this ability away from your read only named users as well.
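An added example, not part of the original thread and not Atlassian's code: a small Python audit that lists workflow transitions carrying no condition, which is the gap this answer describes. The XML is a constructed sample modeled on a JIRA workflow XML export; the element layout and the name `unconditioned_transitions` are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on a JIRA workflow XML export (assumed layout).
SAMPLE_WORKFLOW = """
<workflow>
  <initial-actions><action id="1" name="Create Issue"/></initial-actions>
  <common-actions>
    <action id="2" name="Close Issue">
      <restrict-to><conditions>
        <condition type="class">
          <arg name="class.name">com.atlassian.jira.workflow.condition.PermissionCondition</arg>
          <arg name="permission">Close Issue</arg>
        </condition>
      </conditions></restrict-to>
    </action>
  </common-actions>
  <steps>
    <step id="1" name="Open">
      <actions>
        <common-action id="2"/>
        <action id="11" name="Start Progress"/>
        <action id="12" name="Send to QA">
          <restrict-to><conditions type="AND"/></restrict-to>
        </action>
      </actions>
    </step>
  </steps>
</workflow>
"""

# Transitions on existing issues; the create transition is deliberately excluded.
TRANSITION_PATHS = ("./common-actions/action", "./global-actions/action",
                    "./steps/step/actions/action")

def unconditioned_transitions(xml_text):
    """Return [(id, name)] for transitions with no <condition> element."""
    root = ET.fromstring(xml_text)
    findings = []
    for path in TRANSITION_PATHS:
        for action in root.findall(path):
            # An empty <conditions/> wrapper restricts nothing, so it counts too.
            if not action.findall("./restrict-to//condition"):
                findings.append((action.get("id"), action.get("name")))
    return findings

if __name__ == "__main__":
    for tid, name in unconditioned_transitions(SAMPLE_WORKFLOW):
        print(f"transition {tid} ({name!r}) has no condition")
```

Each transition it reports is a candidate for a permission or group condition, so that a user who holds only Browse Projects is not offered it.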

0 votes
Peter Shiner October 25, 2011

You should also check that Mr/Ms. Read Only is not inheriting edit permissions because the issue is Assigned/Reported or is Project Lead and thereby getting permission to edit.

0 votes
Jo-Anne MacLeod October 25, 2011

If it's only one user (and won't ever change) then you can give browse permission to an individual user (it's one of the options there).

Susan Molnar October 25, 2011

Thanks, Jo-Anne, but that's actually what I tried first. :(

Jo-Anne MacLeod October 25, 2011

Have you used the jira-user group anywhere? If so then that is why they have more permissions than you want. I always recommend against using the jira-user group in any permission scheme for just this sort of reason.

Susan Molnar October 25, 2011

The only use of "jira-user" is that all my users belong to that group EXCEPT the user I'm trying to give read-only access to. But the "jira-user" group is NOT referenced anywhere in my Permission Scheme.

Jo-Anne MacLeod October 25, 2011

Now I'm confused. The user needs to be in the jira-user group in order to be able to log into the system. How is he logging in?

Susan Molnar October 25, 2011

Oh, I'm not sure what you can see in terms of others' answers, but my second try was based on the following suggestion from another person in this forum:

The user group "jira-users" is used several places in the system. A clean method would be to create a new user group "jira-viewers" and in Administration->Global Permissions grant the group the "JIRA Users" permission. (A bit confusing). Then assign the user to that user group so that they can log on. Then you can go back to Administration->Permission Schemes and add/assign the user group you just created, "jira-viewers", to the "Browse Projects" permission.

The user who views is not added to any other "jira-" user groups nor are they assigned any Project Roles.

Global Permissions (JIRA Users <=> Logon) is assigned to a user group and then that user group is enabled in the Permission Scheme for the project(s) to Browse Projects.

Peter Shiner October 25, 2011

...hence the idea of a brand new group "jira-read-only" to contain this one user who is a member of only this group.

Jo-Anne MacLeod October 25, 2011

OK, I think that I now understand why this is happening. I duplicated your problem. I created a test user and assigned them as a single user to the permission. They could view only exactly as I wanted. However, they could still transition through the workflows. What I would need to do is restrict the workflow steps to a particular group of people. A group that doesn't contain this user. Yuck. Really, really big yuck. I'll investigate to see if I can think of a better solution for you.

Jo-Anne MacLeod October 25, 2011

However, if you haven't restricted the ability to transition an issue to a particular group of people, how would this new group work? They would still have permission to transition.

Peter Shiner October 25, 2011

I made my test Mr. Read Only able to Edit one issue by:

1) Adding Mr. Read Only to the jira-users group.

2) Assigning the issue to him.

3) Adding in the permission scheme the ability for the Current Assignee to Edit issues.

4) Removing Mr. Read Only from the jira-users group. Now only in jira-read-only group.

5) Mr. Read Only can now edit issue 61 but no other issue.

As a side effect of this test, and the reason for the group jiggering, is that it appears if a user cannot edit the issue you cannot assign the issue to them. Don't know if this is true always but was that way initially on issue 61 in my JIRA instance.

0 votes
Peter Shiner October 25, 2011

Susan, one answer may be that you are not using the same Permission Scheme with the project you are trying to protect. I did this in a simple system with one Project and one Permission Scheme (in JIRA 4.4.3). The only actions I was able to perform were "Vote" and "Watch". No other options appeared. Even in the GreenHopper Task board I could not do a workflow transition.

A second answer may be permission inheritance via the system group "Anybody". I would also check to see if "Anonymous" or "Anybody" was granted any rights that "Mr/Ms. Read Only" could be inheriting. This could be in the Permission Scheme or via a Project Role.

Susan Molnar October 25, 2011

I appreciate your patience as I try to work this out, Peter!

I do know for sure that the projects I'm trying to protect are all using the same Permission Scheme. I'm not sure what to look for regarding your "Anybody" or "Anonymous" question. Could you explain how my "Mr. Read Only" could inherit rights from either of those, if my user is only in that single group? Would I look in the Permission Scheme to see if there are rights given to "Anybody" or "Anonymous"?

Here's the Browse Projects permissions for my Permission Scheme. Note that the Project Role (All Users) is just a rename of the (Users) Role, and my read-only user is NOT in the group that is associated with that Role.

Browse Projects
Ability to browse projects and the issues within them.
  • Project Role (All Users) (Delete)
  • Single User (enterprise-hosted-support) (Delete)
  • Group (jira-readonly) (Delete)

Thanks,

Susan

Peter Shiner October 25, 2011

What is the Permission Scheme definition for Edit/Move/Resolve/Close Issues?

0 votes
Peter Shiner October 25, 2011

Smolnar,

The user group "jira-users" is used several places in the system. A clean method would be to create a new user group "jira-viewers" and in Administration->Global Permissions grant the group the "JIRA Users" permission. (A bit confusing). Then assign the user to that user group so that they can log on. Then you can go back to Administration->Permission Schemes and add/assign the user group you just created, "jira-viewers", to the "Browse Projects" permission.

The user who views is not added to any other "jira-" user groups nor are they assigned any Project Roles.

Global Permissions (JIRA Users <=> Logon) is assigned to a user group and then that user group is enabled in the Permission Scheme for the project(s) to Browse Projects.

Peter

Susan Molnar October 25, 2011

Peter, I followed your instructions exactly (with the only exception being that I named my new group "jira-readonly" instead of "jira-viewers") but got the same results (user able to change status on issues).

However, I did NOT know if you were indicating another step in the process by your last sentence, "Global Permissions (JIRA Users <=> Logon) is assigned to a user group and then that user group is enabled in the Permission Scheme for the project(s) to Browse Projects" so my implementation did not include anything related to that statement.

Here's what I did:

1. Created new group named "jira-readonly."

2. Added that new group to the GLOBAL PERMISSION "JIRA Users."

3. The global "JIRA Users" permission now has two groups: jira-users and jira-readonly.

4. I put my user into that group and that group only.

5. I edited the Permission Scheme for the projects I want the user to have read-only access to by adding the new group "jira-readonly" to the Browse Projects permission.

6. I logged in as my user, navigated to an issue in one of the projects controlled by the Permission Scheme, and found that I could still select workflows and move the issue from one status to another.

Did I miss something?

Thanks

Susan
