Managing users' access in Jira using groups

Nelphy Rose Siby May 10, 2023

Could you please refer to the below screenshot and let me know if the user mentioned has access to that particular project? I assigned this user to a different user group and I want this user to access only that project assigned for this group.

If this is not the way to do this, please advise! My requirement is to give the users access to a particular project only!

1 answer

0 votes
Walter Buggenhout
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
May 10, 2023

Hi @Nelphy Rose Siby,

To verify if the user has access to the project, you should select the browse project permission where you now have selected Administer projects.

If you then get the same result as on your screenshot, Mark does not have access. The first 2 lines are not relevant in this case. The red cross next to the Project role is what matters here. You can just ignore the lines where you see xx does not override this permission.

Hope this helps! 

Nelphy Rose Siby May 10, 2023

Thank you for your response, Walter.
I switched it to Browse Project and it's showing the same result (see screenshots below). However, the user has reported that he can access all our projects.

Also, the status is confusing. It says, Mark has the permission after a cross sign.
Mark's user details are also included below.

Please advise!


Walter Buggenhout
Community Leader
May 10, 2023

Hi @Nelphy Rose Siby,

I do not know how your environment is configured, so it is hard to tell what exactly is going on. If the user says he can access all projects and that is as intended, then you have an important thing covered.

I do understand that you want to (and should) understand your own settings, obviously. My guess is that the permission scheme(s) you use are granting permissions to any logged in user (or even public access, but I rather think any logged in user). That means that anyone logged into Jira automatically can access any project using that permission scheme without the need of any additional configuration. That would explain why Mark has access.

As to the messages you see in the permission helper, that rather points in the direction that the account you used to run the checks may not have all the required permissions to properly analyse the project permissions. You may be lacking project admin permissions, which may explain why Jira can't properly retrieve the actual permission name you are trying to validate.

On a final note, I would recommend not to share user information in so many details here (referring to the screenshot of Mark's user profile). This is a publicly available forum, so if you share user details, blank out key details like mail addresses etc.

Nelphy Rose Siby May 10, 2023

Got it, Walter.

This is what I intended to do. Mark is one of our clients and we want to give him access to his project only. I added him as a user and added him to a newly created group. This group is included in the Browse Projects section of the Permission scheme (created a separate one for Mark's project) along with my organization's users. (see screenshot below).

The remaining projects in my Jira cloud are using the default scheme and this scheme's browse project permission is configured as shown (note that Mark is not a part of either the Group (jira-software-users-tunagroup) or the Project Role (atlassian-addons-project-access)). 

My understanding is that, if it is configured this way, then Mark should only be able to browse the projects using the MGM scheme and not the default scheme. 

Please see the screenshots shown below and let me know if there is any other setting I need to do so that I can restrict Mark from seeing projects other than his own. 


Walter Buggenhout
Community Leader
May 10, 2023

Hi @Nelphy Rose Siby,

If these are the only schemes you are using, the default scheme is linked to all projects except Mark's and the MGM scheme is linked to Mark's project only, then this should work (in terms of just granting access).

However, a couple of notes:

  • I see that you use groups in your permission schemes to grant permissions. While that works technically, it is not really best practice. It is recommended to use project roles in your permission schemes (such as administrator, developer, ...) and link user groups to those roles in each project (Project settings > People). That would allow you to limit the number of permission schemes and delegate user management to project administrators.
  • You seem to have removed the project role atlassian-addons-project-access from the second project. Put it back 😅! This role is required for app functionality to properly work and may be the reason why you are getting strange results from the permission helper.
  • By granting the browse project permission in the new permission scheme, you allowed the user(s) just to see the project and what's in there. But you need to enable all the other permissions that you want to give your users too. To create issues, you do need the Create issues permission. Or to change the status of an issue, you need Transition issues permission, and so on. For more details on all permissions, see this support article

Nelphy Rose Siby May 11, 2023

Will definitely try this. Thank you, Walter
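
The access question discussed in this thread, as an added example (not part of any post above and not Atlassian code): a small Python audit that reports, per permission scheme, why a given user would hold a permission, so a broad "any logged-in user" grant stands out next to a group grant. The scheme data is constructed and simplified; the holder type names, the `mgm-clients` group and the `Legacy` scheme are assumptions, and project roles are treated as a flat set rather than per project.

```python
# Constructed sample data: simplified permission-scheme grants (not real API output).
# Assumed holder types: "anyone" (public), "applicationRole" with no parameter
# (any logged-in user), "group", "projectRole".
SCHEMES = {
    "Default": [
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "jira-software-users-tunagroup"}},
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "projectRole", "parameter": "atlassian-addons-project-access"}},
    ],
    "MGM": [
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "mgm-clients"}},  # hypothetical group name
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "jira-software-users-tunagroup"}},
    ],
    "Legacy": [  # hypothetical third scheme carrying a broad grant
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "applicationRole"}},
        {"permission": "CREATE_ISSUES", "holder": {"type": "group", "parameter": "mgm-clients"}},
    ],
}

BROAD = {"anyone": "public access", "applicationRole": "any logged-in user"}

def grant_reasons(grants, permission, groups, roles=()):
    """Return why a user with these groups/project roles holds `permission`."""
    reasons = []
    for g in grants:
        if g["permission"] != permission:
            continue
        holder = g["holder"]
        kind, param = holder["type"], holder.get("parameter")
        if kind == "anyone" or (kind == "applicationRole" and param is None):
            reasons.append(BROAD[kind])          # grant not tied to any group or role
        elif kind == "group" and param in groups:
            reasons.append(f"group:{param}")
        elif kind == "projectRole" and param in roles:
            reasons.append(f"role:{param}")
    return reasons

def audit(schemes, permission, groups, roles=()):
    """Map each scheme name to the reasons for access (empty list = no access)."""
    return {name: grant_reasons(grants, permission, groups, roles)
            for name, grants in schemes.items()}

if __name__ == "__main__":
    # A client account that is only in the client group.
    for name, why in audit(SCHEMES, "BROWSE_PROJECTS", {"mgm-clients"}).items():
        print(f"{name}: {'ACCESS via ' + ', '.join(why) if why else 'no access'}")
```

Running the same audit for `CREATE_ISSUES` shows the point made in the last bullet above: a scheme that grants only Browse Projects leaves the user unable to create issues.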

Deployment type: Cloud. Product plan: Standard. Permissions level: Site Admin.