Project permissions

Thomas Capacci April 14, 2019

Hi,

I want to create independent projects for different teams, so members of Software1's team cannot see project issues in Software2 team's project.

What is the best way to do so?

I have created my first test project but when I want to add people, I only have the option to grant them the administrator role.

2 answers

1 accepted

2 votes
Answer accepted
Joe Pitt
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
April 14, 2019

First, by default JIRA has a horrible permission scheme that violates security best practices by allowing everyone that can log on to do just about everything.

JIRA works by GRANTING access. You can't restrict access. By default, it grants access to the group used to log on (see Global permissions to see the "can use" groups and admin groups). This is where users are getting their access.

1. The FIRST thing you need to do to get control is to remove any groups with logon privileges from the permission scheme unless you absolutely want everyone to have that permission.
2. Then I suggest you set up Project Roles for the various functions like tester, QA, Browse Only, etc.
3. By using project roles, one permission scheme will cover all projects. The project admin controls project role membership.
4. If the project leads want everyone that can log on to have access to the project, they can add the logon group to a project role with the desired permissions.

This may be a big effort, but it will pay off down the road by making it easy to control access.

Most of the 'old timers' use project roles. It meets the best practice for security and gives complete control to the project lead for access to their project. JIRA comes with many project roles, but you can add more if you have a special need.

Thomas Capacci April 14, 2019

Thanks Joseph, 

Sounds tedious at first but as you said in the long run I guess I'll be glad to do it.

When I look at the scheme, there is the Default Permission Scheme and the Default software scheme.

I created two scrum projects and they all inherited the Default software scheme.

So would you advise to change both default software scheme to remove all the default permissions assigned to "Any logged in user", then use Project Roles to grant access in Projects permissions

OR

Create a new scheme for my projects?

Joe Pitt
Community Leader
April 14, 2019

Get rid of the any logged in user from all permission schemes. This is the 'root of all evil' when it comes to controlling who can see what. As I said, once you start using project roles the project admin can control who can do what in their project. The added benefit is you only need one permission scheme. If you want to 'archive' a project simply remove everyone from all roles.

I'm not familiar with software schemes. That may be a cloud setting. I've always used the server version.

Thomas Capacci April 14, 2019

So this is what I did for a test project:

- created the project "IT Support" and set myself as project lead

- created a new permission scheme

- created a project role called IT Support Members

- added the Project Role to my new permission scheme with the permissions I want every member of the group to have

- applied the permission scheme to my project

The thing in our case is that we will need to create a new permission scheme per project, as each project will generally be assigned to different teams (teams spread across different companies) so we really want access isolation between projects.

Joe Pitt
Community Leader
April 15, 2019

That is the beauty of project roles. The roles are universal, but not the membership. Unless you add default users to the project roles every project begins with a blank slate. The project admin adds the users they want to have the permissions. They can also add groups if that is how you want to group users. Project roles should be functionally generic. For instance I use Team Member as a project role and in the permission scheme that role has browse, create, edit, add attachment, etc. needed to work in the project. Only users needing to work in the project are assigned the Team Member role. I have a role Management; they are only assigned the Browse permission. That would be for anyone needing to browse, but not perform any real work in the project. Depending on the size of your company the personal assistants of managers may be assigned that role so they can run reports. If you need multiple permission schemes you aren't using project roles correctly.

Thomas Capacci April 15, 2019

> If you need multiple permission schemes you aren't using project roles correctly.

Sorry I am missing something...please be patient with me :)

How can I use the same permission scheme while I make sure that members of "Project role1" can edit "Project1" -only- while members of "Project role2" can edit Project2 only?

If I give the "Project role 1 and 2" edit rights (in the permission scheme), this permission scheme will be applied to both projects, so all members whether they are members of 1 or 2 will be able to edit.

Thomas Capacci April 15, 2019

@Joe Pitt 

I think I finally understood what you told me.

Project roles begin with a blank state, now I get it.

Then inside my projects I can choose who's a member of the group on the project level, now it makes sense and that's indeed pretty cool.

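The setup described in the accepted answer above (one permission scheme that grants permissions to project roles, with role membership set per project), as a simplified model. This is an added example, not part of the original thread and not Jira's own code; the project keys, users and the `jira-users` logon group name are constructed.

```python
# Simplified model of the single-scheme / project-role setup (not Jira's code).
# All names below (projects, users, roles, groups) are constructed samples.
ANY_LOGGED_IN = ("group", "jira-users")  # assumed name of the logon group

# One shared permission scheme: permission -> set of grant holders.
SCHEME = {
    "BROWSE": {("role", "Team Member"), ("role", "Management")},
    "CREATE": {("role", "Team Member")},
    "EDIT": {("role", "Team Member")},
}

# Role membership is per project; every project starts empty.
PROJECTS = {
    "SW1": {"Team Member": {"alice"}, "Management": {"carol"}},
    "SW2": {"Team Member": {"bob"}, "Management": set()},
    "OLD": {"Team Member": set(), "Management": set()},  # "archived"
}

GROUPS = {"jira-users": {"alice", "bob", "carol"}}


def has_permission(user, project, permission, scheme=SCHEME):
    """True if any grant in the scheme resolves to this user in this project."""
    for kind, name in scheme.get(permission, ()):
        if kind == "role" and user in PROJECTS[project].get(name, ()):
            return True
        if kind == "group" and user in GROUPS.get(name, ()):
            return True
    return False


def visible_projects(user, scheme=SCHEME):
    """Projects the user can browse under the given scheme."""
    return sorted(p for p in PROJECTS if has_permission(user, p, "BROWSE", scheme))


def logon_group_grants(scheme=SCHEME):
    """Audit: permissions still granted to the logon group."""
    return sorted(perm for perm, holders in scheme.items() if ANY_LOGGED_IN in holders)


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, visible_projects(u))
    # Same scheme with the default-style logon-group grant left in place.
    leaky = {**SCHEME, "BROWSE": SCHEME["BROWSE"] | {ANY_LOGGED_IN}}
    print("leaky scheme:", logon_group_grants(leaky), visible_projects("bob", leaky))
```

The same scheme applies to every project, yet each user only sees the projects where a project admin has placed them in a role; leaving the logon group in the scheme makes every project visible again.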
1 vote
Ollie Guan
Community Leader
April 14, 2019
Thomas Capacci April 14, 2019

Once the project role is defined, what should I do?

By default all Jira users have access to all projects, how can I force only Project role group members to access defined projects?
