Browse users permission should be restricted to shared projects

Users with browse users (global) permission are able to see all users in the system, even those in groups and projects they do not belong to. How to prevent this? Any help would be great, thanks!

13 answers

1 accepted

This topic is old, see https://jira.atlassian.com/browse/JRA-7776

With JIRA 6.2 there is a "limited user picker" as announced here: https://jira.atlassian.com/browse/JRA-7659, but this does not cover the watcher field.

The restrictions depend on the field in which you see these users. In the Assignee field for instance, a given user will only see the users with Assignable User permission. There are no further restrictions based on the groups to which the users belong. This would be hell and would make sharing work a nightmare in any company-wide instance. Imagine if you could only share work with users who belong to all the same groups as you.

Side note: If you see all users in Assigned or Watchers or Reporter, this means that all users have these permissions in that specific project. If they don't belong there, you should take a look at the project roles and permission scheme of that project and make sure only the people who need this project have these permissions.
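The side note above is the defender's check: if everyone shows up in the Assignee, Reporter or Watchers pickers, some grant in the project's permission scheme reaches everyone. The script below is an added example, not code from the thread or from Atlassian; it assumes the JSON shape returned by Jira's GET /rest/api/2/permissionscheme/{id}?expand=permissions (a "permissions" list whose entries carry a "permission" key and a "holder" with "type" and "parameter"), and the scheme it scans is constructed sample data.

```python
"""Flag permission-scheme grants that expose the whole user base in issue pickers."""
import json

# The permissions behind the pickers discussed in the thread: Browse Projects
# (watcher/reporter visibility and the final "can this user watch" check),
# Assignable User (the Assignee picker) and Manage Watchers.
PICKER_PERMISSIONS = {"BROWSE_PROJECTS", "ASSIGNABLE_USER", "MANAGE_WATCHERS"}

# Group names that in practice mean "every user in the instance".
# Assumption: adjust this set to the broad groups used in your instance.
BROAD_GROUPS = {"jira-users", "jira-software-users", "jira-core-users"}

# Constructed sample scheme (not taken from any real instance).
SAMPLE_SCHEME = json.loads("""
{ "id": 10000, "name": "Constructed sample scheme",
  "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "anyone"}},
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "projectRole", "parameter": "10100"}},
    {"permission": "ASSIGNABLE_USER", "holder": {"type": "group", "parameter": "jira-software-users"}},
    {"permission": "MANAGE_WATCHERS", "holder": {"type": "projectRole", "parameter": "10002"}},
    {"permission": "CREATE_ISSUES", "holder": {"type": "applicationRole", "parameter": "jira-software"}}
  ]}
""")


def is_broad(holder):
    """True when a grant reaches everyone rather than a project-scoped set of people."""
    kind = holder.get("type", "?")
    if kind == "anyone":
        return True
    if kind == "group":
        return holder.get("parameter") in BROAD_GROUPS
    # An application role covers every licensed user of that product.
    return kind == "applicationRole"


def find_broad_grants(scheme):
    """Return (permission, holder) pairs that make the full user list visible."""
    findings = []
    for entry in scheme.get("permissions", []):
        perm = entry.get("permission")
        holder = entry.get("holder", {})
        if perm in PICKER_PERMISSIONS and is_broad(holder):
            who = holder.get("type", "?")
            if "parameter" in holder:
                who += ":" + holder["parameter"]
            findings.append((perm, who))
    return findings


if __name__ == "__main__":
    for perm, who in find_broad_grants(SAMPLE_SCHEME):
        print(f"{SAMPLE_SCHEME['name']}: {perm} granted to {who}")
```

Each finding is a grant to move from "anyone" or a company-wide group onto a project role, which is exactly the fix the side note recommends.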

1 vote

They can be listed as watchers - the point of the field is that you can include anyone you want.

If a watcher does not have "browse" permission in the project, then they will not be sent any emails though, as they can't see the issue (there are add-ons that allow you to breach that security and allow you to leak, but that's another conversation).

The logic for this is simple - how does JIRA know that a user you add as a watcher might not be added to the project later? It can't possibly know that, so the code is kept simple - if you can see a user, you can put them in as a watcher.

Right now I have a problem with the watcher field. Browsing for users to add them manually as watchers shows me the full list of all users, even those not playing any role in the project. I guess they can't be added as watchers, but they should not be listed.

My expectation is simple: Users not playing a role in the project should not be listed. The reason is, we don't want to show to everyone the users we have. This is also a matter of confidence.

0 vote

The whole point of the watchers facility is that people can be watchers without having to be a user in the project.

If I click on the watcher field and select the name of a person that doesn't have a role in the project, I get this message from Jira:

There was an error adding watcher
The user "username" does not have permission to view this issue. This user will not be added to the watch list.

Does this really make sense?


Yep, this is to be expected. In the Permission Scheme, there's a Watch Issues permission. Set it to the Viewer Project Role (and above), so that all users who are at least Viewer can be watchers.

Sorry, not true what I just said. They need the Browse Project permission.

I assume the main issue here is the Browse Users permission in the Global Permissions section. You need this permission in order to easily search for a user, but the final check, whether a user can be added as a watcher or not, occurs when you click the selected user in the list. This is too late.

0 vote

Yes, it makes perfect sense - if I am trying to involve Dave in my issue, but he can't see it at all, then there's a red flag that I need to get him added to the project, at least as a read-only user (which might not be the same as "adding them to the project" in other senses).

It's even worse if I have to go hunting around for why Dave can't be added as a watcher. In this way, a) I can find him easily and b) get told why I can't add him.

If you limit the watchers field to the project, then you make problems for yourself - when project membership changes, you have to start editing fields on issues, which is not sane or useful, and, as I said, the point of watchers is to include people, so you want the whole list.

With reference to the point:
when project membership changes, you have to start editing fields on issues, which is not sane or useful, and, as I said, the point of watchers is to include people, so you want the whole list.

We have the situation where users become inactive, leave the company, etc. The watcher field then is just history.

I have a concrete case where users shouldn't be able to see all the users in the system. I tried to remove the Browse Users permission and was expecting it to work by typing in the username. But it didn't work.

0 vote

I'm afraid that the watchers field is not of any use unless you can draw everyone in, that's why it's been done the way it has.
