Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Permission strategy for Jira access by external users

Nihar Kumar Dalai
Nihar Kumar Dalai May 26, 2023

We are opening up Jira access to external users (not part of our Organization AD) . So we have created a group for these users (let's call it ext-grp ) and they are able to access Jira and the required projects meant for external users. However, for security reason we must put in place a restriction so that Project Admins of other internal projects can't add these external users accidentally. All internal users are part of an internal group (let's call it int-grp)

All internal projects use a scheme where browse access is provided to Project roles. So if the admins add external users with these roles, they can access these internal projects. If instead of project roles, we use internal group int-grp , then everyone in the organization will have access to all internal projects. And we have 100s of internal projects, we can't create dedicated group for each project.

Considering this, what should be a better strategy here ?

Comment
Watch
Like Be the first to like this
595 views

1 comment

Comment

Log in or Sign up to comment
Graham Twine
Graham Twine
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
May 26, 2023

Hello @Nihar Kumar Dalai ,

 

Even though you have 100s of projects. I am sure projects can be categorized into those used by departments.

 

Even with that said, one needs to control access to projects with groups in an organization.

1. Disable the internal User Directory.

2. Make the AD directory read only users and groups.

3. Assign department groups to project roles

(In my case people are never given direct access to project roles or to permission schemes)

 

This is still not enough as people with project admin privileges can assign people directly to project roles and this breaks the on boarding and off boarding processes defined in the organization.

 

You can prevent this by never adding people to the Project Admin privilege.

I have written a custom plugin to prevent project admins from administering project roles. We have an automated process to do this in an external system.

 

In short, one cannot have a trivial access system to manage a complex implementation.

Like
Reply
Nihar Kumar Dalai
Nihar Kumar Dalai May 31, 2023

Thank you @Graham Twine  for the response!

It will be heck of a task to make such changes at this stage and for all the projects. At least can we write a custom script to alert when an external user is added to a project?  

Like
groups-icon
Data Center
TAGS
AUG Leaders

Atlassian Community Events

    See all events