Jira Project Admin role but also member of group with Developer role -- which permission wins?

Kristine_Mizukami March 25, 2024

Hi! I wanted to get clarity about the project roles in Jira.

In our organization, our SOP is to add groups to projects, not individuals.

But we do want to give more permission to the Project Leads so what I'm doing is in Project Settings > People, I gave the Project Lead person Administrators project role, then I added groups and gave them the Developers project role.

Sometimes though, the Project lead person is also a member of a group added to the same project, so he/she has both Administrator and Developer project roles.

In this case, which role will win?

Based on my experience with other systems, the lower permission wins, so it's Developer. Is this the same for Jira? Or will it be a combination of the permissions assigned to both project roles?

I hope my question is not confusing but would really appreciate your answer. Thank you in advance!

3 answers

3 accepted

2 votes
Answer accepted
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
March 25, 2024

Welcome to the Atlassian Community!

Neither "wins".  Atlassian systems have a simple permissive model (although there are ways to do individual restrictions at an item level).  If you give people admin, they can do admin things.  But just admin, until you let them in as something else as well.

A project lead with Admin and Dev can do everything you've set up for both Admins and Developers to do.  There's no "win", they just have two sets of (probably overlapping) permissions to do things.

One thing that often confuses people about Atlassian stuff is that they have a sensible but counterintuitive administration model.  Admin does not mean "can do anything", it means "can do admin"

My classic example of that is that I have had many jobs where I was the Atlassian system admin in large installations.  Picking one for numbers, as it was a full-time job, I really didn't need or want to see the vast majority of the 20,000 projects or 1 million issues there.  So, as an admin, I removed all my access to everything except the Atlassian support, maintenance, and upgrade projects.

When someone raised a support request, as an admin, I could always temporarily let myself into their project to debug it.

TLDR: No, there's no "win".  If you grant a permission to an account, they can use it.

Kristine_Mizukami March 25, 2024

Hi @Nic Brough -Adaptavist- 

Thank you very much for the detailed explanation. I really appreciate the example you gave and fully understand this now. Thank you so much!

Like # people like this
0 votes
Answer accepted
John Funk
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
March 25, 2024

Hi Kristine - Welcome to the Atlassian Community!

There’s not really a who wins kind of conflict in Jira with permissions. There is a permission scheme attached to the project and then specific permissions are given to either groups or project roles or individual persons, for example. So if a person is in two project roles and they both have permission for that item, then they can just do it. It doesn’t really execute as one role or the other. 

Is there a specific example that you have in mind?

Kristine_Mizukami March 25, 2024

Hi @John Funk

Thank you very much for answering. I was coming from a Windows administrator point of view, but I did notice there are no "negative" permissions in Jira so I did think maybe the permissions will be just a mix.

For example: Admin can move tasks to other projects, and Dev is not given this permission. So for a person who is both Admin and Dev, will Dev win and he/she won't be able to move a task? (Windows admin thinking. Haha!)

But as all answers here, there isn't a "win" in Jira so the answer for this is the person will still be able to move tasks. I understand this now. Thank you so much!!

Like John Funk likes this
John Funk
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
March 25, 2024

Great! Sounds like you have a good handle on it now. Glad we were able to help.

Like Kristine_Mizukami likes this
0 votes
Answer accepted
Trudy Claspill
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
March 25, 2024

Hello @Kristine_Mizukami 

Welcome to the Atlassian community!

With Jira you are granting a user permissions, not denying them permissions. So the user will have all the permissions granted to each individual role to which they are assigned.

Example:if the Developer role has the Edit Issues permission but the Administrator role does not, a user assigned to both roles will have the Edit Issues permission.

Kristine_Mizukami March 25, 2024

Hi @Trudy Claspill!

Thank you so much. This is very clear. The "not denying" part makes so much sense. Thank you!

Like John Funk likes this

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD
TAGS
AUG Leaders

Atlassian Community Events