Limit/Restrict User Browsing

Is it possible to limit user browsing so that a user only can see other users which are in the same group or in a configurable group/groups? We do not want to grant the "Browse Users" global permission so that every user can see every other user for @ mentioning. But without the "Browse Users" global permission the mentioning doesn't work

4 answers

1 accepted

Accepted Answer
0 votes

No, you can't limit the group visibility to "same as me"

Atlassian have not even tried to implement it.  It is a bit of a pain for certain cases, but there's massive logical problems with implementing it.  Off the top of my head:

  • The default in JIRA is to have a group for "user can log in".  All (active) users are in it.  So if you were to implement something to do that, everyone would be able to see everyone else because they can all log in.
  • If you split all the groups down, you make a massive group maintenance headache for yourself - you have to micromanage every single group, even to the point of adding a new user meaning you have to go in and remove them from all the default groups
  • You make it almost impossible to manage projects accurately (unless every project is strictly limited to a specific set of groups) because your user fields have two layers of logic in them.  For example, assignee = role X, and then "is in same group as me".  Then you start getting questions like "Why can Alice assign the issue to Bob, but I can't?  Even though I can assign it to Charlie?"
  • User permissions and group management is already a big performance drag on JIRA.  Limiting it more means more load and it's entirely conceivable that you'd cause more performance problems.

    I'm sure there's more.
0 votes
Joe Pitt Community Champion Apr 29, 2016

Sort of. You can apply security schemes to issues that limit access. You can setup a default security scheme. Check out https://confluence.atlassian.com/jira/configuring-issue-level-security-185729623.html to start.

It would make a lot of sense to move permission to "Browse users and groups" from the global scope to the project level.

As a project team member, I want to browse only people from my projects instead of the entire directory or users and groups.

I'm afraid that is a non-starter.  Working out "who is in my project" becomes exponentially difficult because of Jira's flexibility, and, quite often, people are using mentions because they want to draw in someone who is not "in the project".

I would like something that skips groups and uses its own rules.  I should be able to group users into silos and people can only see people in their silo.  With the option to make any silos globally available if necessary (e.g. everyone can see the support team silo, even when they're not a support person)

Jira does the "is user on project" check already when deciding to show or not the project in the dashboard and elsewhere.

No, it does not.

It checks if a user has view issue, and create issue.  Project "users" can be a lot more complex than that.  Those are relatively simple checks, optimised, nothing to do with other users, and are absolutely not "is user on project" checks.

Maybe I don't fully understand this, but when a user opens the dashboard, or the list of Projects, there is a check for what projects their see. Surely this trickles down to each project's People (and Groups) list. So it's not that crazy. 

But, again, I may be seeing things. 

No, it's not that simple.  It checks view access.  Which is NOT the same as "person in the project".

This is critical security breach! Why it is still not fixed??!

I don't think you understand what the problem is.  There's no security breach, just something that's painful to implement and not a lot of use to most people.

Are you saying that not many people need to restrict one project's information (including it's users) from other project users?

I believe it is a base requirement if you have more than one client.

Yes and no.

I'm saying that there is no need to restrict users, you should be talking about what you allow them to do.  And yes, it's complex and painful to do this by project.

If you're worried about users seeing each other, you currently have to turn off "browse users" as a global option.

Displaying information that belongs to other client to everybody it is huge security breach in JIRA.

And turning off Browse user will make Jira quite unusable - so this is not a valid option :-(

Actually, both of those are very minor points, especially in a tool that is explicitly built for collaboration.

If collaboration is justification for this defect then then why JIRA has roles and permissions??? ;-))) Let's collaborate everybody with everybody

What about NDAs and other information security restrictions that exist on the projects?

JIRA should allow for collaborators to see only what they are allowed to see.

I still don't think you've got it.  Jira does support that.  You're not looking at it right.

Please, go read the accepted answer again

It is a bit weird that even if you use custom permission scheme, and lets say give a specific group of external users (client) specific permission to Manage Watchers and View Voters and Watchers, they still can't do that because global permission says only our internal groups can browse users.

Like a bunch of others in the community, our clients must not see a list of all JIRA users, but they should be able to see/mention/add to watchers users who are specifically assigned to that project like how it works for Assign a user.

Sorry for reopening this, but I am desperately trying to find a solution, it still evades me.

I have the same issue. We have JIRA Core deployed and need to be able to restrict who can view/browse a project due to the sensitive nature of the work.

This thread is not about who can see projects, its about who can see the user lists.

Sorry, belted "send" too soon on that, and then went into a tunnel with no reception.  Here's what I should have said before posting:

 

Jira does not restrict, it only grants permissions at the project level (issue security is a different story).

In theory, this is really simple, because all you have to do is set the permissions so that "users matching a rule can see the issue".  That grants permission.  It is often by saying something simple like "users in the role of 'user' in the project can see it", and then putting the users (or groups) you want into that role in the project.

But.

Jira ships with some terrible defaults which automatically grant access to anyone with a login, and before you can use the simple, sane and reasonably intuitive rule above, you have to unpick these dreadful defaults, so that you can actually do it.

There's a good guide to it over at https://community.atlassian.com/t5/Jira-questions/JIRA-Software-project-permission-restrict-user-access-to-one/qaq-p/779572

Thanks Nic...sorry about posting in wrong topic thread. I will heck out the link.

No apology is needed on your side - I'm happy that you found a thread that looked related and you asked.  This conversation is messy and unclear (unintentionally of course), and it's better that you asked and got a pointer, than stayed quiet and got nothing.

On my side, an apology was the right thing - my accidentally shortened post was terse and grumpy-looking and gave no useful guidance.  It wasn't what I wanted to leave you with, and I'm hoping the correction was better!

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Sep 18, 2018 in Jira

What modern development practices are at the heart of how your team delivers software?

Hey Community mates! Claire here from the Software Product Marketing team. We all know software development changes rapidly, and it's often tough to keep up. But from our research, we've found the h...

24,293 views 2 7
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you