How to restrict internal users to see only certain organizations' tickets?

Hi guys!

Expected result: In Jira Service Management I want to allocate internal users into organisations so that each internal user can see and edit tickets that belong only to their organisation.

Current result: Internal users are not able to see tickets reported by them + the tickets of their organisation, instead they see only all other tickets created by other internal users from other organisations.

Steps I have already taken to solve this: I have created security levels in security schemes and chosen certain internal users that need to be included in automation.
Then I allocated each internal user to their corresponding organisation (adding customers in organisations). Then I have created an automation (screenshot attached).

Please advise guys which parts I am doing wrongly or maybe I missed something?

 

5 answers

2 accepted

2 votes
Answer accepted
Mark Segall Community Leader Sep 20, 2022

Hi @Yura Hayrapetyan and welcome to the community!

Adding users to organizations should be sufficient.  I would make sure that the project's permission scheme - Browse Projects permission isn't too loose.  By default it should only be open to:

  • Project Role (Administrators)
  • Project Role (atlassian-addons-project-access)
  • Project Role (Service Desk Team)
  • Service Project Customer - Portal Access

If you have say, "Any logged in user" set here, that would be a big no no that would override any type of portal permissions that you're trying to establish.

Hi @Mark Segall
Thanks for the prompt response. The permission scheme is not loose. It is set like you just described.

0 votes
Answer accepted

@Yura Hayrapetyan -

Welcome to the community. To supplement what @Mark Segall mentioned, one thing that you mentioned in your ask was "Internal users see and edit tickets", which I am a bit concerned about. What do you mean by internal users? And what do you mean by edit tickets? In general, JSM issue editing is only performed by Agents (users with JSM licenses).

Please advise/clarify.

Best, Joseph Chung Yin

Jira/JSM Functional Lead, Global Infrastructure Applications Team

Viasat Inc.

Hi @Joseph Chung Yin
Thanks for your quick reply. By internal users I meant agents indeed. I just managed to understand the root cause of "agents do not see their own created tickets", which resulted from the added security levels.
To sum up: I have added a, b, c, d agents (company employees) to x, y, z organizations (clients) under a common Jira Service Management project. But all agents can now see all tickets of the project. Instead, I'd like each agent to see/edit tickets only of the organization to which they belong.

Mark Segall Community Leader Sep 20, 2022

Thanks for the clarity @Yura Hayrapetyan  and nice catch @Joseph Chung Yin.  Organizations are only meant for portal users.  They have no impact on your agents.  Agents will have access to all issues in the project by default.

You can go the route of issue level security, but you'll need to revisit your whole permission scheme.  Here's a step-by-step on issue level security:

https://support.atlassian.com/jira-cloud-administration/docs/configure-issue-security-schemes/

Another option you may want to consider is setting up separate JSM projects for each team.  It would probably be the easiest method for segmenting the work.

@Yura Hayrapetyan -

Based on my understanding, Agents (by default) will see all issues within a project. I would recommend that you set up your issue security scheme with individual levels, one for each organization. Within those security levels, include only the specific agent that supports each organization.

NOTE - You should also check the customer permissions "Customer sharing" option associated with your project (via Project settings >> Customer permissions) to ensure that it is set to "Customer can search for other customers within their organization".

Hope this helps.

Best, Joseph

Thank you @Joseph Chung Yin @Mark Segall. Although I have set the issue level security as mentioned above, and I configured an automation for it already, it did not work. I will have a look again at your shared articles and reflect back asap.

P.S. Please see attached the screenshot of the automation I configured earlier.


@Yura Hayrapetyan -

Can you provide more information on "it did not work"?  

I assumed your security levels are set up, so each one of them only calls out the specific Agent?

Best, Joseph

The security levels are set up, and in each organization there are at least 3 agents, and some of these agents appear in other organizations as well. In Automation I set up a separate security level call out for each organization, but I still cannot achieve the expected result.

By "did not work" I meant I kept receiving some errors: Actor does not have permission to view one or more issues, or the issue was deleted (please check permissions and issue security levels):

Hi @Joseph Chung Yin @Mark Segall, I have checked the automation and security levels, still the problem is not solved. Can you please advise the further possible steps? Thanks!

@Yura Hayrapetyan -

For your automation rule, you must add the rule actor as a member to your issue security configuration for each security level that you established.

So each security level will include the automation rule actor in the call out.

Hope this helps.

Best, Joseph

Thanks @Joseph Chung Yin for your quick response.
It did help, now I managed to restrict the agents by organizations. However, as a result I got into another problem: the customer that creates a ticket from the portal cannot view it, and I receive an error in automation.
Can you please help me on this as well?
Thanks!

this is the error I receive now in automation : 

Action details:
Actor does not have permission to view one or more issues, or the issue was deleted (please check permissions and issue security levels

@Yura Hayrapetyan -

In your Issue Security configuration, did you include "Reporter" call out for the security level definition?

Best, Joseph

@Joseph Chung Yin No, I did not. In fact I have only chosen the "group" call out for every security level.

@Yura Hayrapetyan -

When setting up Issue Security configuration, it is always recommended to add "Reporter" to the call out.  

Best, Joseph

Thanks @Mark Segall and @Joseph Chung Yin, you helped to solve the problem guys!
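
The three stages this thread went through (group-only levels, then the rule actor added, then "Reporter" added) can be checked with a small model. This is an added example, not part of the original posts and not Jira's API or data format: the `Level` class, the user and group names and the sample data are all constructed, and the model ignores project permissions such as Browse Projects.

```python
# Added illustration: a constructed model of issue security levels.
# It is not Jira's API or data format; all names below are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Level:
    name: str
    groups: set = field(default_factory=set)   # groups granted on the level
    users: set = field(default_factory=set)    # single users, e.g. the rule actor
    reporter: bool = False                      # "Reporter" granted on the level

def can_view(level, user, user_groups, issue_reporter):
    """True if `user` may see an issue carrying this security level."""
    if level.reporter and user == issue_reporter:
        return True
    return user in level.users or bool(level.groups & set(user_groups))

def audit(levels, rule_actor, actor_groups=()):
    """Flag, per level, the two gaps the thread ran into."""
    findings = []
    for lv in levels:
        if not can_view(lv, rule_actor, actor_groups, None):
            findings.append((lv.name, "automation rule actor not granted"))
        if not lv.reporter:
            findings.append((lv.name, "Reporter not granted"))
    return findings

# Constructed sample: two organizations, one agent group each.
ACTOR = "automation-actor"
GROUPS = {"agent-a": {"org-x-agents"}, "agent-b": {"org-y-agents"},
          "agent-c": {"org-x-agents", "org-y-agents"}}   # agent in two orgs
before = [Level("org-x", {"org-x-agents"}), Level("org-y", {"org-y-agents"})]
after = [Level("org-x", {"org-x-agents"}, {ACTOR}, True),
         Level("org-y", {"org-y-agents"}, {ACTOR}, True)]

def viewers(level, issue_reporter):
    """Everyone in the sample who can see an issue on `level`."""
    people = {**GROUPS, ACTOR: set(), issue_reporter: set()}
    return sorted(u for u, g in people.items()
                  if can_view(level, u, g, issue_reporter))

if __name__ == "__main__":
    print(audit(before, ACTOR))              # both gaps on both levels
    print(viewers(before[0], "customer-1"))  # group-only level
    print(viewers(after[0], "customer-1"))   # actor and Reporter added
```
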


0 votes

With Issue Security Levels, you can do something similar
