Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,293,412
Community Members
 
Community Events
165
Community Groups

How does exactly issue level security work?

Hi,

I've a customer project that will be handled over to the customer for UAT. It means that I'll invite the customer to join JIRA to execute its tests there. Now, I don't wanna create a new project only for that sole purpose and I also don't want to show them the issues we've worked on until the hand over. I would like to show only the ones that concerns them (are created by their individual users, under the same role).
What is the best way of doing it? Is issue lever security a tool for that?

Thanks in advance,
Balázs

4 answers

1 accepted

14 votes
Answer accepted

You can do it with issue security schemes.   The most simple way to explain it is an example:

Create a security scheme with these three levels and their settings:

  • Private.  Role A, Role B, Role C
  • Confidential:  Role B, Role C
  • Classified:  Role C

Apply that to a project where Roles A, B, C and D all have "browse project".

On each issue, you can set the security level to "empty", or one of the three I've definied above.  Empty means A, B, C and D can see the issue.  Private effectively stops D seeing it, Confidential means only B and C, and Classified blocks all but C.

BUT.  If you really mean "I only want the Client Reporter and my internal Developers to see an issue", then just set "Browse = Reporter, Role:Developers".  You don't need security schemes to do that any more (You used to, or you could use the better option of "reporter browse", but "Browse: Reporter" has been fixed to meet expectations in later versions of Jira)

Hi Nic Brough [Adaptavist],
thanks for your quick answer. I got to the point where I set up the security levels, but don't know exactly how that works on the issues itself. At the moment, when I create (administrator role, that has permission to  Set Issue Security) an issue I don't see this security level field, however on the screen configured for my project, it is on the field tab. How does that work?
Thanks again,
Balázs

The create, edit, view and transition screens are separate entities (although they can be shared).  It sounds like you have everything right for "edit" ("level" field on screen, set scurity permission), but it's not on the Create screen.

Go to the project settings and drill down through the "issue type screen scheme" until you land on "create"

Like Riptide Helpdesk likes this

Hi Nic,

I'm finally ready with the full set-up. The only missing point was that I forgot to attach the security level scheme to the project itself. I've created it, everything was ready, but this little step was missing :)
I'm now in full control, migrated the old tickets to have the necessary security level value, created a separate board for the customer and also restricted its right only to that board.
Once again, thank you very much for you support and help.

Kind regards,
Balázs

Hi @Balázs Bogda,

 

Yes, the issue-level security can work fine, you can find all the information about the issue security level here: 

https://confluence.atlassian.com/adminjiraserver/configuring-issue-level-security-938847117.html

 

Regards,

Adrián.

Hi @Adrián Plaza,
I've seen that documentation and I'm here for the missing part ;-)
Thx, Balázs

Hi @Test,

 

The Security Level field has been hidden on purpose, please see the limitations of doing so in Hiding or showing a field.

You need to enable/show the field in the field scheme, you can finde more information here: https://confluence.atlassian.com/adminjiraserver073/specifying-field-behavior-861253403.html#SpecifyingFieldBehavior-Hidingorshowingafield

 

Regards,
Adrián.

Like Dmitry Zorin likes this

Hi Andrián,

On my default screen schemes this field was not hidden. I had some difficulties with the set-up itself, but now it has been solved. Thanks for your comments and shared links.

Kind regards,
Balázs

This is for all the issue types in one project, correct?  Are we able to limit the security to just one issue type?

Hi everyone,

Sorry for commenting on an old post but I have a couple of questions in regards to how the Issue Security is configured

1) Does the browse project permission override the issue security?

2) Are people with global administrator rights able to bypass issue security?

 

Thanks & regards,

No problem - your follow-up question is still relevant to the topic.

1) No.  It is more the other way around.  The "browse project" permission tells us who can see all the issues in a project.  Issue security then limits who can see individuals issues (no security level = everyone who has browse project.  Security level set = only the people in that security level)

2) Indirectly, they can.  There's no way for a global admin to see an issue with a security level set to exclude them.  For example, if "top secret" level says "only people in group X can see these issues", then an admin who is not in group X will not see the issue.  There's no way for them to find it, it is completely hidden from them.  But, as global admins, they could see, and then change or remove the security scheme, or put themselves into group X.

Like # people like this

Hi @Nic Brough _Adaptavist_ ,

 

Apologies for the delayed response. Thank you for your comment explaining the hierarchy. I was able to get the desired setup.

One follow up, is it possible to add the watcher of a ticket to the governing issue security level?

 

Thanks!

Yes, but if you want to do it automatically, you will need to code for it.

Hi @Nic Brough _Adaptavist_ ,

 

Thank you for your reply. Is there any documentation/ reference available to help start in the right direction with the coding?

 

Thanks!

Depends on how you want to implement this code.  Do you want to write an app for yourself or are you thinking to use something like ScriptRunner?

Id prefer to do it with ScripRunner.

Like Christos Moysiadis likes this

Suggest an answer

Log in or Sign up to answer
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you