Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

JIRA Software project permission - restrict user access to one project

Nathan Zylbersztejn
Nathan Zylbersztejn April 20, 2018

I know there are questions already answered but I can't get it to work.

I want to grant an external user access to a specific project, without having to change permissions for all other projects.

I created a new group, added this user to this specific group and removed it from the "jira-users-group", and added this user to the project.

But when I log in as this user, I can't access any project.

What can I do from there?

Answer
Watch
Like # people like this
7083 views

6 answers

1 accepted

6 votes
Answer accepted
Claudiu Lionte
Claudiu Lionte
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 18, 2018

Hi Nathan,

Let's assume that you want to give Bob access only to project ABCD and nothing else. I'm afraid there's no simple way to do this without changing the permissions for other projects as well.

Please find below the step-by-step guide. Mainly you will have to create 2 new groups, let's say Internal and External. Add Bob only to the group External and every other user to the group Internal. Then create a new permission scheme that grants permissions to both groups, and modify the Default Software Scheme to remove access given to Any logged in User and provide access only to Internal group. The procedure might seem long, but this is because I have described every step in great detail. The whole thing should take about 30 minutes.

Part 1: Create the 2 groups:

  1. In the bottom left corner of your Jira site, click on the hamburger icon ( ☰ ), then Site Administration  Groups
  2. On the top-right corner, locate and click on Create Group. Name it Internal and add a description. This will be the group where you will have to put all the other users, except for Bob.
  3. Repeat the operation and create the External Group.

Part 2: Give application access to the group External:

  1. On the left-hand side bar, click on Product Access then click on View Configuration at the top-right corner
  2. Under the Jira Software section, click on Add Group and then add the group External

Part 3: Assign all the other users to the group Internal and assign Bob's user to the group External:

  1. On the left-hand side bar, click on Users then click on one user name.
  2. On the right side, locate and click on Add groups.
  3. Type Internal, click on the resulted group and then click Add Group
  4. Repeat this for all the users except for Bob.
  5. Click on the user Bob, and using the same steps as above, add this user to the group External. Remove any other group that this user is part of.

Part 4: Modify the current permission scheme to remove access for any logged-in user and replace that with the group Internal.

  1. Navigate to your Jira's homepage, then click on Settings  Issues  Permission Schemes
  2. Locate the Default Software Scheme and click on Permissions
  3. Look at each permission and locate the ones that include Any logged in user. For each permission that has Any logged in user, do the following:
    1. Click on Remove, tick the box for Application access: Any logged in user and click Remove
    2. At the same permission, click on Edit, tick the box for Group, type Internal and click on the result and then click Grant

Part 5: Create a new permission scheme based on the default one, modify it to include access for group External and assign it to the project ABCD:

  1. Navigate to your Jira's homepage, then click on Settings  Issues  Permission Schemes
  2. Locate the Default Software Scheme and click on Copy
  3. Notice that a new permission scheme called Copy of Default software scheme has been created. Click on Permissions on its right-hand side.
  4. For each permission, click on Edit on the right-hand side, then add the group External

Part 6: Assign the new permission scheme to the project ABCD:

  1. Navigate to the project ABCD, then click on Settings → Permissions
  2. In the top-right corner, locate and click on Actions  Use a different scheme. Choose the new permission scheme (Copy of Default software scheme) and click Associate.

That's it.

View More Comments
Bob_Gifford
Bob_Gifford August 19, 2018

thanks. there is no way I would have figured that out myself. 

A few changes:

- in part 4 section 3, do the grant of the group internal before removing the any logged in user.  it is easier to see where you are in the long list.

- in part 5,section 4 the group is external, not abcd, and it is easier to say add the group to where ever you see the internal group

And, there should be an easier way than to spend lots of time doing all theses steps.

Like Michelangelo Bottura likes this
Johnson Wang
Johnson Wang August 23, 2018

Whoa @Claudiu Lionte this is exactly what I was looking for! I'm sure many others would appreciate the time and attention to detail you put into this step-by-step guide. Thank you so much for doing that. 

It'd be great if your steps were just added to the JIRA official documentation. I know there are lots of repeat questions with the same ask (I just submitted one a few days ago...and only found your answer now).

Like
Johnson Wang
Johnson Wang August 23, 2018

@Nathan Zylbersztejn Did you get the project restrictions to work like you needed? If so, it'd be great for you to "Accept" Claudiu's answer so that it'll be ranked higher in future related searches 👍🏼

Like
Johnson Wang
Johnson Wang August 23, 2018

@Claudiu Lionte Quick question: Is there a reason why you're shying away from granting the Browse Projects permission to Roles, instead of the 2 specific groups?

I imagine that'd make future project admin easier too, but curious to hear your thoughts.

Like
Claudiu Lionte
Claudiu Lionte
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 27, 2018

Hi @Johnson Wang,

There is no technical reason for me to recommend groups over project roles. In fact, it is, indeed, best-practice to use project roles instead of user groups.

The reason why I created this procedure using groups instead of roles is simplicity, as project roles will add a separate level of complexity and, especially for admins new to Jira, might create more confusion. 

 

@Bob_Gifford Thank you, I will edit my answer to correct the small mistakes that you spotted.

Like
Manoj Upreti
Manoj Upreti September 1, 2018

Very helpful. Thanks for posting this answer.

Like
Manthan
Manthan November 30, 2018

@Claudiu Lionte Umm.. I think i still have an issue.. Still external user can see all my other projects, any help would be appreciated on this please? 

Like
Joe Pitt
Joe Pitt
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
November 30, 2018

They are being allowed in with the permission scheme. You need to look at the permission schemes to see if they belong to ANY group that is getting permission. As I I and others have stated, by default JIRA puts the jira-users group access (depending on release the group may have a different name). The best way to control access is to remove ALL groups from the permission scheme and use project roles. The project admin controls membership in the roles so there won't be any surprises in accessing the project. By using roles you can have one permission scheme for all projects. 

Like
Manthan
Manthan November 30, 2018

 

Thanks @Joe Pitt & @Claudiu Lionte, probably I will try again to follow all steps, not sure where I am making mistakes. but anyway this was very useful. I will try again and see where I missed..

Like
Reply
0 votes
Pradeep Verma
Pradeep Verma September 21, 2020

Thanks for the support. It helped me a lot but it is not 100% correct.

Part 5, Section 4 should be done only for specific access only otherwise client will get access to every feature in your project.

Reply
0 votes
Claudiu Lionte
Claudiu Lionte
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 6, 2019

I have written a separate article on how to give a user permission to only one project:

https://community.atlassian.com/t5/New-to-Jira-articles/How-to-give-a-user-read-only-access-to-a-single-project-and/ba-p/1010143

This new approach uses project roles instead of groups and is considered best-practice (as Johnson noticed). It is just a bit more difficult to implement initially, but it has the advantage that it scales well and once implemented you can easily add another person to a separate project. 

The most common scenario for this is when you want to give access to your customers to their projects, and one customer must only see their own project.

View More Comments
Hung Nguyen
Hung Nguyen March 6, 2019

Doesn't this require any change to Application level group permission (by default include only jira-users) ?

I asked that because even after I add a (external) user to client group, he/she still has to be in jira-users, hence by default will see all existing projects that have jira-users in the User role (which is included by default)

Like
Reply
0 votes
Hung Nguyen
Hung Nguyen October 22, 2018

The instruction is really helpful. Thanks for doing that. I still have some questions:

1- Why do we have to create Internal group? Can't we just use jira-users as Internal group, take Bob out of this group, and add him to External group, does it suffice? 

2- If we give External group access to JIRA App, but in the project that we want Bob to access, we just grant Bob's account directly into the special permission scheme for that project, I guess that it still works (even though I know it's a maintenance issue to track individual accounts in the permission scheme, but technically it should work). Is that correct?

View More Comments
Joe Pitt
Joe Pitt
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
October 22, 2018

The basic problem with using the jira-users group in any permission scheme is it is ever changing. Whenever a user gets an id they are automatically added to all groups that have logon rights. The best way to get control over who can access what is to use project roles. It gives the best granularity and allows project admins to allow only those users to have access that should. It is the standard best practice security model. Since all project roles are universal and appear in all projects one permission scheme can be used across all projects. 

Like
Hung Nguyen
Hung Nguyen October 22, 2018

Hi Joe, You are totally right with the project roles argument here. So no question about it.

The question #1 here is just for Part 1 of the instruction above, to understand better the need to replace default jira-users (where all users are in) by Internal group. I hope that I don't need to create Internal group, and just use jira-users for all users except Bob. It will simplify the changes we need to make to all the permission schemes which used jira-users group before.

Like
Joe Pitt
Joe Pitt
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
October 22, 2018

You don't want to create an internal group. You want to stop using groups in permission schemes and convert to project roles.  You can add the project roles and convert over a period of weeks project by project. JIRA admins need to administer groups. Project admins add/delete users from project roles. 

Like
Hung Nguyen
Hung Nguyen October 22, 2018

You are right again. Sorry, for the confusion.

I don't use group in permission schemes, but I have to grant jira-users group the Users Project role (and/or other roles) for every project in the Project configurations, (not in the permission scheme). 

Let me rephrase my question by rewriting the instruction above by a simpler steps here and hope that someone would tell me if it still works, or not:

Part 1: Create the 1 new group called External:

  1. In the bottom left corner of your Jira site, click on the hamburger icon ( ☰ ), then Site Administration  Groups
  2. On the top-right corner, locate and click on Create Group. Name it External and add a description. This will be the group where you will have to put restricted users like Bob.

Part 2: Give application access to the group External:

  1. On the left-hand side bar, click on Product Access then click on View Configuration at the top-right corner
  2. Under the Jira Software section, click on Add Group and then add the group External

Part 3: Assign Bob's user to the group External:, and take Bob out of jira-users group

  1. On the left-hand side bar, click on Users then find Bob's user account
  2. Click on the user Bob, add this user to the group External. And remove Bob out of jira-users group.

Part 4: Add Bob to the appropriate Project Roles of the only project, AAA, which he needs access

  1. Navigate to your Jira's homepage, then click on Settings  Projects
  2. Click on the project AAA
  3. Locate and click on the Users and roles on the left side bar 
  4. Click on Add users to a role on the top-right corner, then add Bob to the appropriate roles there

Assuming that all the projects are currently working as expected prior to Part 1. Then can I use the instruction above to just give Bob access?

And if there additional users like Bob in the future, I can just following Part 3 and Part 4 for them. Does it work?

Like
Hung Nguyen
Hung Nguyen October 22, 2018

I think I missed the first step to ensure NO permission scheme allow 'any logged in user'. This must be made, before my steps above hold:

Part 0: Modify the current permission scheme to remove access for any logged-in user and replace that with the group jira-users.

  1. Navigate to your Jira's homepage, then click on Settings  Issues  Permission Schemes
  2. Locate the Default Software Scheme and click on Permissions
  3. Look at each permission and locate the ones that include Any logged in user. For each permission that has Any logged in user, do the following:
    1. Click on Remove, tick the box for Application access: Any logged in user and click Remove
    2. At the same permission, click on Edit, tick the box for Group, type jira-users and click on the result and then click Grant
Like
Joe Pitt
Joe Pitt
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
October 23, 2018

I think the cloud is setup a differently than the server version. The jira-users group contains all the users so by granting it access you grant everyone access. The point I'm trying to make is to stop using any group allowing login access from permission schemes. The cloud may work differently, but any time a user is added they are automatically added to all groups, except admin, that allows login access. Almost anyone using groups in permission schemes will eventually have a problem restricting access. 

Like
Reply
0 votes
Joe Pitt
Joe Pitt
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
April 21, 2018

JIRA works by GRANTING access. You can't restrict access. By default it grants access to the group used to logon (used to be jira-users but may be different on your version).  This is probably where you're getting the access from.

The FIRST thing you need to do to get control is to remove any groups with logon privileges from the permission scheme unless you absolutely want everyone to have that permission.  Then I suggest you setup user roles for the various functions like, tester, QA, Browse Only, etc. Then you can create one permission scheme to cover almost all projects. The project admin controls which users are put in the roles.  This may be a big effort, but it will payoff down the road by making it easy to control access. 

Reply
0 votes
Mikael Sandberg
Mikael Sandberg
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
April 20, 2018

You need to configure the permission scheme for the project you want the user to access. Take a look at Permissions overview, it explains how the different permissions and how a user is assigned to them.

View More Comments
Nathan Zylbersztejn
Nathan Zylbersztejn April 21, 2018

Thank you Mikael. The link explains concepts but not how to do the simple thing i need.

I created a new permission scheme, added this project to the permissions scheme and removed it from the default one. Created a group,  add an external user to this group, and added browse and manage project permissions for that group to the scheme

When I log in as this user, I can see all projects but the one he's supposed to have access to... What am I missing?

Like
mschonarthatlassian
mschonarthatlassian
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 24, 2018

Ni Nathan,

If you need more help on this, I've created a new KB with a step-by-step in the New Interface of Jira Cloud to better illustrate them, so I'd recommend you to check it out!

How to restrict project access for Teams in Jira Cloud

Please, let me know what you think!

Cheers

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events