Creating a Read Only user in Jira

Elior Odinak December 12, 2018

I need to create a read-only group in Jira. I went ahead and created one and only gave them "Browse Project" capability. From what I understand, I now need to go into each workflow and set a condition so that all other groups can transition in the workflow other than my read-only group.

Is there a way to set a condition that just says read-only CANNOT transition in the workflow? Otherwise I have to add like 5 conditions to each transition to each workflow for all my projects. Is there a way to add just one condition that simply states that this group is the only group that cannot do this?

Alternatively, is there a simpler way to set up a read only group in Jira? It was super easy in Confluence, but does not seem to be as straight forward a set-up in Jira.

2 answers

1 vote
Leo
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
December 12, 2018

Hi @Elior Odinak,

 

If you are on jira 6.3 or above you will be seeing "Transition Issues" permission in permission scheme, and If you are not adding your read-only group/user here they won't have permission to make any transitions 

 

tran-issues.png

Elior Odinak December 13, 2018

I didn't add the group there and the user can still transition. The only permission they are added to is the Browsing permission, so they can see the projects. 

Leo
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
December 13, 2018

Hi @Elior Odinak,

 

Can you give more details on this

Jira version? if it is on 6.3 or above check this "Transition Issues" permission who are all having access/permission

Elior Odinak December 13, 2018

Jira Software Cloud. 

I checked the transition issues permission and the only ones who have access are "Application access: Any logged in user" and some Project role for atlassian add-ons. So not my group or role that I created for Read Only users.

Leo
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
December 13, 2018

Hi,

That makes sense here, "Any logged in user" is like giving access to all users 

so anyone has access to browse your project, they can make the transitions too

If you are having access to modify permission scheme then you need remove "any logged in user" and add the "group/project role" whom you want to grant access for making transitions

This page may help in permission scheme configuration:  https://confluence.atlassian.com/adminjiracloud/configuring-project-permission-schemes-868982875.html 

Elior Odinak December 13, 2018

Ok so according to that logic I would need to remove any logged in user from all the permissions (which is a lot of permissions) for all my projects, since that is how it is set up at default.

Joe Pitt
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
December 13, 2018

Yes. Out of the box JIRA has a terrible security model. 

JIRA works by GRANTING access. You can't restrict access. By default, it grants access to the group used to logon (used to be JIRA-users but may be different on your version).  This is where they’re getting the access from.

 

  1. The FIRST thing you need to do to get control is to remove any groups with logon privileges from the permission scheme unless you absolutely want everyone to have that permission.
  2. Then I suggest you setup Project Roles for the various functions like, tester, QA, Browse Only, etc.
  3. One permission scheme will cover almost all projects. The project admin controls project role membership

 

This may be a big effort, but it will pay off down the road by making it easy to control access.

 

Most of the 'old timers' use project roles. It meets the best practice for security and gives complete control to the project lead for access to their project. JIRA comes with many project roles, but you can add more if you have a special need.

Elior Odinak December 13, 2018

Thank you all for the explanations. 

0 votes
Raynard Rhodes
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 12, 2018
Elior Odinak December 12, 2018

Yes, I read this one. The issue I have is I'm going to need to add like 5 conditions to every transition to 3 separate workflows. I was wondering if there was a way to add 1 condition that says this group is the group that DOES NOT have permission to do this. The way this is set up, the condition is for a particular group that CAN do this action which means I need to add every group vs just adding 1 group that can't do it. Hope that makes sense.

Suggest an answer

Log in or Sign up to answer