Users with browse users (global) permission are able to see all users in the system, even those in groups and projects they do not belong to. How to prevent this? Any help would be great, thanks!
The restrictions depend on the field in which you see these users. In the Assignee field for instance, a given user will only see the users with Assignable User permissions. There are no further restrictions based on the groups in which the users belong. This would be hell and would make sharing work a nightmare in any company-wide instance. Imagine if you could only share work with users who belong in all the same groups as you.
Side note: If you see all users in Assigned or Watchers or Reporter, this means that all users have these permissions in that specific project. If they don't belong there, you should take a look at the project roles and permission scheme of that project and make sure only the people who need this project have these permissions.
They can be listed as watchers - the point of the field is that you can include anyone you want.
If a watcher does not have "browse" permission in the project, then they will not be sent any emails though, as they can't see the issue (there are add-ons that allow you to breach that security and allow you to leak, but that's another conversation)
The logic for this is simple - how does JIRA know that a user you add as a watcher might not be added to the project later? It can't possibly know that, so the code is kept simple - if you can see a user, you can put them in as a watcher.
If I click on the watcher field and select a name from a person that doesn't have a role in the project, I got the message from Jira:
There was an error adding watcher
The user "username" does not have permission to view this issue. This user will not be added to the watch list.
Does this really make sense?
I assume, the main issue here is the Browse Users permission in the Global Permission section. You need this permission, in order to easily search an user, but the final check, if an user can added as watcher or not, occurs upon you click the selected user from the list. This is to late.
Yes, it makes perfect sense - if I am trying to involve Dave in my issue, but he can't see it at all, then there's a red flag that I need to get him added to the project, at least as a read-only user (which might not the same as "adding them to the project" in other senses)
It's even worse if I have to go hunting around for why Dave can't be added as a watcher. In this way, a) I can find him easily and b) get told why I can't add him.
If you limit the watchers field to the project, then you make problems for yourself - when project membership changes, you have to start editing fields on issues, which is not sane or useful, and, as I said, the point of watchers is to include people, so you want the whole list.
With reference to the point:
when project membership changes, you have to start editing fields on issues, which is not sane or useful, and, as I said, the point of watchers is to include people, so you want the whole list.
We have the situation when users became inactive, left the company, etc. The watcher field then is just history.
I have a concrete case, that users shouldn't be able to see all the users in the system. I tried to remove the permission from the browse users permission and was expecting, it would work by typing in the username. But it didn't work.
Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
We're bringing product updates and pro tips on teamwork to ten cities around the world.Save your spot