It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

How do I prevent users from seeing/accessing projects that they are not assigned to?

I have multiple projects, but not all users work on all projects. I only want a specifc user to see and access only the project he is assigned to. How do I do this?

5 answers

To expand in a bit more detail. Here is how you get from a given User, to Permissions at the Project level.

  • Users --> Groups --> Role --> Permissions

We have 8 different Roles set up in JIRA; Administrators, Analysts, Developers, Managers, QA, Source, Users, Clients. To Add/Edit/Remove Roles, use shortcut g+g and type Roles.

Most of our Permission Schemes are set up using Project Roles exclusively. There are a few exceptions that use Current Assignee , such as Edit Issues permission will commonly have:

  • Project Role (Administrators)
  • Project Role (Analysts)
  • Project Role (Developers)
  • Project Role (QA)
  • Current Assignee

While the Close Issues permission will have:

  • Project Role (Administrators)
  • Project Role (Analysts)
  • Project Role (QA)

After you have your Roles and Permission scheme setup, and locked down to your needs, what you do next is up to you. You have two options from here.

1. Remove the Groups from the Roles section of a project, and add specific users to each role on a per project basis

or

2. Create project Groups, add these groups to the Project Roles, and add users to these groups.

#1 will require a bit more maintanence. In order to keep track of who is assigned on which project, the administrator will have to navigate to each project individually and look at the Roles section, and see who is listed where. Any changes needed across multiple projects is a bit daunting.

#2 has a bit more set up, but is easier to maintain, because you can see who has access to all, or any given project from a single screen (User Management), and make changes there. Want to add a new QA hire to 6 out of 15 projects? Simply bring up that user, click Add Group, CTRL+Click all of groups who's permissions corrilate to each of the projects you want, and click Add. You've just added that user to 6 projects, and given them the exact permissions they need on each of those projects at the same time. Need to restrict visibility of a project? Simply remove that user from those corresponding groups.

We use model # 2 for our business. We maintain it by using the Project Key as part of the group name. For example, if we have a project called Operations, we use OPS-Admin, OPS-Analysts, OPS-Dev, etc, as the group names, one for each of the Project Roles. In our model, we typically assign out 2 groups per user. The OPS-User group will give the ability to browse the project OPS, along with create issues, add attachments, comments, and so on (based on our Permission Scheme setup). And, we also give them the group for the specific role they are fulfilling, such as OPS-Dev if they are a developer.

Someone has an answer for this topic?

0 votes

Remove ALL access to projects that is done via "can log in" (look in global permissions to find out what goups are named in "can log in" - by default, it's "jira users").

Then rebuild everyone's general access using other groups or roles, except for this one user.

I ran into this topic while searching for something else. Recently I've been testing this against the old view. For the old view, what I can say is that I've found this to be true: 

IF you grant PROJECT SCHEME PERMISSION > BROWSE PROJECT
to the GROUP these users are in (any group)
because of PERMISSION SCHEMES are SHARED, GROUP members can see EVERY PROJECT sharing that SCHEME,
EVEN IF that GROUP has NO GRANT to the global BROWSE permission.
ELSE they see only their own projects.

IF you apply PROJECT PERMISSION > BROWSE PROJECT
to the ROLE
the user has to be in the PROJECT with THAT ROLE to see a project they are ASSIGNED TO
and CANNOT VIEW OTHER PROJECTS, even if the PERMISSION SCHEME is shared by multiple projects UNLESS the user is a member of some of those other projects also.
* I have not tested how this config behaves if the user is a member of two projects with the same permission scheme, but user is in two different roles, one that allows browse project at the role level and one that does not.

*NOTE: IF you remove all of the user's GROUPS from GLOBAL BROWSE capabilities, they will not be able to @MENTION any users in comments, or from what I can tell, see users in system-default user-based drop downs. It's a JIRA limitation that the community can't seem to find a workaround for.

Suggest an answer

Log in or Sign up to answer
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you