Restricting users to a single project
Hey there, Atlassian Community!
Since the very beginning of Jira Cloud application, Project permission is something that several teams have struggled to understand and configure. We have several articles and KBs that provide a path on how you can properly configure your project permissions, however, no one seems to properly address the following question in a simple way for both company and team-managed projects:
How can I restrict users' access to a specific project on my Jira site?
In this article, we will provide you with all the concepts to properly answer that question when using both Company-managed and Team-managed projects, keeping it as simple as it can be and referencing all relevant links if you want to go deeper into project permissions.
P.S: Project permissions aren't configurable when you're on the Free plan, so you must upgrade your Jira Cloud application to Standard or Premium to apply the steps of this documentation. You can check more detail about this in the documentation below:
How to know if I’m working with a Company or a Team-managed project?
You can tell the difference between team-managed and company-managed projects by going to your project sidebar.
In team-managed projects, the bottom-left of the sidebar says you’re in a team-managed project:
In company-managed projects, the bottom-left of the sidebar will state you’re in a company-managed project:
Now that you know which project type you are using, let’s check the steps to properly restrict them.
For Company-managed projects:
Notice that you must be a Jira administrator to configure permissions for Company-managed projects (Added to any groups with the Administer Jira global permission).
The permissions for company-managed projects are dictated by the permission scheme that is associated with the project. On company-managed projects of Jira Software and Jira work management, all the projects are created sharing the same default permission scheme (One for Jira software, another one for Work Management).
The same logic explained in this article can be applied to Jira Service management (JSM projects) as well. The only difference is that this project type creates a single permission scheme for each project you create.
You can check the related permission scheme by navigating to your project > Project settings > Permissions:
-
The Browse projects permission is the one that provides users with access to view and navigates through the issues of the project. That being said, this is the one that we must edit to properly restrict the project to a specific team/user.
-
Besides other options, your project permissions can be associated with Users, Groups, and Roles. To keep it simple and functional, we suggest using Groups and Roles to define it (We will provide the instructions to achieve that in the next steps of this article).
-
By default, the option “Application access (Any-logged in User)" is always added to the Browse projects permission in the permission scheme used for new projects created. That means that all the newly created projects are accessible to every logged-in user by default.
As the projects of Jira are initially configured to allow any logged user to access, it is required to restrict ALL the projects of your site by editing the default permission scheme(s) and setting the permission(s) with the proper groups/roles, allowing your teams to access only the specific project they need. Basically, these would be the steps:
- Add the users to specific Groups - Define/create a group for each team that must have access to different projects in the Jira site. This documentation provides you with the steps to do it.
- Add/create any Project Role to the Browse projects permission in your shared permission scheme. You can do this by following the path below:
Navigate to any project using that permission scheme > Project settings > Permissions > Edit- Relate the Groups to the Project Role you configured in step 2 for each project you have - Project roles are configured by project, so you will be able to use the same permission scheme between your projects. However, you must define which groups will be related to the project role for each project you have. You can do this by following the path below:
Navigate to the project > Project settings > People > Add People- Remove the “Application access (Any-logged in User)" from the permission scheme by:
Navigating to any project using that permission scheme > Project settings > Permissions > Edit
Why add groups to roles instead of using groups directly in the permission scheme?
Groups are global while Project Roles are configured per project. Explaining better, if you add a group to the browse projects permission in your permission scheme (Under project settings > Permissions), all the users in that group will be able to access ALL the projects using that same permission scheme.
Now, if you add a group to a project role (Under Project settings > People) and add that project role to the browse projects permission in your permission scheme (Under project settings > Permissions), the users in that group will be able to access only the specific project where that group was configured with that project role.
You can check the exact step-by-step to achieve the scenario explained above in the KB below, including a video with the exact menus you should go:
How to restrict project access for teams in Jira Cloud | Atlassian Cloud | Atlassian Documentation
For more details about company-managed permissions, you can refer to the links below:
For Team-managed projects:
Notice that you must be a Project administrator to configure permissions for Team-managed projects (Added with the role Administrator under project settings > Access).
Different from company-managed projects, the permissions of team-managed projects are configured individually and can not be shared between multiple projects as they are not configured with a permission scheme. This project template uses a simplified set of permissions (Defined under Project settings > Access) that can be configured with the following options:
Open. When a project is open, anyone on your Jira site can view, create and edit issues in your project. With this access level, Jira gives anyone who logs into your Jira site the Member role in your project.
Limited. When a project is limited, anyone on your Jira site can view and comment on issues in your project. But, they can't edit them or create new ones. With this access level, Jira gives anyone who logs into your Jira site the Viewer role in your project.
Private. When a project is private, only Jira admins and people you add to the project can see it in their project directory or its issues in search results.
To achieve your scenario for team-managed projects, you must follow the steps below:
-
Set each of the team-managed projects in your site as "Private” (Under project settings > Access > Change project access)
-
Add and remove the users from your project (Under project settings > Access > Add People), using the Roles you want (Viewer, Member, Administrator)
To know what kind of permissions each role provides and check more details about team-managed permissions, you can check the documentation below:
Related Community topics:
Two ways we’re simplifying how to create projects in Jira
How to associate Permission Schemes with user Group
Team-managed vs Company-managed
How can I change project type from team managed to company managed project?
Was this helpful?
Thanks!
Petter Gonçalves
About this author
Support Engineer - Atlassian Team
Atlassian
1,122 accepted answers
1 comment