Global Permissions: The group 'SYSADMIN' is not allowed to be added to the permission 'JIRA User'

John Westlund May 2, 2014

I've got an AD group for system administrators that I've given the all the other Jira permissions, but when I try and give the group the "Users" permission I get the error:
The group 'SYSADMIN' is not allowed to be added to the permission 'JIRA User'

I seem to be able to add any other AD group, just not this one. I don't see anything being reported in the logs. Is there setting I need to fix?

The issue appears to be the same as this question.

2 answers

1 vote
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
May 2, 2014

Jira is trying to stop you from accidentally granting ALL your users complete system admin rights.

  • If a group has either of the global permissions that grant "administrate Jira", then they have most, or all admin rights. All administrators can log in, even if they're not in the "Use Jira" permission (usually given to the group "jira users")
  • If a group is added to the "Jira user" permission, like "jira users" is by default, then the users in the group can log in.
  • The problem here is with new users. When you add new users, they automatically get added to ALL groups that are named in the "jira user" permission.

So... if you could do what you're trying to do, then from the point at which you did it, any new users you add would be granted system adminstration rights. Which is probably a bad idea.

Anyway, there's a really simple fix - don't do it. There's absolutely no point in adding admin groups in there. All the "use jira" permission does is let you log in. All administrators can log in as well. So they already have all the rights you'd be giving them by adding the group.

John Westlund May 2, 2014

That makes sense. Then how does a user with Administrative rights share a filter? It appears only Users have that permission.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
May 2, 2014

Ahh, that's another "global permission". You need to add the "sysadmin" group to the global permission "create shared objects"

That one doesn't have any quirks like the "can log in" one. Just add sysadmin, there's no side effects.

John Westlund May 5, 2014

Okay, I've switched the permisions but when I try and share a filter using a user in the "sysadmin" group I get back a page that says: "'User' does not have permission to access this page." The user can create new shared objects, as per the Global Permission, but cannot share.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
May 5, 2014

Ok, now that sounds broken. As long as they're in the sysadmin / can share objects permission, they should be fine. The fact you get offered the option means you've set it up right. But can you confirm where you're trying to share the filter from?

John Westlund May 5, 2014

On the Filter's page I click on the "Details" link next to a filter I have selected. An inline box pops up with the Owner, Permission and Subscriptions. Clicking on "Edit permissions" redirects me to the permission denied page. Likewise for the "New subscription" button.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
May 5, 2014

Hmm. You can only edit your own filter shares (admins can edit other people's filters via admin, not the filter views), but it shouldn't be offering you that option if you can't use it.

I think this might need to go to Atlassian support, it feels broken.

0 votes
John Westlund May 5, 2014

Looks like the accepted solution is "don't do that."

Peter Van de Voorde
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
May 8, 2014

Or just put all the people in your System Admininstrator AD group also in your jira-users group :)

Suggest an answer

Log in or Sign up to answer