Global Permissions: The group 'SYSADMIN' is not allowed to be added to the permission 'JIRA User'

I've got an AD group for system administrators that I've given the all the other Jira permissions, but when I try and give the group the "Users" permission I get the error:
The group 'SYSADMIN' is not allowed to be added to the permission 'JIRA User'

I seem to be able to add any other AD group, just not this one. I don't see anything being reported in the logs. Is there setting I need to fix?

The issue appears to be the same as this question.

2 answers

1 vote

Jira is trying to stop you from accidentally granting ALL your users complete system admin rights.

  • If a group has either of the global permissions that grant "administrate Jira", then they have most, or all admin rights. All administrators can log in, even if they're not in the "Use Jira" permission (usually given to the group "jira users")
  • If a group is added to the "Jira user" permission, like "jira users" is by default, then the users in the group can log in.
  • The problem here is with new users. When you add new users, they automatically get added to ALL groups that are named in the "jira user" permission.

So... if you could do what you're trying to do, then from the point at which you did it, any new users you add would be granted system adminstration rights. Which is probably a bad idea.

Anyway, there's a really simple fix - don't do it. There's absolutely no point in adding admin groups in there. All the "use jira" permission does is let you log in. All administrators can log in as well. So they already have all the rights you'd be giving them by adding the group.

That makes sense. Then how does a user with Administrative rights share a filter? It appears only Users have that permission.

Ahh, that's another "global permission". You need to add the "sysadmin" group to the global permission "create shared objects"

That one doesn't have any quirks like the "can log in" one. Just add sysadmin, there's no side effects.

Okay, I've switched the permisions but when I try and share a filter using a user in the "sysadmin" group I get back a page that says: "'User' does not have permission to access this page." The user can create new shared objects, as per the Global Permission, but cannot share.

Ok, now that sounds broken. As long as they're in the sysadmin / can share objects permission, they should be fine. The fact you get offered the option means you've set it up right. But can you confirm where you're trying to share the filter from?

On the Filter's page I click on the "Details" link next to a filter I have selected. An inline box pops up with the Owner, Permission and Subscriptions. Clicking on "Edit permissions" redirects me to the permission denied page. Likewise for the "New subscription" button.

Hmm. You can only edit your own filter shares (admins can edit other people's filters via admin, not the filter views), but it shouldn't be offering you that option if you can't use it.

I think this might need to go to Atlassian support, it feels broken.

Looks like the accepted solution is "don't do that."

Or just put all the people in your System Admininstrator AD group also in your jira-users group :)

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 27, 2018 in Portfolio for Jira

Introducing a new planning experience in Portfolio for Jira (Server/DC)

In the past, Portfolio for Jira required a high degree of detail–foresight that was unrealistic for many businesses to   have–in   order to produce a reliable long-term roadmap. We're tur...

2,663 views 18 21
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you