In Jira core it's possible to have user permissions access restricted to specific projects and other features.
I'm hoping to understand the possibility with Jira Service Desk.
If I wanted to create a user (so they can obtain an API key) and restrict them to only have access to a subset of tickets (based on a custom field value), would this be possible? (in Jira Service Desk, not Jira Core)
Hi @Robert Cuellari ,
If you want them to have access to only specific issues within a project (you can of course restrict their access to only specific projects just like in Core) you can use a feature called issue level security.
Based on a security level (available on all cloud plans except Free) they will be blocked from seeing issues if they don't belong to that specific security level.
You could use that custom field value if you want to run some automations and set the correct level but that depends on the whole use case.
Thanks @Dirk Ronsmans for the quick feedback.
This doesn't feel very intuitive for me. There are a few follow-up questions I have.
This doesn't make much sense to me.
I'm hoping to achieve the following.
In Jira service desk there is an Organizations field. I would like to create a Jira user who only has access to the tickets where Organizations field value = (and their value here).
Is it possible to do this? It doesn't look like issue security schemes and permission schemes can meet this requirement, unless I'm horribly misunderstanding the user interfaces.
Hey @Robert Cuellari ,
With a permission scheme you cannot achieve this; that's just a high-level permission.
With the issue level security you can do this, but you'll have to take some more action than just saying "organization = value".
What you would do is:
You can make it more dynamic by linking the security level (in your scheme) to a custom group field so you only need one level and base "who" can see it based on custom field.
Setting the level on the issue itself can be a manual action or through an automation.
It's not as straightforward as you had hoped, but I'm afraid it's (at least from what I can think of) the only solution to really restrict visibility.
Thank you. I'll have to dig into this more, but it feels overly complicated. I also want to make sure that none of these issue level securities will impact all other service desk tickets from other customers. Intuitively, it doesn't feel like I can ensure this without some automation (outside of what can be configured). Am I correct in this assumption?
Wanted to add to this.
If I set a security level it will restrict that particular issue to whatever the security level is. (assuming I can figure this part out).
For all remaining issues, I will need to set up other security levels.
It looks like the security level is more of an "Allow List" and not a "Block List". Even though I could set some Allow security settings for a subset of tickets, what happens to that user for all the remaining tickets?
I would need to set up a security level for all tickets where organization != X, and then assign those tickets a particular security level to restrict to internal usage only.
This sounds overly complicated and I'm not sure it won't have additional caveats.
Well there shouldn't be any impact to other customers.
You basically start with a security level of "None", meaning no security level assigned = everyone can see who has access to the project.
So you start wide and then start limiting issues. Impact to other customers should be little to none.
Thanks, my concern is that the user that we create in Jira Service Desk has access to read and write to the tickets via API only for a subset of given tickets within one project. I don't see how to set any kind of restrictions to a single user (that could have an API key associated with that user.)
I would like to point out here that I'm talking about Agents. (so the people handling the tickets).
If you are talking about customers who can create tickets through the portal or the API well then things are different of course. So maybe that's a nuance we need to look at.
Just want to make sure that you are aware of the difference between customers and agents.
Understood, I wasn't sure if a customer can actually have an API key generated for them.
Under that assumption I felt like I might have had to create a service desk agent user for this specific use-case. Is there a way to set up a customer and generate an API key for them?
Thanks again for the quick responses.
A security level is indeed an allow list, but you can opt to not set a security level on most tickets, so that just means "no security applied".
If we look at a customer, then they can only see what they created or what their organization has created (if shared), so then it becomes a non-issue, right?
It all depends on what side of the tool you are looking at. Are you trying to restrict the Agent's view or the customer's view? A customer is by default limited in what they can see due to the share option/customer permission and the organization(s) that they belong to.
For an Agent then we need to look at security levels.
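The allow-list behaviour discussed above, as an added example that is not part of the original thread and is not Jira code: a simplified model of the rule "no security level = visible to everyone with project access". The account names, level names, issue keys and organizations are constructed for illustration.

```python
# Simplified model of the visibility rule described in the thread; not Jira code.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Issue:
    key: str
    organization: str
    security_level: Optional[str] = None   # None = no security level set

@dataclass
class Project:
    project_users: set    # accounts with access to the project
    level_members: dict   # security level name -> accounts allowed by that level
    issues: list

def can_view(project, user, issue):
    if user not in project.project_users:
        return False                        # no project access at all
    if issue.security_level is None:
        return True                         # no level: everyone with project access
    return user in project.level_members.get(issue.security_level, set())

def exposed_outside_org(project, user, allowed_org):
    """Keys of issues the user can view that belong to another organization."""
    return [i.key for i in project.issues
            if can_view(project, user, i) and i.organization != allowed_org]

def apply_levels(project, org_to_level, default_level):
    """Stand-in for the automation: derive each issue's level from its organization."""
    project.issues = [replace(i, security_level=org_to_level.get(i.organization, default_level))
                      for i in project.issues]

def sample_project():
    # Constructed sample data; every name here is hypothetical.
    return Project(
        project_users={"api-agent", "internal-agent"},
        level_members={"acme-only": {"api-agent", "internal-agent"},
                       "internal-only": {"internal-agent"}},
        issues=[Issue("SD-1", "Acme", "acme-only"), Issue("SD-2", "Globex"),
                Issue("SD-3", "Acme"), Issue("SD-4", "Initech")])

if __name__ == "__main__":
    p = sample_project()
    print("before:", exposed_outside_org(p, "api-agent", "Acme"))
    apply_levels(p, {"Acme": "acme-only"}, "internal-only")
    print("after: ", exposed_outside_org(p, "api-agent", "Acme"))
```

Putting a level on the Acme tickets alone leaves every unlevelled ticket readable by the restricted account; the exposure only closes once the remaining tickets carry a level that account is not a member of.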
Then I feel like we can ditch the issue security.
If we really are talking customers then they are already limited out of the box to see what they created (or what is shared with them/their organization).
To create those issues programmatically they can use the REST API, which has specific parts for Servicedesk/Service Management.
An example would be the creation:
As to whether you need an agent license and then "raise on behalf", that's something we'll/you'll have to investigate. I feel like if you have access as a customer this should work.
As I haven't created this specific use case myself yet, I cannot guarantee all the steps though without building it.
Sorry to reopen, but I checked the documentation and it doesn't look like it's possible to create any credentials as a customer to make API requests.
It looks like a token is required and it doesn't appear like there is a way to generate a token as a customer.
Am I overlooking something?
Hey @Robert Cuellari ,
Let's see if I can find something. From the documentation I feel like it should be possible with a customer only user too as this part:
raiseOnBehalfOf is not available to Users who have the customer permission only
states that the option is not available if you have a customer permission only (so a customer should be able to do it).
I'll try and investigate it a bit further to see how a customer only can authenticate through the API.