I want to allow only certain groups to Create issues in JIRA

I restricted all users except two groups who can create new issues but Create Issues shows up for all users and when they create a new Issue JIRA automatically assign a number and put in the database but does not allow that group to submit it. The message is displayed that you are not allowed to submit new issues.

I want to restrict it completely so JIRA does not assign a number for those issues. How I can do that?

2 answers

1 accepted

Accepted Answer
1 vote

How are you "restricting all users"? That sounds utterly wrong to me because if you've done it the correct way, with the permission schemes, your users simply would not see "create new issue" for the project(s) they're blocked from, and they certainly wouldn't "get a number"

See https://confluence.atlassian.com/display/JIRA/Managing+Project+Permissions

Yes I am doing through permission scheme. I specified which two groups can create a new issues. But all other Groups can do their function as well like tranisitioning to other steps. When other Groups log on, they see the Create butoon on Dashboard and they can create the issue but when they submit they get an error message that they don't have permission but a record is created and put in the database

That does not make any sense to me. If you have got the permissions set correctly, then your users will not be able to start issue creation. It sounds like you've set it up so everyone can still create issues, and then you're blocking creation some other way.

As for performing other transitions - check the workflow for "condtions".

Could you post the line in the permission scheme that says "create issue" - show us what you have on the right - the list of groups and roles that have create permission.

Here is my permission scheme to Create Issues:

Create Issues
Ability to create issues.
  • Project Role (R2V Assigned Engineer) (Delete)
  • Group (jira-administrators) (Delete)
  • Group (R2V-Assigned-Engineer) (Delete)
  • Project Role (R2V CM) (Delete)

Here is my permission to Assign Issues:

Assign Issues
Ability to assign issues to other people.
  • Project Role (R2V Assigned Engineer) (Delete)
  • Project Role (R2V CM) (Delete)
  • Project Role (R2V Engineering Supervisor) (Delete)
  • Project Role (R2V Manufacturing Engineer) (Delete)
  • Project Role (R2V Program Manager) (Delete)
  • Project Role (R2V Quality Engineer) (Delete)
  • Project Role (R2V Reliability Engineer) (Delete)
  • Project Role (R2V Software Librarian) (Delete)
  • Project Role (R2V Test Engineer) (Delete)
  • Group (R2V-Users) (Delete

Here is my workflow:

<th>
Open (1) Open Open Submit (281)
>> Submit
Submit (2) R2V Accepted R2V Accepted Accept (21)
>> R2V_ES
Reject (71)
>> Open
R2V_ES (3) R2V ES R2V ES RE (81)
>> R2V_RE
ME (91)
>> R2V_ME
QE (101)
>> R2V_QE
PM (111)
>> R2V_PM
Reject (121)
>> Open
R2V_RE (4) R2V RE R2V RE ME (131)
>> R2V_ME
QE (141)
>> R2V_QE
PM (151)
>> R2V_PM
Reject (161)
>> Open
R2V_ME (5) R2V ME R2V ME QE (171)
>> R2V_QE
PM (181)
>> R2V_PM
Reject (191)
>> Open
R2V_QE (6) R2V QE R2V QE PM (201)
>> R2V_PM
Reject (211)
>> Open
R2V_PM (7) R2V PM R2V PM Accept (221)
>> R2V_SL
Reject (231)
>> Open
R2V_SL (8) R2V Resolved R2V Resolved Reject (251)
>> Open
Accept (271)
>> R2V_CM
R2V_CM (9) R2V CM R2V CM Closed (261)
>> R2V_Closed
R2V_Closed (10) R2V Closed R2V Closed

The accoount I am using to create a new issue is R2V Test Engineer.

The problem I see is my workflow does not start with Creating an Issue so it does not check any restrictions I think when issue is created. What do you think about it? Does it make sense? How I can restrict the creation of new issue through the workflow? When Create button is clicked it did bring the Create Issue Screen to the user who completes the form. Then when Submit tranisition take place it checks the permission and refuse it but the record is already created prior to that.

Ok, that's good. There's three separate things here.

First, on with the debugging for create. You've limited create issue to four sets of people. Two are simple groups, the other two are roles. Pick a single user who should NOT be able to create an issue and look at how that user is used. Check that they are NOT in either group, then check that they are not nominated in either of the roles mentioned, and then check if they are in any groups that are in any roles.

Second, you need to look at each transition in your workflow. Look at the "conditions". These will explain why users can perform transitions (if there are no conditions on a transition, then anyone can do it)

Third, let's step back from your guesses about creation and workflows. The create transition IS part of the workflow. You can find it by clicking the "open" step on your workflow and looking for a transition into it - you will find "create" there. However, the permission to create an issue is NOT done in the workflow, it happens before, in the permissions.

The fact you can get to a create screen, but not complete the creation tells me that your users DO have create permission in the project, but then something else is blocking it later. Probably a validator or a fault in a post-function. You can check those if you open the transition link I mentioned above.

I want to thank you for your help but it is still the same. I took your advice and created a brand new user just to try out and as you mentioned that user does not belong to R2V Assigned Engineer and R2V CM. Also she does not belong to either of those roles.

I looked at the "Open" step and looked at the "Create" transition. First of all it does not "Conditions", it has only "Validators" and "Post Functions". I added a validator restrict users with only create permission can execute this step but it did not do anything.

I guess my permission scheme somehow is not working? What could go wrong in there? How the permission scheme takes effect on a project?

Create new issue works perfectly but only thing it does not restrict people I want to restrict on. The part does not work on my "Submit" tranisition, I restrict people with only Create permission condition and which take effect when he/she submit and goes for that transition it gives an error message.

Why there is no "Condition" exists on "Create" transition that is hidden?

>Also she does not belong to either of those roles.

Ok, you checked groups and roles, but you have not said if you have checked the GROUPS in the ROLES. To clarify all of this, could you go into the project and look at the users section. Tell us what all three columns say in there (obviously, obscure names of individuals if you've got security worries). I'd also like to see the full list of groups your user belongs to.

>I looked at the "Open" step and looked at the "Create" transition. First of all it does not "Conditions", it has only "Validators" and "Post Functions".

Yes, that's what I was pointing you to - the whole point is that Create does NOT have conditions. The right to create issues is controlled by the create-issue-permission.

ALL the other transitions allow conditions, and that seems to be what you are missing - you need conditions like "user must be in role X" to prevent these other transitions from being done

>I added a validator restrict users with only create permission can execute this step but it did not do anything.

This is actually what could be causing the problems you are seeing after a user starts creating the issue. Your permission scheme is broken for some reason, so they can get in, but then this validator would block them when they submit.

If we can get your permissions right, then you won't need to worry about the second part at all, Jira will work as designed.

<th width="25%">
Uncategorized Projects
Launcher Development Program Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off On (jira-users)
Software Release to Vault (R2V) Off Off Off Off On (jira-users) Off On (jira-users) On (jira-users) On (jira-users) On (jira-users) On (jira-users) On (jira-users) On (jira-users) Off On (R2V-Test Engineer, jira-users) Off On (jira-users)

I did not get the part you are talking about Groups in the role. I have almost one to one correspondence between groups and roles. Is there a way I can call you? Are you in the USA?

I deleted the Project Roles from creating a new Issue and thats took care of my problem. So I have to find out more about project rolse works and use that.

Thank you very much for your help.

I think you found it then - the problem seems to be that although your permission scheme is fine for individual users, you had not accounted for putting groups into roles as well.

The idea there is that groups are global. As a user, I belong to groups A, B and C. You can use groups directly in a permission scheme (so, if you say "group A can create", then I get create rights). You can then put users into a project, if the permission scheme says so. Let's say scheme says "people in the role of "Penguin" can create issues". I would get create rights as soon as you added me to the role of "Penguin". The missing part, if I have read correctly, is that you put "group C" into the role of "Penguin" as well. As I'm in group C, I get the role of Penguin, and can hence create issues...

This issue is closed now.

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Tuesday in Jira

Looking for anyone who made the switch to Data Center

The Jira Marketing team is putting together an ebook on migrating to Data Center. We're looking for pro tips on how you staffed your project team and organized your Proof of Concept. Share yo...

44 views 0 2
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you