I want to allow only certain groups to Create issues in JIRA

Sukanta Datta April 1, 2013

I restricted all users except two groups who can create new issues but Create Issues shows up for all users and when they create a new Issue JIRA automatically assign a number and put in the database but does not allow that group to submit it. The message is displayed that you are not allowed to submit new issues.

I want to restrict it completely so JIRA does not assign a number for those issues. How I can do that?

2 answers

1 accepted

2 votes
Answer accepted
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
April 2, 2013

How are you "restricting all users"? That sounds utterly wrong to me because if you've done it the correct way, with the permission schemes, your users simply would not see "create new issue" for the project(s) they're blocked from, and they certainly wouldn't "get a number"

See https://confluence.atlassian.com/display/JIRA/Managing+Project+Permissions

Sukanta Datta April 2, 2013

Yes I am doing through permission scheme. I specified which two groups can create a new issues. But all other Groups can do their function as well like tranisitioning to other steps. When other Groups log on, they see the Create butoon on Dashboard and they can create the issue but when they submit they get an error message that they don't have permission but a record is created and put in the database

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
April 2, 2013

That does not make any sense to me. If you have got the permissions set correctly, then your users will not be able to start issue creation. It sounds like you've set it up so everyone can still create issues, and then you're blocking creation some other way.

As for performing other transitions - check the workflow for "condtions".

Could you post the line in the permission scheme that says "create issue" - show us what you have on the right - the list of groups and roles that have create permission.

Sukanta Datta April 2, 2013

Here is my permission scheme to Create Issues:

Create Issues
Ability to create issues.
  • Project Role (R2V Assigned Engineer) (Delete)
  • Group (jira-administrators) (Delete)
  • Group (R2V-Assigned-Engineer) (Delete)
  • Project Role (R2V CM) (Delete)

Here is my permission to Assign Issues:

Assign Issues
Ability to assign issues to other people.
  • Project Role (R2V Assigned Engineer) (Delete)
  • Project Role (R2V CM) (Delete)
  • Project Role (R2V Engineering Supervisor) (Delete)
  • Project Role (R2V Manufacturing Engineer) (Delete)
  • Project Role (R2V Program Manager) (Delete)
  • Project Role (R2V Quality Engineer) (Delete)
  • Project Role (R2V Reliability Engineer) (Delete)
  • Project Role (R2V Software Librarian) (Delete)
  • Project Role (R2V Test Engineer) (Delete)
  • Group (R2V-Users) (Delete

Here is my workflow:

<th>
Open (1) Open Open Submit (281)
>> Submit
Submit (2) R2V Accepted R2V Accepted Accept (21)
>> R2V_ES
Reject (71)
>> Open
R2V_ES (3) R2V ES R2V ES RE (81)
>> R2V_RE
ME (91)
>> R2V_ME
QE (101)
>> R2V_QE
PM (111)
>> R2V_PM
Reject (121)
>> Open
R2V_RE (4) R2V RE R2V RE ME (131)
>> R2V_ME
QE (141)
>> R2V_QE
PM (151)
>> R2V_PM
Reject (161)
>> Open
R2V_ME (5) R2V ME R2V ME QE (171)
>> R2V_QE
PM (181)
>> R2V_PM
Reject (191)
>> Open
R2V_QE (6) R2V QE R2V QE PM (201)
>> R2V_PM
Reject (211)
>> Open
R2V_PM (7) R2V PM R2V PM Accept (221)
>> R2V_SL
Reject (231)
>> Open
R2V_SL (8) R2V Resolved R2V Resolved Reject (251)
>> Open
Accept (271)
>> R2V_CM
R2V_CM (9) R2V CM R2V CM Closed (261)
>> R2V_Closed
R2V_Closed (10) R2V Closed R2V Closed

The accoount I am using to create a new issue is R2V Test Engineer.

Sukanta Datta April 2, 2013

The problem I see is my workflow does not start with Creating an Issue so it does not check any restrictions I think when issue is created. What do you think about it? Does it make sense? How I can restrict the creation of new issue through the workflow? When Create button is clicked it did bring the Create Issue Screen to the user who completes the form. Then when Submit tranisition take place it checks the permission and refuse it but the record is already created prior to that.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
April 2, 2013

Ok, that's good. There's three separate things here.

First, on with the debugging for create. You've limited create issue to four sets of people. Two are simple groups, the other two are roles. Pick a single user who should NOT be able to create an issue and look at how that user is used. Check that they are NOT in either group, then check that they are not nominated in either of the roles mentioned, and then check if they are in any groups that are in any roles.

Second, you need to look at each transition in your workflow. Look at the "conditions". These will explain why users can perform transitions (if there are no conditions on a transition, then anyone can do it)

Third, let's step back from your guesses about creation and workflows. The create transition IS part of the workflow. You can find it by clicking the "open" step on your workflow and looking for a transition into it - you will find "create" there. However, the permission to create an issue is NOT done in the workflow, it happens before, in the permissions.

The fact you can get to a create screen, but not complete the creation tells me that your users DO have create permission in the project, but then something else is blocking it later. Probably a validator or a fault in a post-function. You can check those if you open the transition link I mentioned above.

Sukanta Datta April 2, 2013

I want to thank you for your help but it is still the same. I took your advice and created a brand new user just to try out and as you mentioned that user does not belong to R2V Assigned Engineer and R2V CM. Also she does not belong to either of those roles.

I looked at the "Open" step and looked at the "Create" transition. First of all it does not "Conditions", it has only "Validators" and "Post Functions". I added a validator restrict users with only create permission can execute this step but it did not do anything.

I guess my permission scheme somehow is not working? What could go wrong in there? How the permission scheme takes effect on a project?

Create new issue works perfectly but only thing it does not restrict people I want to restrict on. The part does not work on my "Submit" tranisition, I restrict people with only Create permission condition and which take effect when he/she submit and goes for that transition it gives an error message.

Why there is no "Condition" exists on "Create" transition that is hidden?

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
April 2, 2013

>Also she does not belong to either of those roles.

Ok, you checked groups and roles, but you have not said if you have checked the GROUPS in the ROLES. To clarify all of this, could you go into the project and look at the users section. Tell us what all three columns say in there (obviously, obscure names of individuals if you've got security worries). I'd also like to see the full list of groups your user belongs to.

>I looked at the "Open" step and looked at the "Create" transition. First of all it does not "Conditions", it has only "Validators" and "Post Functions".

Yes, that's what I was pointing you to - the whole point is that Create does NOT have conditions. The right to create issues is controlled by the create-issue-permission.

ALL the other transitions allow conditions, and that seems to be what you are missing - you need conditions like "user must be in role X" to prevent these other transitions from being done

>I added a validator restrict users with only create permission can execute this step but it did not do anything.

This is actually what could be causing the problems you are seeing after a user starts creating the issue. Your permission scheme is broken for some reason, so they can get in, but then this validator would block them when they submit.

If we can get your permissions right, then you won't need to worry about the second part at all, Jira will work as designed.

Sukanta Datta April 2, 2013
<th width="25%">
Uncategorized Projects
Launcher Development Program Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off Off On (jira-users)
Software Release to Vault (R2V) Off Off Off Off On (jira-users) Off On (jira-users) On (jira-users) On (jira-users) On (jira-users) On (jira-users) On (jira-users) On (jira-users) Off On (R2V-Test Engineer, jira-users) Off On (jira-users)

I did not get the part you are talking about Groups in the role. I have almost one to one correspondence between groups and roles. Is there a way I can call you? Are you in the USA?

Sukanta Datta April 2, 2013

I deleted the Project Roles from creating a new Issue and thats took care of my problem. So I have to find out more about project rolse works and use that.

Thank you very much for your help.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
April 2, 2013

I think you found it then - the problem seems to be that although your permission scheme is fine for individual users, you had not accounted for putting groups into roles as well.

The idea there is that groups are global. As a user, I belong to groups A, B and C. You can use groups directly in a permission scheme (so, if you say "group A can create", then I get create rights). You can then put users into a project, if the permission scheme says so. Let's say scheme says "people in the role of "Penguin" can create issues". I would get create rights as soon as you added me to the role of "Penguin". The missing part, if I have read correctly, is that you put "group C" into the role of "Penguin" as well. As I'm in group C, I get the role of Penguin, and can hence create issues...

0 votes
Sukanta Datta April 7, 2013

This issue is closed now.

Suggest an answer

Log in or Sign up to answer