Jira admin's tips to secure sensitive information with permissions & security configuration

Every project or team operates differently, even within the same organization. Customizing Jira ensures that you're capturing the right information, adhering to specific workflows, and facilitating collaboration processes efficiently for all users. 

As a Jira admin, you play a pivotal role in harnessing the power of Jira and tailoring the tool to the specific needs of your users. One of the most critical aspects of administering Jira is setting up the right security and permissions so that users have appropriate access to data.

In this article, we’ll discuss security and permissions in Jira and how to implement them for different use cases.

Overview of security and permissions in Jira

Jira lets you control who can access data and perform actions, from the project level down to the issue level, through permission schemes and issue security schemes. These schemes manage user access to issues and their visibility, but they don't offer fine-grained control over field values within an issue.

Permission schemes

This configuration governs access to various functions and actions at both the project and issue levels. You can create and configure permission schemes that determine who has permission to edit or view issues. You can assign permission schemes to respective projects.

Tailor your permission schemes by assigning users and groups to project roles. You’ll need to define a new permission scheme and associate it with the relevant projects. Typically, similar projects share the same scheme to avoid redundancy.

In this example, we’ve added the ‘HR Permission scheme’ for all projects within the HR department. Only project admins and the HR user group can perform specific actions, while other users have read-only access.

HR issue permission.png
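One way to check that a scheme like this matches its intent is to audit an export of it. The following is an added example, not part of the original article: it assumes the scheme has been exported in the shape the Jira Cloud REST API returns for a permission scheme with its grants expanded, and the scheme id, role id `10002`, and group name `hr-users` are constructed values.

```python
import json

# Constructed sample in the shape of a Jira Cloud permission scheme
# (GET /rest/api/3/permissionscheme/{id}?expand=permissions).
SCHEME_JSON = """
{"id": 10100, "name": "HR Permission scheme", "permissions": [
  {"id": 1, "permission": "BROWSE_PROJECTS", "holder": {"type": "applicationRole"}},
  {"id": 2, "permission": "EDIT_ISSUES", "holder": {"type": "projectRole", "parameter": "10002"}},
  {"id": 3, "permission": "EDIT_ISSUES", "holder": {"type": "group", "parameter": "hr-users"}},
  {"id": 4, "permission": "CREATE_ISSUES", "holder": {"type": "applicationRole"}},
  {"id": 5, "permission": "DELETE_ISSUES", "holder": {"type": "anyone"}},
  {"id": 6, "permission": "SET_ISSUE_SECURITY", "holder": {"type": "group", "parameter": "hr-users"}}
]}
"""
SCHEME = json.loads(SCHEME_JSON)

# Policy from the article's HR example: everyone may read, but only project
# admins (assumed role id 10002) and the HR group (assumed name) may act.
READ_ONLY = {"BROWSE_PROJECTS"}
ALLOWED_WRITERS = {("projectRole", "10002"), ("group", "hr-users")}
PUBLIC_HOLDERS = {"anyone"}  # includes users who are not logged in


def audit_scheme(scheme):
    """Return (grant id, permission, reason) for every grant outside the policy."""
    findings = []
    for grant in scheme.get("permissions", []):
        holder = grant.get("holder", {})
        key = (holder.get("type"), holder.get("parameter"))
        perm = grant["permission"]
        if key[0] in PUBLIC_HOLDERS:
            # No permission in a sensitive project should be open to the public.
            findings.append((grant["id"], perm, "granted to anonymous users"))
        elif perm not in READ_ONLY and key not in ALLOWED_WRITERS:
            # e.g. applicationRole without a parameter: any logged-in user.
            findings.append((grant["id"], perm, f"non-read permission held by {key[0]}"))
    return findings


if __name__ == "__main__":
    for grant_id, perm, reason in audit_scheme(SCHEME):
        print(f"grant {grant_id}: {perm} {reason}")
```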

For team-managed projects, access permissions are applied to each individual project.

Team-managed project access.png

 

Issue security schemes

While permission schemes manage broad access, issue security schemes allow you to restrict who can view specific issues or their details. This is particularly valuable when handling sensitive or confidential data.

You can configure security levels and associate them with specific issues. Users who don't have the necessary security level won't be able to see the restricted information.

Building on the permissions configured in the example above, we can establish additional security levels to differentiate users by job role.

 

We’ve defined different access for HR Manager and Team Members as below:

HR issue security levels.png

We can now limit issue access to only those who need to see sensitive HR information, such as issues of the Contract issue type. Simply select the appropriate level when creating the issue:

custom field security level.gif

However, this operates at the issue level and doesn't restrict access to individual field values within an issue.
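Because the level is chosen by hand at creation time, a sensitive issue can end up with no level or the wrong one. The following added example (not part of the original article) checks a list of issues against a required level per issue type; the issue keys and ids are constructed, and the rule that Contract issues must carry the HR Manager level is an assumption made for illustration.

```python
# Constructed sample shaped like the "issues" array of a Jira REST search
# response requested with fields=issuetype,security.
ISSUES = [
    {"key": "HR-1", "fields": {"issuetype": {"name": "Contract"},
                               "security": {"id": "10010", "name": "HR Manager"}}},
    {"key": "HR-2", "fields": {"issuetype": {"name": "Contract"},
                               "security": None}},
    {"key": "HR-3", "fields": {"issuetype": {"name": "Task"},
                               "security": None}},
    {"key": "HR-4", "fields": {"issuetype": {"name": "Contract"},
                               "security": {"id": "10011", "name": "Team Members"}}},
]

# Assumed policy: issue type -> security level it must carry.
REQUIRED_LEVEL = {"Contract": "HR Manager"}


def check_levels(issues, required):
    """Return (issue key, problem) for issues whose level violates the policy."""
    problems = []
    for issue in issues:
        fields = issue["fields"]
        want = required.get(fields["issuetype"]["name"])
        if want is None:
            continue  # no requirement for this issue type
        # "security" is null when no level was selected on the issue.
        level = (fields.get("security") or {}).get("name")
        if level is None:
            problems.append((issue["key"], "no security level set"))
        elif level != want:
            problems.append((issue["key"], f"level is '{level}', expected '{want}'"))
    return problems


if __name__ == "__main__":
    for key, problem in check_levels(ISSUES, REQUIRED_LEVEL):
        print(f"{key}: {problem}")
```

In a live instance, the JQL query `issuetype = Contract AND level is EMPTY` finds the unprotected issues directly.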

Next, let’s talk about further issue customization and configuration for different layers of security requirements.

Fields configuration and field-level security

In Jira, you can also configure field-level security for custom fields. This allows you to restrict who can view or edit specific custom fields on an issue-by-issue basis. In some cases, this feature may require additional plugins or extensions.

Custom fields and field behaviors

Jira allows you to create custom fields to capture specific data. You can define the behavior of these fields, including whether they are mandatory or optional, and set default values. While this doesn't control access to the field, it does control its behavior, including whether the field is hidden or visible for a particular issue type.

Learn more: Specify field behavior | Atlassian Support

Field context

Another simple method is to associate custom fields with specific issue types, projects, or screens. This means you can control which fields appear on which issues, but this is primarily about customizing the user interface, not restricting access to field values.

Learn more: Edit a custom field context | Atlassian Support

Automation rules

Jira automation allows you to create rules that automate actions in response to various triggers. While you can't directly restrict access to field values, you can use automation to enforce rules such as changing a field value based on certain criteria or triggering actions when a particular field changes.

Learn more: Edit issue fields with Jira automation | Cloud automation Cloud | Atlassian Support

Field-level security using third-party apps

Depending on your specific requirements, you might find third-party apps for Jira that offer more advanced control over field-level permissions. These apps can extend Jira's capabilities and allow for fine-grained control over who can edit or view field values.

Marketplace search results for field-level security apps: Search for apps | Atlassian Marketplace  

Typically, you define a new custom field for your specific project and issue type, and then configure the field permission accordingly. This hides the field value from unauthorized users, while they can still see generic information about the issue.

For example, the personal contact information on an employee ticket:


field-level security.png

 

While robust security measures are essential, it's equally crucial to balance security with usability. Overly restrictive permissions can hinder collaboration and productivity. Therefore, it's vital to regularly review and refine your security and permission configurations to ensure they align with your evolving project needs.

Do you have any tips that you'd like to share? I'd love to hear your thoughts in the comments!
