Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Permission strategy for Jira access by external users

We are opening up Jira access to external users (not part of our Organization AD) . So we have created a group for these users (let's call it ext-grp ) and they are able to access Jira and the required projects meant for external users. However, for security reason we must put in place a restriction so that Project Admins of other internal projects can't add these external users accidentally. All internal users are part of an internal group (let's call it int-grp)

All internal projects use a scheme where browse access is provided to Project roles. So if the admins add external users with these roles, they can access these internal projects. If instead of project roles, we use internal group int-grp , then everyone in the organization will have access to all internal projects. And we have 100s of internal projects, we can't create dedicated group for each project.

Considering this, what should be a better strategy here ?

1 comment

Graham Twine
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 26, 2023

Hello @Nihar Kumar Dalai ,


Even though you have 100s of projects. I am sure projects can be categorized into those used by departments.


Even with that said, one needs to control access to projects with groups in an organization.

1. Disable the internal User Directory.

2. Make the AD directory read only users and groups.

3. Assign department groups to project roles

(In my case people are never given direct access to project roles or to permission schemes)


This is still not enough as people with project admin privileges can assign people directly to project roles and this breaks the on boarding and off boarding processes defined in the organization.


You can prevent this by never adding people to the Project Admin privilege.

I have written a custom plugin to prevent project admins from administering project roles. We have an automated process to do this in an external system.


In short, one cannot have a trivial access system to manage a complex implementation.

Thank you @Graham Twine  for the response!

It will be heck of a task to make such changes at this stage and for all the projects. At least can we write a custom script to alert when an external user is added to a project?  


Log in or Sign up to comment