I've created an 'Assignee, Reporter and Developers' issue security scheme with 'Current assignee', 'Project Role (Developers)' and 'Reporter' groups to be allowed to see the issues (based on the https://confluence.atlassian.com/jirakb/how-to-limit-user-to-only-browse-issues-assigned-to-or-reported-by-them-779160753.html guide).
User is able to create issue but can't see the issue afterwards (whether he is assignee or not) unless I add user to Developers group.
User is added to Users role for the project (via group).
Even if I add user (as a Single User) to Security Scheme he still can't access the issue.
Thanks in advance,
Is the user definitely part of a group or role that gives them the 'Browse projects' permission for the project in question?
You mention a 'Users' role for the project, but it's possible this only grants people permission to create issues, but not browse the project.
If you set security level on a particular issue to 'none', can the user see it?
Thank you for your answer.
1) No, he is not given access to Browse projects, as there is absolutely no point in having a Security scheme if the user is given access to Browse Projects.
If I add user permission to Browse projects he is able to see All issues in the project regardless of security scheme/assignee/reporter (and I want to restrict internal issues from the client)
2) No, even if I set security level on a particular issue to 'none' user still can't see it.
If you don't give 'Browse projects' somehow, then the user will never be able to see any issues in the project. That's why they can't even see the issues with no security level set.
'Browse projects' is the basic permission anyone needs to see an issue within the project.
Then you use the issue security scheme on top of that to restrict the visibility of specific (or all) issues.
You can avoid those bugs you linked, because you don't need to grant the 'Browse projects' permission to 'Reporter' or 'Current Assignee'.
Instead, grant 'Browse projects' to your 'Users' role.
To keep your issues secure, make sure all issues get your 'Assignee, Reporter and Developers' security level. Make it the default security level and bulk change any existing issues to set it.
That way, people in your 'Users' role will be able to browse the project, but they will only be able to see the issues when they meet the conditions of the security level set on each issue.
Making sure every issue has 'Assignee, Reporter and Developers' level set will stop your non-developer users from seeing all issues.
Looks like I messed it up myself.
When I originally set all the permissions I hadn't updated the security level for older issues, so that's why I could still see those with this restricted user. Did a bulk update and now it works as expected.
Thanks for helping me to sort this out!
Ah right. I think I see what happened:
You originally had given the 'Users' role 'Browse projects', but saw that they could see older issues, so took it away.
But 'Browse projects' wasn't the cause, it was that the old issues didn't have security level set.
So the fix was:
Is that right? Worth confirming if you can, in case it helps someone else with the same problem.
Yes, that's exactly what happened and how it was fixed!
Also the default security level should have been set to new issues:
1. Choose [cog] > Issues.
2. Select Issue Security Schemes to open the Issue Security Schemes page.
3. Click the scheme name, or the Security Levels link in the Operations column, to open the Edit Issue Security Levels page.
a) To set the default security level, locate the appropriate Security Level and click Default in the Operations row.
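The interaction worked out in this thread, as an added example that is not part of the original posts and is not Atlassian code: a simplified Python model of how 'Browse projects' and the issue security level combine, run over the three configurations the thread went through. The issue keys, user names and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

@dataclass(frozen=True)
class Issue:
    key: str
    reporter: str
    assignee: str
    level: Optional[str]  # None = no security level set on the issue

LVL = "Assignee, Reporter and Developers"
# Who the thread's security level admits (simplified model, not Jira's data format).
LEVELS = {LVL: {"reporter", "assignee", "role:Developers"}}

def can_see(user, issue, browse_roles):
    """Browse projects is checked first; the security level only narrows it."""
    if not (user.roles & browse_roles):
        return False  # no Browse projects: nothing is visible, even unsecured issues
    if issue.level is None:
        return True   # unsecured issue: everyone who can browse sees it
    members = LEVELS[issue.level]
    return (("reporter" in members and issue.reporter == user.name)
            or ("assignee" in members and issue.assignee == user.name)
            or any(f"role:{r}" in members for r in user.roles))

def visible(user, issues, browse_roles):
    return [i.key for i in issues if can_see(user, i, browse_roles)]

def unsecured(issues):
    """Issues the bulk change still has to cover."""
    return [i.key for i in issues if i.level is None]

# Constructed sample data: two old issues without a level, two new ones with it.
client = User("client", frozenset({"Users"}))
dev = User("dev", frozenset({"Developers"}))
old = [Issue("PRJ-1", "dev", "dev", None), Issue("PRJ-2", "client", "dev", None)]
new = [Issue("PRJ-3", "dev", "dev", LVL), Issue("PRJ-4", "client", "dev", LVL)]
fixed = [Issue(i.key, i.reporter, i.assignee, LVL) for i in old] + new

if __name__ == "__main__":
    print(visible(client, old + new, {"Developers"}))           # Users lacks Browse projects
    print(visible(client, old + new, {"Users", "Developers"}))  # old issues still unsecured
    print(visible(client, fixed, {"Users", "Developers"}))      # after the bulk change
    print(unsecured(old + new), unsecured(fixed))
```

On a real instance, the counterpart of `unsecured()` is the JQL filter `level is EMPTY` scoped to the project; an empty result confirms the bulk change covered every issue.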