What controls who I can @ in JSM?

Yes, I understand fully what you're saying in terms of permissions. I don't recall encountering 'issue security' before. 

Issue security allows you to secure individual issues in a more widely shared project, doesn't affect who can mention, but it will limit who can be mentioned - no point in mentioning someone who can't see the issue.

It occurs to me that the "users they want to browse" aren't even necessarily Jira users as such. They could be anybody in the company up to and including the CEO. So is there a way to make that happen? Do we have to use licenses and create everyone in the company as some level of Jira user or in some group just so we can mention them? I suspect so but how to go about that? 

Mentions can only work if the account is known to Jira as a user.  So yes, you'll have to licence people to use the system if they are going to, well, use it (even if it's only for a mention)

Wow, this is super important so I'd better be sure I get it. So if we have 30 people currently licensed in JSM - and we have 100 licenses - I have to license everyone who I might mention? Or is that across all Jira licenses as we use Jira software as well. 

To mention someone, they have to have an account in Jira - the system has to be aware of them.  It doesn't matter how they get the account, via Core, JSM or Software.

Ok, that won't go over well at all but I'll let them know. 

Ok. I think I see a workaround here but I wanted to get your opinion. We are migrating over from Zendesk where they used cc (or some equivalent) for non-licensed users. So I can see us adding licenses perhaps for those users we frequently loop in. Is there a cc-like mechanism for non-users that will alert them even if perhaps not the most optimal solution? 

Not directly.  There are some functions which can let you send email, but they're not going to be related to mentions.

If you're moving to Jira Service Desk though, are you taking full advantage of the "customer" functions?  That are accounts you can talk to.  You can't mention them, but then there's no need to - communication with them is done through the portal channels.

Sigh. I got it. I mean I got the mention thing to work. I went over everything with a fine tooth comb. Then I went back over Alexandre's note. What was missing was the jira-software-users "Browse Project Permission." And then it worked! (For the record, we have almost 500 people licensed in Jira software.) If our HR people need to mention someone outside of that, well, we either grab another license or they email them. Anyway, thanks! 

Hi @Jim Stewart ,

I’m glad my and @Nic Brough -Adaptavist- considerations could help you.

I hope you have a great day!

BR,

Alexandre de Sousa.

Yes, I am a little slow getting it at times but once I get it I get it. I will say yours is the most granular software I've ever seen in terms of permissions. The default seems to be no (or little) permissions and then you have to add them as you go. 

You didn't seem slow to me!  It's software that has a lot of evolved complexities and it's hard to explain well, and I think you got it a lot faster than many people we've had similar questions from.

The default in a newly installed Jira is actually wide-open - you get a group that says "can log in", but it is then used by default in the permission schemes, so anyone who can log in gets access to all the projects and you have to do some work to get that removed after creating every project.

If you are seeing a default of little-or-no permissions and then add as you go, then I would guess that one of your admins has decoupled the "can log in" from "can see project automatically", which is a really good thing if you do need any limited-access projects.