Assignee or reporter can't see issue with issue security scheme set

Hi,

I've created 'Assignee, Reporter and Developers' issue security scheme with 'Current assignee', 'Project Role (Developers)' and 'Reporter' groups to be allowed to see the issues (based on https://confluence.atlassian.com/jirakb/how-to-limit-user-to-only-browse-issues-assigned-to-or-reported-by-them-779160753.html guide)

User is able to create issue but can't see the issue afterwards (whether he is assignee or not) unless I add user to Developers group. 

User is added to Users role for the project (via group). 

Even if I add user (as a Single User) to Security Scheme he still can't access the issue.

Thanks in advance,

Alex

 

2 answers

1 vote

Is the user definitely part of a group or role that gives them the 'Browse projects' permission for the project in question?

You mention a 'Users' role for the project, but it's possible this only grants people permission to create issues, but not browse the project.

If you set security level on a particular issue to 'none', can the user see it?

Hi Sam,

Thank you for your answer.

1) No he is not given access to Browse projects. As there is absolutely no point in having Security scheme if user is given access to Browse Projects.

If I add user permission to Browse projects he is able to see All issues in the project regardless of security scheme/assignee/reporter (and I want to restrict internal issues from the client)

Related issues:

https://jira.atlassian.com/browse/JRA-34389

https://jira.atlassian.com/browse/JRA-31720

 

2) No, even if I set security level on a particular issue to 'none' user still can't see it.

Regards,

Alex

If you don't give 'Browse projects' somehow, then the user will never be able to see any issues in the project. That's why they can't even see the issues with no security level set.

'Browse projects' is the basic permission anyone needs to see an issue within the project. 

Then you use the issue security scheme on top of that to restrict the visibility of specific (or all) issues.

You can avoid those bugs you linked, because you don't need to grant the 'Browse projects' permission to 'Reporter' or 'Current Assignee'.

Instead, grant 'Browse projects' to your 'Users' role. 

To keep your issues secure, make sure all issues get your 'Assignee, Reporter and Developers' security level. Make it the default security level and bulk change any existing issues to set it.

That way, people in your 'Users' role will be able to browse the project, but they will only be able to see the issues when they meet the conditions of the security level set on each issue.

Making sure every issue has 'Assignee, Reporter and Developers' level set will stop your non-developer users from seeing all issues.

Sam Hall Community Champion May 12, 2017

Essentially, what I'm describing there is the workaround given in both the bugs.

Looks like I messed it up myself.

When I originally set all the permissions I hadn't updated the security level for older issues, so that's why I could still see those with this restricted user. I did a bulk update and now it works as expected.

Thanks for helping me to sort this out!

Best regards,
Alex

Ah right. I think I see what happened:

You originally had given the 'Users' role 'Browse projects', but saw that they could see older issues, so took it away.

But 'Browse projects' wasn't the cause, it was that the old issues didn't have security level set.

So the fix was:

  • Give 'Users' role back 'Browse projects'
  • Bulk change old issues to set correct security level

Is that right? Worth confirming if you can, in case it helps someone else with the same problem.

Yes, that's exactly what happened and how it was fixed!

 

Also, the default security level should have been set for new issues:


1. Choose [cog]> Issues.
2. Select Issue Security Schemes to open the Issue Security Schemes page.
3. Click the scheme name, or the Security Levels link in the Operations column, to open the Edit Issue Security Levels page.
   a) To set the default security level, locate the appropriate Security Level and click Default in the Operations row.

Source: https://confluence.atlassian.com/adminjiraserver071/configuring-issue-level-security-802592414.html

Sam Hall Community Champion May 12, 2017

Awesome : ) Glad to help.
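
The two-layer check this thread arrives at ('Browse projects' first, then the issue security level), sketched as an added example that is not part of the original posts and is not Jira's own code. The user names, `PRJ-*` issue keys and function names are hypothetical, and the data is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

LEVEL = "Assignee, Reporter and Developers"
# Permission scheme (assumed): project roles holding 'Browse projects'.
BROWSE_ROLES = {"Users", "Developers"}
# Issue security scheme: level -> who may see issues carrying it.
LEVELS = {LEVEL: {"roles": {"Developers"}, "reporter": True, "assignee": True}}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

@dataclass
class Issue:
    key: str
    reporter: str
    assignee: Optional[str]
    level: Optional[str]  # None = no security level set

def can_view(user, issue, browse_roles=BROWSE_ROLES):
    # Layer 1: without 'Browse projects' nothing in the project is visible.
    if not (user.roles & browse_roles):
        return False
    # Layer 2: an issue with no level is visible to everyone who can browse.
    if issue.level is None:
        return True
    rule = LEVELS[issue.level]
    return bool((user.roles & rule["roles"])
                or (rule["reporter"] and issue.reporter == user.name)
                or (rule["assignee"] and issue.assignee == user.name))

def visible_to(user, issues, browse_roles=BROWSE_ROLES):
    return [i.key for i in issues if can_view(user, i, browse_roles)]

def unprotected(issues):
    """Issues the bulk change still has to cover (no security level)."""
    return [i.key for i in issues if i.level is None]

# Constructed sample data.
ISSUES = [
    Issue("PRJ-1", "dev1", "dev1", None),     # old internal issue, never updated
    Issue("PRJ-2", "dev1", "dev2", LEVEL),    # internal issue, protected
    Issue("PRJ-3", "client", "dev1", LEVEL),  # reported by the client
]
if __name__ == "__main__":
    client = User("client", {"Users"})
    print(visible_to(client, ISSUES))  # what the restricted user can see
    print(unprotected(ISSUES))         # what the bulk change must fix
```

Passing `browse_roles={"Developers"}` reproduces the original symptom, where the reporter cannot see even their own issue.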
