how do I blacklist a group from a project?

We have hundreds of users and dozens of projects. User management is linked to ldap and all users are part of the jira-users group. jira-users are by default in a role in every project which allows them to browse and create issues.

I have a couple of projects that I want to deny browse and create permission to a small group of users.

Can I do this without modifying every project, while continuing to allow new users to automatically be able to browse and create issues in the target projects? 

If I pull the blacklisted out of the jira-users group, then I have to modify every other project to include them explicitly. If I leave them in jira-users then how do I let everyone else browse/create?

It seems like I can't use the project role permissions to do this. So how do I do this?

1 answer

0 votes

In the project you want to protect, you need to change the membership such that the people in your "black list" do not get access. 

Take the example of "create".  The permission scheme probably says something like "Create:  role: users",  and then you have the group jira-users in the role of users in the project.  You need to take jira-users out of the role, replacing it with a group, or set of groups, that does not contain the people on the black list.

I hope your answer will help someone, but with hundreds of users who are sync'd through LDAP, I don't think I can use this answer. In order to not use the group which is sync'd with LDAP, I would have to create a non-sync'd group which will become quickly obsolete.

I need some method which overrides the default permission behavior, some way of making an exception for a small group.

I'm afraid there is no such method.  JIRA permissions are permissive and additive - you give people the ability to do stuff, and they then can.  Not give them and take away later.

Issue Security is the exception there, as it can hide individual issues from users you've previously granted browse permission to, but it is issue by issue (JIRA users can see all of project XYZ, but I've set a level on XYZ-1267 that says "only admins").  And it has nothing to say about permissions other than "can see issue"

Suggest an answer

Log in or Sign up to answer
Community showcase
Asked Dec 06, 2018 in Jira Ops

I'm John Allspaw, Ask Me Anything about incident analysis and postmortems

I'm John Allspaw, co-founder of   Adaptive Capacity Labs, where we help teams use their incidents to learn and improve. We bring research-driven methods and approaches to drive effective inciden...

5,619 views 22 17
View question

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you