Controlling Customer Access Across Multiple Service Desks

I have tried all the options given and none seem to work.

@Paul Boorer , find a customer that can see projects that they should not be able to see. go to the offending project and check to see if the customer is anywhere in the Customer list. Be sure to check both the root customer level as well as and organizations. Visibility of projects in the Help Center is controlled thru the Customers function.

Hi @Jack Brickey 

I mean in the Help Center

I have tested this and an external user that sends a request to a Service Desk and then creates an account to manage the request can navigate to all other Service Desk's Help Center Request Raising screen.

Ideally they'd only see the one for the SD that they have raised an issue in

did you check what i suggested? are these customers listed in the other projects. The way it should be working is like this...

Project 1 has customer A, B, C, D

Project 2 has customers A, X, Y, Z

If A logs into portal then they will see Project 1 and Project 2 and can open requests for either.

B,C,D will only see project 1

X,Y,Z will only see project 2

so if you don't want "A" to see Project 2 please make sure they are not a customer of Project 2. If you confirm that they are not a customer of P2 and indeed they can see P2 then please reach out to Atlassian Support.

@Jack Brickey, I think the issue arises when you want to allow users to sign-up.

If it's not feasible to to manually administer users via the "Who can access the portal and send requests to <Service Desk Name>? Customers my team adds to the project" option, there is no way to keep individual service desks "private". See the note from the original post:

***Note: When I flip this over to "Anyone can send a request via the portal or <servicedeske-mail>", this opens the respective portal up to be visible by all customers. This appears to be the key point of failure. However, at least one project needs to have this option to allow for Sign Ups...

Essentially, there's no way to allow sign-ups for a project unless it's available to "Anyone". So it isn't possible to allow only users to access a "private" portal in order to sign-up for an account with access to that portal only. What's missing from your scenario is I have customer M (out of a customer base of hundred or thousands; thus it is not feasible to manually add these customers in advance), who isn't currently a user in any SD project. How do they get access to only Project 2? The (unfortunate) answer is that they have to be added manually, which then sort of defeats the purpose of sign-ups (within multi-SD instances; sign-ups obviously function as intended when you allow "Anyone" permission, say in the case of a single SD instance).

There is some additional system behavior that occurs when a project is open to "Anyone", the project auto-adds all existing customers in any project to the target/Anyone project. I feel that if it were at least possible to manage this aspect, we might be able to achieve a desired functionality, but based on the response I received from Atlassian (see above post), that's not in the mix as of current.

Alternatively, let's say I have Project 3 - which is set to "Anyone" access. What happens is that all customers (A, B, C, D, X, Y, & Z) are immediately added as customers in this project. Then, customer M is able to request access via a sign-up. Customer M should really only have access to Project 2, but this isn't feasible, because they also have access to Project 3 due to Atlassian default adding all customers to the project. So there are two issues:

1. Customer M still doesn't have access to Project 2 (which now requires a licensed user to manually add them to Project 2) and
2. Customer M does have access to Project 3 and ideally, shouldn't (at least not without taking some extra steps to discover it, since it is open to "Anyone"; if a licensed user were at least able to remove them from the customer list of Project 3, that would be a start, knowing full-well that they may find the Project 3 portal of their own accord)

Using: Service Desk Cloud Version

I have successfully figured out how to fully isolate all of our customers from one another in the Help Center.  Here's how I did it.

• Go to your project's settings -> Customer Permissions
• In the "Who can access the portal and send requests to The [Customer Name]?" section, use the "Customers my team adds to the project" option

Doing this will now hide this project from the pool of projects in the Help Center.  Once I did this for all customers, this meant that there were no projects visible now for my test user.  

Next, on the Customers page, add an 'Organization' (pretty much a group of people) to the project (if you don't have one already).  Now, any users that you add in this organization will only be able to access to the portal of the project(s) that they are included in.  

I really hope this helps someone out there as this has been a customer service nightmare for almost a year now.

That's correct. Unfortunately, that may not be scalable in all instances (which was my original need - an unidentified pool of potential users).

Hi @Jack Brickey

RE: Your questions:

First, for sure if you choose “anyone” for a project under customer permissions then any customer from any client could become a customer of that specific project. However, that should have no impact on access to project that have “customers my team adds.

Correct. The issue is basically that I can't establish more then one or two projects to allow for granular control over who can access a customer portal in this manner. Our clients simply have too many potential users. I'd like to keep projects where my team is having to add users to an absolute minimum.

do I understand correctly that you have a single JSD instance and you have chosen to implement a project per client? Or do you have multiple clients per project?

We have one instance of all Atlassian products in use (Jira, Jira Service Desk and Confluence). Within our Jira Service Desk, there are multiple projects, one per client (and an "internal", test project). I don't feel that having multiple clients rolled into a single project (and then using organizations to control access) provides the necessary level of granularity we need for some clients (for some clients, we have ticket groups, and for others we don't). However, I fear that I may have to "hack" our test project to be the one project that does allow "Anyone" access, at least in order to generate a sign-up link (see original post RE: "dummy" portal).

are you using Organization feature? If so I assume you have grouped customer per client into orgs.

This is dependent. Given that we have so many potential users, we would have no clear way to identify their respective "organizations" within the client's structure (See above RE: single project). In some projects, if we know there are certain users who need to share requests (typically by the primary client contact verbalizing a request to do so), we do create an organization of those users (e.g. "Accounting" for Accounting Users). Given that in my desired experience, any user could potentially sign-up for an account, this would then require manual effort to assign users into organizations, which isn't necessarily a requirement (unless it becomes one based on JSD's functionality in order to achieve my desired experience; i.e. each project has at least one organization for the entirety of the client (e.g. Organization = Client); this may be used as a "safety net" to prevent the "bleed" you mention in your next question).

have you inspected the listed customers under each project to ensure you are not seeing customer bleed between projects/clients. This includes not having unwanted orgs in a project.

I'll need to do some more extensive testing now that I have all of my projects established. I was hoping to have an answer to this before opening up my projects to external users, as I don't really care for egg on my face. I've tested with a few accounts, but I'll need to setup some additional e-mail addresses to perform adequate testing. I only have one project that is currently exposed to external users, and that is for a small client that is able to be actively managed. However, in testing my additional projects, I was given pause based on my questions above prior to expanding the roll-out.

regarding your info above on JSD permission scheme I do not understand how/why Service Desk Customer are showing here at all. Permission Scheme is not for customers at all. Rather Customer permissions is to be used for all customer permission config. For sure customer would not and should not have all the permissions shown above. Maybe I am misreading this?

My understanding is that this was done upon initial creation of a JSD project (by default). As outlined in this article, I do believe these permissions to be correct. Presumably, just by nature of the user registering on a service desk, they would fall into the "Service Desk Customer - Portal Access" access category. If these permissions are not associated with this access category (or some other manner by which Service Desk customers would be granted such permissions - i.e. by role or group), then the Service Desk customer would not be able to perform any functions on the portal.

So, after additional testing this morning, I've reached the following conclusions:

1. In order to actually allow for Customers to create their own accounts, you have to get them to a sign-up page. In order for the sign-up pages to actually function, you have to have some combination of permission settings (i.e. "Anyone can send a request without logging in") that allow anyone to access. Otherwise, you receive an error message indicating:

This seems pretty contradictory.

2. Even if I were able to get a user signed-up magically, there does not appear to be a direct way to allow them to only sign-up into the respective project, so they would default be added to any/all projects allowing "Anyone" access. Then I would have to manually go and add them to a given project (and remove them from others; note: this does not work for projects allowing "Anyone"). Even if I provide an explicit sign-up URL specifying a certain portal, by nature of "Anyone" access in projects, they would be added to those projects, not necessarily the specific portal's sign-up URL project.

Surely this cannot be as intended. I'm very inclined to believe I'm missing something in my configuration, but given all of my trials thus far, I'm beginning to come around to the possibility that this functionality is not supported by JSD, which is frustrating because one would easily infer this functionality to exist by the nature of having multiple projects with dedicated configurations.