Permission strategy for Jira access by external users

We are opening up Jira access to external users (not part of our Organization AD). So we have created a group for these users (let's call it ext-grp) and they are able to access Jira and the required projects meant for external users. However, for security reasons we must put in place a restriction so that Project Admins of other internal projects can't add these external users accidentally. All internal users are part of an internal group (let's call it int-grp).

All internal projects use a scheme where browse access is provided to Project roles. So if the admins add external users with these roles, they can access these internal projects. If instead of project roles, we use internal group int-grp, then everyone in the organization will have access to all internal projects. And we have 100s of internal projects, we can't create a dedicated group for each project.

Considering this, what should be a better strategy here?

1 comment

Graham Twine
Rising Star
May 26, 2023

Hello @Nihar Kumar Dalai,

Even though you have 100s of projects, I am sure projects can be categorized into those used by departments.

Even with that said, one needs to control access to projects with groups in an organization.

1. Disable the internal User Directory.

2. Make the AD directory read-only for users and groups.

3. Assign department groups to project roles.

(In my case people are never given direct access to project roles or to permission schemes)

This is still not enough, as people with project admin privileges can assign people directly to project roles and this breaks the onboarding and offboarding processes defined in the organization.

You can prevent this by never adding people to the Project Admin privilege.

I have written a custom plugin to prevent project admins from administering project roles. We have an automated process to do this in an external system.

In short, one cannot have a trivial access system to manage a complex implementation.

Thank you @Graham Twine for the response!

It will be a heck of a task to make such changes at this stage and for all the projects. At least can we write a custom script to alert when an external user is added to a project?
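One way the alerting script asked about above could work, as an added example that is not from either poster: it scans project role membership and reports any ext-grp member (or ext-grp itself) holding a role in a project not meant for external users. The project keys, usernames and the `EXTERNAL_PROJECTS` allowlist are constructed, and the role dictionaries are assumed to follow the `actors` list shape of Jira's project role REST resource; fetching that data from a live instance is left out.

```python
"""Audit Jira project-role membership for external users (added example)."""

EXTERNAL_GROUP = "ext-grp"             # group name used in the question
EXTERNAL_PROJECTS = {"EXTPORTAL"}      # constructed: projects meant for external users

# Actor type strings as they appear in Jira project role data (assumed input shape).
USER_ACTOR = "atlassian-user-role-actor"
GROUP_ACTOR = "atlassian-group-role-actor"


def find_external_grants(project_roles, external_users):
    """Return findings for external access granted outside EXTERNAL_PROJECTS.

    project_roles: {project_key: [role_dict, ...]}, each role_dict holding
    "name" and an "actors" list of {"type": ..., "name": ...} entries.
    external_users: usernames that are members of EXTERNAL_GROUP.
    """
    external = {u.lower() for u in external_users}  # compare usernames case-insensitively
    findings = []
    for project, roles in sorted(project_roles.items()):
        if project in EXTERNAL_PROJECTS:
            continue  # external users are expected here
        for role in roles:
            for actor in role.get("actors", []):
                name = actor.get("name", "")
                kind = actor.get("type")
                if kind == USER_ACTOR and name.lower() in external:
                    findings.append((project, role["name"], "user", name))
                elif kind == GROUP_ACTOR and name == EXTERNAL_GROUP:
                    findings.append((project, role["name"], "group", name))
    return findings


# Constructed sample data, not taken from a real instance.
SAMPLE_EXTERNAL_USERS = ["vendor.alice", "vendor.bob"]
SAMPLE_PROJECT_ROLES = {
    "EXTPORTAL": [{"name": "Users", "actors": [
        {"type": GROUP_ACTOR, "name": "ext-grp"}]}],
    "PAYROLL": [{"name": "Developers", "actors": [
        {"type": USER_ACTOR, "name": "jsmith"},
        {"type": USER_ACTOR, "name": "Vendor.Alice"}]}],
    "INFRA": [{"name": "Users", "actors": [
        {"type": GROUP_ACTOR, "name": "int-grp"},
        {"type": GROUP_ACTOR, "name": "ext-grp"}]}],
}

if __name__ == "__main__":
    for project, role, kind, name in find_external_grants(
            SAMPLE_PROJECT_ROLES, SAMPLE_EXTERNAL_USERS):
        print(f"ALERT: external {kind} '{name}' holds role '{role}' in {project}")
```

Run on a schedule against current role data, this catches both a direct user assignment and the whole external group being attached to an internal project's role.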
