How many permission schemes do I need?

I am using Jira and I want to set up 3 groups of users. Each group will have its own projects and will not be able to access the projects of the other groups. Otherwise, all users and groups will have the same permissions. Can I do this with 1 permission scheme, or do I need a permission scheme for each group?

2 answers

1 accepted

Typically one scheme is fine, you just have to make all granted permissions based on the project roles; from there, each project's roles will have different users.

If you make the privs group based directly, then you'll need an explicit scheme for each set of groups.

OK, I have added all 3 projects to the default permissions scheme. Now how do I limit the projects that each user can view? For example I have a user which is only in Group A that is only supposed to view Project A. When he logs in, he can view projects A, B and C. How do I limit Group A to Project A?

You probably don't want to use the default permission scheme, as it may not be appropriate for you to make changes to it. If the user in Group A can view all 3, that means the "Browse Project" permission is either open to the "jira-users" group (or some other widely open group), or else it's based on the "Users" role, and that role is open. I would copy the default priv scheme to something specific for your 3 projects, make certain no privs are group based, then check each project role to make sure it is restricted appropriately.

I have followed your suggestion and created a new permission scheme. However, I am still having problems getting this to work. This is my setup: All projects have been added to the same permission scheme. User A has been added to group A. Group A has been added to project A. User B has been added to group B. Group B has been added to project B. User C has been added to group C. Group C has been added to project C. When I log in as user A, that user has access to projects A, B and C. Each user is also in jira-users and no other group. What am I doing wrong?

"jira-users" typically has "browse project" privs through being in the "Users" role for a project... at least, using the default project roles and permission scheme. So you'd have to remove "jira-users" from that role, or remove that role from the browse permission. That's a guess, of course, I'd need to see the scheme and project roles to be certain.

My new permission scheme is a copy of the default permission scheme. I deleted jira-users from the browse project role and User A can still browse all projects. I don't understand how to remove the role from the browse permission. What is the difference between removing "jira-users" from the browse role and removing that role from the browse permission?

Step #1 is to remove "jira-users" from the "Browse Projects" privilege in the permission scheme; if the permission scheme includes "Group (jira-users)", that group has explicit access independent of the project roles. If it has "Project Role (Users)", then only users/groups in the project's role have access. So you make the browse privilege in the permission scheme "Project Role (Users)" (and nothing else), then you adjust the "Users" role for the project so that "jira-users" isn't in the role, just "Group A" is in the role.

Now I have tried very hard to follow your instructions exactly. User A is in Group A and in jira-users. Group A has been added to project A. It is the only group in the project. All projects are in my new permission scheme. Now user A cannot access any projects. What else do I need to do?

When you say "Group A has been added to project A", please be very specific? Ideally, you mean "Group A" is in Project A's "Users" role. Further, you need "Role (Users)" to be in the "Browse Projects" permission in the permission scheme.

Summary: User A needs to be in Group A. Group A needs to be in the project's "Users" role. The project's "Users" role needs to be in the permission scheme for "Browse Projects". That's it.

New summary that covers all of the discussion points. User A needs to be in Group A. Group A needs to be in the project's "Users" role, and "jira-users" needs to not be in the project's "Users" role. The project's "Users" role needs to be in the permission scheme for "Browse Projects", and "jira-users" needs to not be in the permission scheme for "Browse Projects".

Thanks Jeremy, this works like I want it to work. I knew if I could just find out how many permission schemes I needed it would eventually lead to the correct answer. Now when I add new users, I can simply add them to the correct groups and they will have access to the projects that can be accessed by those groups, with all the same permissions as everyone else in those groups.

You have to understand that the Permission Scheme can work with "Roles", which you will have to define yourself too. So one Permission Scheme is fine. For example, in the "Browse" Permission (ability to view the project) put in a "Role" you want to have access to this permission. Then in the Project "Roles" section, add your desired "group" in that role.
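
The evaluation both answers describe, as an added example that is not part of the original thread and not Atlassian code: a simplified Python model of how one shared scheme's "Browse Projects" grants combine with per-project role membership, plus an audit for the two places "jira-users" can leak access. All user, group and project names and the `can_browse`, `visible` and `audit` helpers are constructed for illustration.

```python
# Simplified model of "Browse Projects" evaluation with one shared permission scheme.
# Added example: every user, group, project and scheme below is constructed sample data.
USER_GROUPS = {
    "userA": {"jira-users", "Group A"},
    "userB": {"jira-users", "Group B"},
    "userC": {"jira-users", "Group C"},
}
PROJECTS = ("Project A", "Project B", "Project C")

def can_browse(user, project, scheme, project_roles):
    """True if any 'Browse Projects' grant in the shared scheme matches the user."""
    groups = USER_GROUPS[user]
    for kind, name in scheme["Browse Projects"]:
        if kind == "group" and name in groups:
            return True  # group grant: applies in every project that uses the scheme
        if kind == "role" and groups & project_roles[project].get(name, set()):
            return True  # role grant: depends on this project's own role members
    return False

def visible(user, scheme, project_roles):
    return sorted(p for p in project_roles if can_browse(user, p, scheme, project_roles))

def audit(scheme, project_roles, broad=frozenset({"jira-users"})):
    """List every place where a broad group still grants 'Browse Projects'."""
    findings = [f"scheme: Group ({n})" for k, n in scheme["Browse Projects"]
                if k == "group" and n in broad]
    for project, roles in sorted(project_roles.items()):
        for k, n in scheme["Browse Projects"]:
            if k == "role":
                findings += [f"{project}: role {n} contains {g}"
                             for g in sorted(roles.get(n, set()) & broad)]
    return findings

# Scheme that still carries a direct group grant next to the role grant.
LEAKY_SCHEME = {"Browse Projects": [("group", "jira-users"), ("role", "Users")]}
# Scheme from the final summary: "Project Role (Users)" and nothing else.
FIXED_SCHEME = {"Browse Projects": [("role", "Users")]}
# Project group added to the "Users" role, but jira-users never removed from it.
LEAKY_ROLES = {p: {"Users": {"jira-users", f"Group {p[-1]}"}} for p in PROJECTS}
# Project group placed in a role the scheme does not grant: nobody can browse.
MISPLACED_ROLES = {p: {"Developers": {f"Group {p[-1]}"}} for p in PROJECTS}
# Only the project's own group is in its "Users" role.
FIXED_ROLES = {p: {"Users": {f"Group {p[-1]}"}} for p in PROJECTS}

if __name__ == "__main__":
    print(visible("userA", LEAKY_SCHEME, FIXED_ROLES))     # leak through the scheme
    print(visible("userA", FIXED_SCHEME, LEAKY_ROLES))     # leak through the role
    print(visible("userA", FIXED_SCHEME, MISPLACED_ROLES)) # locked out
    print(visible("userA", FIXED_SCHEME, FIXED_ROLES))     # isolated
```

Running `audit` against the real scheme and role membership before and after a change shows whether either leak path is still open.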
