Expected result: In Jira Service Management I want to allocate internal users into organisations so that each internal user can see and edit tickets that belong only to their organisation.
Current result: Internal users are not able to see tickets reported by them + the tickets of their organisation, instead they see only all other tickets created by other internal users from other organisations.
Steps I have already taken to solve this: I have created security levels in security schemes and chosen certain internal users that need to be included in automation.
Then I allocated each internal user to their corresponding organisation (adding customers in organisations). Then I created an automation (screenshot attached).
Please advise guys which parts I am doing wrongly or maybe I missed something?
Hi @Yura Hayrapetyan and welcome to the community!
Adding users to organizations should be sufficient. I would make sure that the project's permission scheme - Browse Projects permission isn't too loose. By default it should only be open to:
If you have, say, "Any logged in user" set here, that would be a big no-no that would override any type of portal permissions that you're trying to establish.
Welcome to the community. To supplement what @Mark Segall mentioned, one thing that you mentioned in your ask was "Internal users see and edit tickets", which I am a bit concerned about - What do you mean by internal users? And what do you mean by edit tickets? In general, JSM issue editing is only performed by Agents (users with JSM licenses).
Best, Joseph Chung Yin
Jira/JSM Functional Lead, Global Infrastructure Applications Team
Hi @Joseph Chung Yin
Thanks for your quick reply. By internal users I meant agents indeed. I just managed to understand the root cause of "agents do not see their own created tickets", which resulted from the added security levels.
To sum up - I have added a,b,c,d agents (company employees) to x,y,z organizations (clients) under a common Jira Service Management project. But all agents can now see all tickets of the project. Instead, I'd like each agent to see/edit tickets only of the organization to which they belong.
Thanks for the clarity @Yura Hayrapetyan and nice catch @Joseph Chung Yin. Organizations are only meant for portal users. They have no impact on your agents. Agents will have access to all issues in the project by default.
You can go the route of issue level security, but you'll need to revisit your whole permission scheme. Here's a step-by-step on issue level security:
Another option you may want to consider is setting up separate JSM projects for each team. It would probably be the easiest method for segmenting the work.
Based on my understanding that Agents (by default) will see all issues within a project, I would recommend that you set up your issue security level with individual levels - one for each organization. Within those security levels, include only the specific agent that supports each organization.
NOTE - You should also check the customer permissions "Customer sharing" option associated with your project (via Project settings >> Customer permissions) to ensure that it is set to "Customer can search for other customers within their organization".
Hope this helps.
Thank you @Joseph Chung Yin @Mark Segall. Although I have set the issue level security as mentioned above, and I configured an automation for it already, it did not work. I will have a look again at your shared articles and reflect back asap.
P.S. Please see attached the screenshot of the automation I configured earlier.
The security levels are set up and in each organization there are at least 3 agents, and some of these agents appear in other organizations as well. In Automation I set up for each organization there is a separate security level calling out, but I still cannot achieve the expected result.
By saying it did not work, I meant I kept receiving some errors: Actor does not have permission to view one or more issues, or the issue was deleted (please check permissions and issue security levels):
For your automation rule, you must add the rule actor as a member to your issue security configuration for each security level that you established.
So each security level will include the automation rule actor in the call out.
Hope this helps.
Thanks @Joseph Chung Yin for your quick response.
It did help, now I managed to restrict the agents by organizations. However, as a result I got into another problem: the customer that creates a ticket from the portal cannot view it, and I receive an error in automation.
Can you please help me on this as well?