I'm a fairly new Cloud JIRA administrator, but I had a bunch of projects, workflows and kanban boards set up.
I have recently made a new project and during the internal testing, User_A told me he could @mention anyone from the whole JIRA instance in comments in Project_A.
I have checked it, and both a Test user belonging to the same groups and having identical permissions and logging in as User_A through the Admin panel I could not reproduce the issue.
Turns out he was using the mobile app the whole time. He gave me a bunch of example names from other projects Project_B and Project_C he has no access to (and users from these projects have no access to the Project_A).
Once I took away "Browse Users" permission from the group he belonged to, he couldn't @mention anyone, neither through web nor through the app. Apparently, for mobile, the description is taken literally ("View and select users or groups from the user picker, and share issues. Users with this permission can see the names of all users and groups on your site."), though for web it is that minus users who have no viewing rights for the issue - which effectively makes it work on "per project" basis (which is great, since Atlassian will not make).
The only setting for mobile I could find was "enable/disable" in the Project Summary screen.
Am I missing something or this is a security bug?
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
We're bringing product updates and pro tips on teamwork to ten cities around the world.Save your spot