"Application access grant to" meaning on Permission schema.

Luis Mazzoni July 1, 2021

Hello Community,

I'm working on a set of permission which It have to be assigned to a group of users which they have to collaborate with a particular project only.  This people don't belong to our organization.  So we add those account as guest and they were included on a group and the group was assigned the "viewer" role on that specific project.  

After one of that outsiders got into that project the could see (and browse) all other projects hosted on our company Jira site.  So I researched a bit and Permission schema topic comes to me.  I analyzed all the features that are set on our Company default permission schema and I notice that after modifying "browse project" permission this particular project was pulled off from the list that our outsider users are able to see.

In "granted to" section of "browse projects" configuration row I have two options I) Project Role II) Application access so I just removed application access item and I replaced them with Group and after that I maped this schema with company defined groups where the outsiders does not belong to.

This setting works fine, but I'm not sure why application access are set to "browse projects" feature and many other security options into the permissions schema.  Of course that everything that I've told before was deployed on a test instance, but I have to deploy this on production as soon as I can resolve this doubt.

Thank you very much!

Best regards.

2 answers

1 accepted

1 vote
Answer accepted
John Funk
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 6, 2021

Hi Luis - Welcome to the Atlassian Community!

Unfortunately, the only way to do this is to modify the Permission Scheme used by all of the projects to not include the outside organizations. I could actually create a new scheme based on a copy of the Default Permission Scheme. 

Then modify it as needed and attach the new scheme to all of your projects. That way if it needs to be changed for just some projects, it won't affect the Default. 

Then I would create new projects based on existing projects so that it picks up the new scheme and you don't have to always come behind and replace it. 

Luis Mazzoni July 6, 2021

Hello John, nice to meet you!

Thank you so much for so detailed explanation, I really appreciate that! .
Yes, I totally agree with you, I have to create a new schema and modify it in order to work "isolated" and to do not affect all the projects which permissions are default schema's based.  

But my question is how could affect the user access to all our projects if I replace [Application Access: Any Logged In user] for [Group: MyCustomGroup] in the "browse projects" section?
I've tried with this configuration and it was enough to "hide" those projects which I can't show to the outside users, but I'm not sure if this is the right choice to reach my goal. 

Thank you for your assistance!

Regards 

Like John Funk likes this
John Funk
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 6, 2021

Basically, you have to have a group with all of your internal users in it - apart from just any logged in user. And then a separate group for the external people. 

Then you grant access to the internal group and don't add the external group. 

For the projects they need access to, you create another scheme that includes the external group with the internal group, or you can use the any logged in user for that one. 

Luis Mazzoni July 6, 2021

Thanks John, we are getting close to where I want to go. Ok, I can handle the separation of duties with groups, one for the outsiders and the other one for the rest of the company, what should I do then? I have to modify the actual permissions scheme (or make a new one) then go to Permissions> Find projects> Edit> add Group and assign one of the groups mentioned above (external or company).

After that, I should have to remove "Application Access" because this is set to "Any user logged in" and this setting should allow anyone to access to any project, even the external users.

Let me know if I have not been clear about it, please.
Thank you for your assistance! Sincerely!

John Funk
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 6, 2021

Okay, let's back up for just a minute. What type of project is this? Team-managed? Or Company-managed? 

Luis Mazzoni July 7, 2021

Hi John, I have both.  I've also noticed that limit access through "permission schema" works only with Company-managed projects.  It's that correct?

Thanks!

John Funk
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 7, 2021

Company-managed projects use the Permission Schema.

Team-managed projects use the Access function under Project Settings. 

Luis Mazzoni July 7, 2021

Thank you John for clarifying that point but the my first question was, what could happen if I remove "Application access -> Any logged in user"  from every permission configured in the schema and then I replace this (Application access) for "Group" and then assign it all the users which I want to allow to view that projects?

Regards!

John Funk
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 8, 2021

That will work but, again, you are mixing terminologies with your project types. 

Team-managed projects do not use schemas - just Access. 

Company-managed projects use schemas, but not "Access".

So, for a Team-managed project you can change the Access to Limited, and then add a group to a role to control who can see it. 

For Company-managed project, you can change the Permission Scheme for the project to change the Browse Project permission to the group you want to see it and drop the Any Logged in user option. 

Like Luis Mazzoni likes this
Luis Mazzoni July 8, 2021

All right John, that's the answer I needed!
Ok I've totally understood the differences between Team-managed and Company-managed projects! Again thank you so much, now I have the right information to go ahead to resolve the issue that I have. 

Thank you!!!! best regards, 

Like John Funk likes this
John Funk
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 8, 2021

Great! Glad to help.

1 vote
Trudy Claspill
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 1, 2021

Assumptions are made in the default permission scheme deployed with the Jira product concerning to whom you are most likely wanting to grant permissions. One such assumption is that you will want all users who have access to Jira to be able to see all the projects. Browse Projects is the permission that enables users to see the project content. So, the Browse Projects permission is granted to Application Access: Any Logged In User.

Luis Mazzoni July 1, 2021

Thank you Trudy! My concern is that these external users (outsiders) they can see and browse all projects that we exist in our Jira instance (yes, I was talking about default permission scheme).  In order to limit access to any other projects except the one that they must access, I modified the schema and -in browse projects- section replace [Application Access: Any Logged In user] > [Group: MyCustomGroup] and it did work! but the I'm not sure that this was the right solution or if I will have a big problem when I will deploy this setting in Production.

Thanks!! 

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD
PERMISSIONS LEVEL
Site Admin
TAGS
AUG Leaders

Atlassian Community Events