How to grant a user access that they can only view one project?

Hi All,

For the life of me this is driving me nuts. I am trying to give specific users an access so they can only view one project instead of all the ones we have. I have tried all different solutions that was posted but none of them worked. I don't know why something like this is so difficult and frustrating when it is one of the features that people use a lot. Please can someone list step by step instructions as to how to do this?

 

Thanks!

1 answer

Comments Closed
This widget could not be displayed.

It's because Atlassian distribute JIRA with an open default model that doesn't suit those of us who need to restrict projects.

By default, there's a group for "users who can log in".  jira-users.  It's named in the Global Permissions as that.  The default permission scheme then says "Browse project: role of users".  Those two are fine on their own, but the bit that's wrong is that they then include jira-users in the role of users by default.  So every new project is set up with jira-users able to see it. 

The best approach is to unpick that.  Go to admin -> roles and remove jira-users from the default membership.  Then, go over every project and remove jira-users from every "users" role (and, frankly, anywhere else it is used in projects) adding back only the users you want to see that project (via individuals or other groups)

Once that's done, new users will be able to log in, but see nothing until they're explicitly added to the project

Hmm...so that is the only way huh? No easier way?

Well, the other option is to create a new group called something like jira-login.  Add that to the "can log in" global permission, put all your currently active users in it, and then remove jira-users from the global permission.  Now you can restrict people by removing them from jira-users and then adding them to only the projects they should see.

It's doing the same thing really, but it's probably quicker than the first description.

Hi Nick, i also need urgently the answer to the same question.

However, the procedure is not clear to me. I lost you at "add that to the login global permission". What do you mean by that? And where do you find "can log in" in the global permission. i don't see it.

Tnx a lot in advance.

Kat

Hi Kat,

I was finally able to do this and hopefully can help you with my steps. So what I did basically was this.

  1. Create a group and include the users in that group that you want to have access to the project.
  2. Copy the default permission scheme and name it whatever you want.
  3. Remove all the permissions from the copied scheme that has Any Logged User under Granted To.
  4. Add the group that you created to Granted To where you removed Any logged user.
  5. Assigned the copied Permission Scheme to the project that you created.

Then you can do the same for another project by just copying the permission scheme that you already created and replace the group with the new group and assign the permission to the new project. Hope this helps! Let me know if you have any questions.

Hi Kat,

It's the "JIRA users" line in the global permissions, it says something like "these users can log into JIRA".

 

Hi David,

Thanks for the quick answer.

I did #1 and #2 and then stuck at #3. I don't see "Any Logged User" field and therefore cannot proceed.

This is what i see:

permissions.png

 

Am i in the correct screen?

This should be so easy and it is so frustrating.

Thanks a lot in advance!

Kat

You are in the right screen.

I'm not sure what David means by "any logged user" - JIRA doesn't have that.  I think what he's trying to say is to remove the use of any groups in the permission scheme that let people log into JIRA and have been re-used to allow them permissions as well. 

As discussed above, the default setup is for the group jira-users to be the "can log in" group.  That is set up in the "global permissions" admin setting.

Your permission scheme is actually perfectly fine as it is from what I can see.  It does not use groups other than the administration ones, which means

a) You can reuse the scheme in many projects and still have different user access

b) You can delegate the user access to the project owners

So, I would now go and look at the project - in the "roles" for the project, you will find a line for "users" and the "JIRA users" group is likely to be in it.  That's what you need to remove.  As it's saying "anyone with a login can see this project".  You need to replace it with a smaller set of users - those who should have access.

Then repeat this for all the projects making sure your "user who should only have access to one project" is only a user in that one project.

Hi Nic,

By smaller set of users you mean roles or groups? So let's say from the project  roles i have removed JIRA users, but now i need to add a new project role, right? Bcs when i removed the users (JIRA users), the only roles that left is admin and the developers (jira- developers) and the users that i want to put to the project are not developers, meaning i want  to put it under a new role (that i will define).. Am i on the right way?

Hope i will eventually set this properly:)

Tnx

Kat

Hi Kat,

Yes you are on the correct screen. I dont know why you dont see the Any logged user as it was there for me but that is not important now. All you have to do now is assign the group that you created to the permissions you want them to have for that project and then assign that scheme to that project. 

 

Hope it helps!

Hi David,

But it doesn't prevent them from seeing other projects. 

Please advise.

 

Tnx

Kat

Ok which group/user/role do you have under Granted To?

Hi David,

Please see below:

permissions.png

However, this is the copied default scheme.

Tnx

Kat


>By smaller set of users you mean roles or groups? 
Yes, you have got that absolutely right.  When you remove "JIRA users", that stops most/all people from seeing the project.  So you need to add back the users and/or groups into the roles to allow them to use the project.

For your new role, yes, add the role, then go to the projects and add users and groups to it.

Hi David,

> "I dont know why you dont see the Any logged user as it was there for me "

That sounds like you (or your other admins) have added a group called "Any logged user".  

Thank you Nick.

So what i did, I created a new role (on a global level) and added a group that i linked to the role.

However, it is not clear to me, how do i now add the role to the project. I do not see this option. I only see an option to add new users to the existing roles.

Please let me know

 

Tnx!

Kat

You've already done it from what you have said

> I created a new role (on a global level)

Ok, great.  A role is a global artefact that appears for all projects.  You don't need to "add" it anywhere.

>and added a group that i linked to the role.

There are two ways to add a group to a role - there's the default (which means "when I create a new project, put this group in the project role automatically), and the project user maintenance, under porject admin -> roles.  If your new role is not appearing in there, then you have not added it.

Hi Nick,

 

But i have added the group to the role, you can see in the below screen:

inner.png

So now i want to link the role to some projects and i simply don't have option for it..

project_roles.png

Your first screenshot is of the default membership of the role, as I mentioned earlier.

Your second screenshot is the project view of current members.  Try clicking "add users to role" in there and you'll get the edit version (slightly misleading as it also lets you remove people from roles, and work with groups)

Hi Nick,

I managed it.

I have added a new role with the group of the selected users to the specific project. (after removing the jira-user role).

Then i have logged in as a user that is not in the group of users that where added to the new role, and i expected that that user wouldn't be able to preview that project, however, this didn't happen. 

What did i do wrong? I did all what you suggested.

Please let me know.

Tnx

Kat

The new user is still in one or more groups that let them see the project.  Probably the "JIRA users" group which lets them log into the system as a whole.

Hi,

Yes, that user is in the JIRA users group, but i have removed that group for the project role, so how come he can still see it?

 

Tnx

Kat

What, exactly, does the permission scheme for the project say on the "browse project" line?

I didn't understand i needed a new permission scheme. Now i created it, removed the JIRA users from the browse project line, and finally, when logged in with the user that is not added to the group in the new role i don't see the project:)

My additional question is, if the JIRA user group though still exists in issues permission, attachment permission, comments permission in the new permission scheme, do i need to remove it also from there, or it is enough just to remove it from the browse project line?

Tnx

Kat

Ahh, good.

You should remove it really.  It's quite hard to comment or attach on something you can't see, but you can do it if you have the permissions.  An example might be that if you enable incoming email and someone who cannot see ABC-123 sends JIRA an email with a subject like "I can't see ABC-123", then that will be imported as a comment, despite the user not being able to see it!

Nick, thank you very much for you help!

Hi all, is this possible to do with the Atlassian Cloud version?  If it is the above is really useless.  I can't follow it and I doubt anyone else can either.  To repeat one of the comments above this should be easy and its not.  Is it dealt with simply anywhere else?

 

The problem is probably that the explanation explains what is going on as well as how to change it.

If you don't understand the underlying problem, then it's going to be very hard to fix it, especially if your requirements are not exactly the same as the situation a particular guide is written for.

So, yes, this is for Cloud, but I suggest you go back to the original answer and forget the comments.  Try to follow the outlined instructions there (lots of other people have, and it's worked for them)

This is the height of insanity. I wonder how many people just leave because of this one stupid simple operation that is more convoluted than I ever thought possible. I'd love to use JIRA but need a simple way to have users confined to specific projects. I've yet to see (after most of a complete day trying) a step by step on how to accomplish this. Even the first comment here 'go to admin-> roles' Admin where??? What a fucked up system

Atlassian Summit 2018

Meet the community IRL

Atlassian Summit is an excellent opportunity for in-person support, training, and networking.

Learn more
Community showcase
Posted 18 hours ago in New to Jira

Are you planning to trial, or are currently trialling Jira Software? - We want to talk to you!

Hello! I'm Rayen, a product manager at Atlassian. My team and I are working hard to improve the trial experience for Jira Software Cloud. We are interested in   talking to 20 people planning t...

45 views 1 0
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you