Jira permission profiles

Sandor Kocsis April 14, 2017

Dear everyone,

I was asked to create a new Jira project. I created it, but as far as I know I have to create and assign a proper permission profile which will limit the access to this profile, because the default permissions profile allows everyone to access anything in the entire organization. Is this right?

Furthermore, the project owner can invite people to access the project - this is why I don't understand how it should be configured properly.

Thanks, S.

1 answer

0 votes
Nic Brough -Adaptavist-
Community Leader
April 15, 2017

It's a little more complex than that.  You need to look at two things.

First, there is the "permission scheme".  This is a set of rules that says who in your system can do what with a project.  It does not usually refer directly to individuals or groups (it can, but we strongly recommend that you do not do that).  It usually refers to jira-roles and dynamic roles. 

So, if you have a look at the default permission scheme you will find it says things like "Browse: role users", "Log work: role developers" and quite often people will do things with dynamic roles like "Log work: assignee" (which allows the current assignee to log work while it is assigned to them).

The second part of it is to understand the roles.  These are collections of people in the project, either individuals or groups.  You have to look at the project to see this, and yes, this is where a project administrator (often, but not always the "owner") can add and remove users and groups on the project.

In the default permission scheme, you have a rule "Browse: role users".  By default when you create a project, JIRA will drop a group like "jira users" into the role of "users".  The jira users group is usually "everyone who can log in", so the default is to let everyone into the project.

I usually recommend at least changing the default add of any groups into roles (under admin -> groups) so that no-one is added automatically.  Then I usually set the permission scheme so that the "project lead" has "project administration" and then let them choose who they want to add to users, developers and other roles.
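
An added example, not part of the answer above and not Jira's own code: a small Python model of how a permission scheme resolves through project roles and groups to actual users, comparing a project that kept the default group in the "Users" role with one where the role was filled by hand. All group names, usernames and memberships are constructed sample data.

```python
# All names and memberships below are constructed sample data.
GROUPS = {
    "jira-users": {"alice", "bob", "carol", "dave"},  # everyone who can log in
    "team-x": {"alice", "bob"},
}

# Permission scheme: permission -> grants. It names roles and dynamic roles,
# not individuals, so one scheme can be shared by many projects.
SCHEME = {
    "Browse": [("role", "Users")],
    "Log work": [("role", "Developers"), ("dynamic", "assignee")],
    "Administer project": [("dynamic", "project lead")],
}

# Per-project role membership: role -> actors, each ("group" | "user", name).
DEFAULT_PROJECT = {
    "Users": [("group", "jira-users")],  # default member added on creation
    "Developers": [("group", "team-x")],
}
LOCKED_PROJECT = {
    "Users": [("group", "team-x"), ("user", "carol")],
    "Developers": [("group", "team-x")],
}

def role_members(actors, groups):
    """Expand a role's actors into a set of usernames."""
    members = set()
    for kind, name in actors:
        members |= groups.get(name, set()) if kind == "group" else {name}
    return members

def who_can(permission, scheme, roles, groups, dynamic):
    """Resolve one permission to users. `dynamic` maps a dynamic role
    (assignee, project lead) to the user currently holding it."""
    allowed = set()
    for kind, name in scheme.get(permission, []):
        if kind == "role":
            allowed |= role_members(roles.get(name, []), groups)
        elif name in dynamic:
            allowed.add(dynamic[name])
    return allowed

def roles_open_to(group, roles):
    """Roles that contain the given broad group as an actor."""
    return sorted(r for r, actors in roles.items() if ("group", group) in actors)

if __name__ == "__main__":
    ctx = {"assignee": "bob", "project lead": "alice"}
    for label, roles in (("default", DEFAULT_PROJECT), ("locked", LOCKED_PROJECT)):
        print(label, "Browse:", sorted(who_can("Browse", SCHEME, roles, GROUPS, ctx)),
              "| roles holding jira-users:", roles_open_to("jira-users", roles))
```

The same scheme gives very different exposure depending only on what sits in each project's roles, which is why the check worth running across projects is `roles_open_to` for the "everyone who can log in" group.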
