
Service desk user permissions

Deon Botha November 17, 2020

I am adding a new service desk agent. When I invite the user I tick on Jira Service Desk and the Group Service Desk users.

 

Yet when the new user activates and logs in he can see all our projects including the Jira Software Dev projects.

 

I want him to only work on the Service desk as an agent.

1 answer

1 accepted

0 votes
Answer accepted
Dirk Ronsmans
Community Leader
November 17, 2020

Hi @Deon Botha ,

By granting the user access to Jira Service Desk you give them product access. This means they use a JSD/JSM license and they are given the ability to use JSD features when they have access to a JSD project.

To see the projects however (and interact with them) you will need to grant them permissions on the projects.

You'll need to check the permission scheme(s) of the project(s) you want the agent to access and see how the "browse projects" permission is set.

This could be granted through a role, group or just a single user. That depends on how it is set up in your organisation.

Deon Botha November 19, 2020

Thanks Dirk,

I just tried it again:

1. Invited a new JSD team member 

2. I checked that only JSD was ticked (and thus group JSD-users)

3. I accepted the invitation on the invitee system, created a password and logged in.

4. Again I could see and browse all projects as that user, and not just the JSD project I expected as configured.

5. I checked the other project settings, and that new user is not listed in the People area.

Maybe I am totally misunderstanding how Jira assigns permissions. Thanks again for your assistance.

Dirk Ronsmans
November 19, 2020

Hi @Deon Botha ,

You're missing one crucial step imo :)

Could you open up a JSD project and go to the Project Settings -> Permissions?

There you'll have a permission called "Browse Projects", could you list what groups/users/roles are set there?

 

By inviting a user and giving him a JSD license he is able to use the JSD features if he has access to a project. Now he is automatically added to the JSD-Users group, which is good, but that doesn't mean that that group actually has permissions on the project.

 

Thus, first check your project permissions (through the project settings -> permissions) and see what is listed under (at least) the browse projects permission

Deon Botha November 19, 2020

OK, thanks @Dirk Ronsmans - I am starting to see a picture.

So I have 2 types of Projects. Service Desk and the various dev projects. 

If I look at Permissions for the Service Desk Project, it has:

  • Project Role (Administrators)
  • Project Role (atlassian-addons-project-access)
  • Project Role (Service Desk Team)
  • Service Project Customer - Portal Access

 

If I look at the Dev (Classic Business) projects, they have:

  • Project Role (atlassian-addons-project-access)
  • Application access (Any logged in user)

Am I correct in that I want to remove "Application access (Any logged in user)" to stop a JSD agent from browsing projects?

Dirk Ronsmans
November 19, 2020

All right, great!

So for the JSD projects I guess the jira-servicedesk-users group is probably added under the role Service Desk Team which is giving the new users access to the JSD projects.

For the Dev projects, they are indeed able to see them because of the blanket rule:

  • Application access (Any logged in user)

That just means if they log in with either a JSW or JSD license they will have access.

Removing that permission is one step indeed to block the JSD agents from accessing them but you will also need to add a new role/group to the permissions to make sure your Devs don't lose access to the projects too :)

If you just remove the "any logged in user" one it will also remove the devs.. so you need to make sure you grant them access specifically. (through a new role or a group)

Deon Botha November 19, 2020

There is this additional access group which to me looks like the devs will retain access here:

  • Project Role (atlassian-addons-project-access)
Dirk Ronsmans
November 19, 2020

Not exactly, the 

  • Project Role (atlassian-addons-project-access) 

is the access granted to any addons/apps you might install. It comes default when you create a project to be sure that addons have access to what they need without you having to grant them the rights manually each time.

So your devs (the people) will need to get access through another role (or group). I suggest creating or using a role as it is a lot more flexible and doesn't require you to adjust your permission scheme each time (you can just add a group or user to a role)
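The checks discussed in the replies above, as an added example that is not part of the original thread or Atlassian's own code: it flags a blanket "Browse Projects" grant and reports whether removing it would lock people out because only the add-on role remains. The scheme data is constructed from the lists posted in the thread; the dictionary shape and holder type strings are assumptions modelled on Jira Cloud's permission scheme REST output, with role names used in place of ids for readability.

```python
ADDON_ROLE = "atlassian-addons-project-access"  # grants access to apps, not people

def grant(holder_type, parameter=None, permission="BROWSE_PROJECTS"):
    """Build one permission grant (assumed shape, hypothetical helper)."""
    return {"permission": permission,
            "holder": {"type": holder_type, "parameter": parameter}}

# Constructed sample data mirroring the two schemes listed in the thread.
SERVICE_DESK = {"name": "Service Desk (constructed)", "permissions": [
    grant("projectRole", "Administrators"),
    grant("projectRole", ADDON_ROLE),
    grant("projectRole", "Service Desk Team"),
    grant("sd.customer.portal.only"),      # portal customers
]}
DEV = {"name": "Dev projects (constructed)", "permissions": [
    grant("projectRole", ADDON_ROLE),
    grant("applicationRole"),              # no parameter = any logged in user
]}

def is_blanket(holder):
    """True for holders that match every logged-in (or anonymous) user."""
    if holder["type"] == "anyone":
        return True
    return holder["type"] == "applicationRole" and not holder.get("parameter")

def audit_browse(scheme):
    """Report blanket Browse Projects grants and the lockout risk of removing them."""
    holders = [g["holder"] for g in scheme["permissions"]
               if g["permission"] == "BROWSE_PROJECTS"]
    blanket = [h for h in holders if is_blanket(h)]
    # Holders that would still give people access once the blanket grant is gone.
    remaining = [h for h in holders
                 if not is_blanket(h)
                 and h["type"] in ("projectRole", "group", "user")
                 and h.get("parameter") != ADDON_ROLE]
    return {
        "scheme": scheme["name"],
        "blanket": bool(blanket),
        "remaining_people_holders": [h["parameter"] for h in remaining],
        "lockout_if_blanket_removed": bool(blanket) and not remaining,
    }

if __name__ == "__main__":
    for s in (SERVICE_DESK, DEV):
        print(audit_browse(s))
```

A scheme reported with `lockout_if_blanket_removed` set needs a people-facing role or group added to Browse Projects before the blanket grant is removed.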

Deon Botha November 19, 2020

OK, I think I'm sorted now, thanks very much. 
