Best way to set up JIRA permissions for internal/external users company/team managed projects?

Emily Brol November 7, 2024

We use both company-managed projects and team-managed projects for our work. We have external clients that need access to one specific team-managed project but should not have access to any other projects.

Currently I have the following groups set up:

  • internal-staff
  • external-staff
  • jira-software-users (default access group)
  • site-admins

1. What is the best way to allow the external-staff to ONLY view/edit the specific team-managed project?

2. Should I remove jira-software-users from all global permissions and only use internal-staff/external-staff to assign permissions?

3. Is internal/external staff grouping the best way to do this? I was thinking about creating a project role for the external-staff on the one project... but how do I give them permissions that only occur at the global level like 'browse users and groups' while also restricting them to only see the one project?

1 answer

1 vote
Trudy Claspill
Community Leader
November 7, 2024

Hello @Emily Brol 

Q1:

- All Team Managed projects need to have their Access Level set to Private, and the users that need access to them have to be explicitly assigned to roles in each one. With the Open and Limited Access settings, anybody with access to your Jira instance can see such Team Managed projects.

- Individual external staff members may still get invited to other Team Managed projects. There is no method to block that. Any Project Admin or Jira Admin would still be able to do that, granting them access to a project other than the single project to which you want to limit them.

- The Permission Schemes for the Company Managed projects need to be examined to ensure that none of the permissions are allocated to Public or Any Logged In User, and no permissions are granted to the external-staff user group.

- The best configuration for the Company Managed projects requires consideration for how much cross-project access is generally needed. Permissions can be allocated to User groups, Roles, individuals, and people specified in User fields in issues in those projects. If you want to prevent Project Admins from being able to inadvertently grant access to an individual in the External Staff, then you would want your Permission Schemes to use only User Groups. If the Permission Schemes use Project Roles, then a Project Admin could add an external staff member to a role in a project.

 

Q2:

If you don't use an IdP for user provisioning and group membership, you need to evaluate who can invite users to join your site, who can request access to your site, and whether or not those invitations/requests require approval. When users are added by invitations/access requests they will automatically be added to the jira-software-users group. Any permissions you give to that group could therefore end up granted to the external users. In that case I would recommend limiting the permissions allocated to that group to Global permissions like Browse Users, and use more specific groups for allocating permissions within projects.

 

Q3: 

I think I addressed this with my above responses.
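
Added example, not part of the original answer: one way to run the permission scheme check described under Q1 and Q2 over exported scheme data. The JSON shape and holder type names are an assumption modelled on Jira Cloud's permission scheme resource, and the scheme names, role id and grants below are constructed sample data.

```python
# Sample data is constructed. The JSON shape is an assumption modelled on Jira
# Cloud's permission scheme resource (a "permissions" list of holder/permission pairs).
EXTERNAL_GROUPS = {"external-staff"}
DEFAULT_ACCESS_GROUPS = {"jira-software-users"}

def classify(holder):
    """Return why a grant could reach external users, or None if it looks safe."""
    htype, name = holder.get("type"), holder.get("parameter")
    if htype == "anyone":
        return "Public: no login required"
    if htype == "applicationRole":
        return "any logged-in user with product access"
    if htype == "group" and name in EXTERNAL_GROUPS:
        return f"external group '{name}'"
    if htype == "group" and name in DEFAULT_ACCESS_GROUPS:
        return f"default access group '{name}' (invited users join it automatically)"
    if htype == "projectRole":
        return f"project role {name}: a Project Admin can add an external user to it"
    return None

def audit(schemes):
    """Return (scheme name, permission key, reason) for every risky grant."""
    findings = []
    for scheme in schemes:
        for grant in scheme.get("permissions", []):
            reason = classify(grant.get("holder", {}))
            if reason:
                findings.append((scheme["name"], grant["permission"], reason))
    return findings

SAMPLE_SCHEMES = [  # constructed, not from a real site
    {"name": "Internal Dev Scheme", "permissions": [
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "internal-staff"}},
        {"permission": "CREATE_ISSUES", "holder": {"type": "applicationRole"}},
        {"permission": "EDIT_ISSUES", "holder": {"type": "projectRole", "parameter": "10002"}},
    ]},
    {"name": "Legacy Scheme", "permissions": [
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "anyone"}},
        {"permission": "ADD_COMMENTS", "holder": {"type": "group", "parameter": "external-staff"}},
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "jira-software-users"}},
    ]},
]

if __name__ == "__main__":
    for scheme, perm, reason in audit(SAMPLE_SCHEMES):
        print(f"{scheme}: {perm} -> {reason}")
```

Project role grants are reported as warnings rather than errors, since they only expose a project if someone adds an external user to the role.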

Deployment type: Cloud
Product plan: Standard
Permissions level: Product Admin