I'm running JIRA over the cloud with different end clients having their own projects for issue management. Currently I've got users assigned to groups and then the groups assigned to project roles. When a project is created, I am using a project template that is tied to the project roles.
So what is happening...
When an end client clicks on the project listing, they can only see their project. Entering in another project they don't have access to doesn't show up in the autocomplete and as far as they know, there are no other projects. So this is working as expected. However, when they are on the issue creation page/modal, in the project dropdown, they are able to see all other projects.
I've tried fixing this in the Permission scheme, if I remove the project role from the Browse Project permission, the user can't see anything, not even their own project. I've tried adding an Issue Security Level, but that doesn't seem to affect the project drown down list, only who can see the issue once it is created.
Any advice on where to go?
https://support.atlassian.com/jira-cloud-administration/docs/manage-project-permissions/ is a good read on this, but it does focus on "creating a new scheme".
It's hard to do screenshots, there are three different views you might see depending on project type and system (more if you want to worry about different server/dc versions), they're time-consuming, I don't have time to do them all (sorry, I'm just a volunteer here) and the docs are usually better than anything I write.
For two of the three project types though, go to the project, hit the "project settings/admin" and look for the "permission scheme", click on that and then open it up the scheme. You'll find a lot of rows of permissions, one of which is "create issue"
The fields to the right are rules for "who can do this", they'll say things like
Create issue is given to:
In this example, obviously Bob can create issues, but you need to stop Bob, so you would need to:
When a user selects "create issue", it should only offer the projects that they can create issues in.
You are very close to what you need to do, but you need to look at the permissions for "Create issue", not "Browse project" (although you'll probably need to consider it if you make changes - if, for example, they both say "Role: users", you will need to think about how to separate them)