We have created a new permission scheme and are in the process of migrating all of our projects to it. We have project roles set up to make it easier to manage permissions on each project. Part of this scheme is application access (any logged in user) being able to browse our projects. This is something our senior management level requested. Until now, this hasn't caused us any issues.
However, we have a request for some external contractors to have access and work in a particular project. I am trying to figure out how we can set up permissions so the contractors only can see/work in this 1 project.
Whenever we add a new employee to our active directory, they automatically get added to the default access group called 'confluence-users' and when we add this person to Jira, they automatically get added to the default access group "jira-software-users". It is my understanding that being in those 2 default groups is what the application access (any logged in user) is pulling from.
Looking for some ideas on what we can do other than removing the application access from our permission scheme. Thank you!
Any logged in user is just that - any user that is currently logged in. It is not associated w/ the default roles. So wherever this is used within a project permission scheme any user that is logged in will have those permissions. The default roles are defined here - admin > user management > site settings > product access
Hi @Sonya Petkunas,
@Jack is correct. It is because of your exact use case that I have now taken a firm stance to separate application access from project permissions.
I generally use a generic group such as jira-users or jira-software-users that are assigned to application access and aren't used anywhere else.
Then I have additional groups set up in project roles for permissions.
I don't think you are going to be able to solve this one without removing the "application access" from the permissions schemes.
I get what you are saying.. and jira-software-users (default access group) is listed under this product access..
Would you think my course of action would be to add these external users in Jira to a different group that is not under product access and them not be in the jira-software-users default group? Seems like that would give me what I want w/o removing the application access from my permission scheme. I guess my only question is when we add a user, do they have to be in the jira-software-users default group?
@Jack @Jimmy Seddon Something else I've been thinking about is when I go in to my permission scheme, I can edit 'browse projects' and grant to different options. Right now I have it set to 'application access-any logged in user'.. but there are other options, such as application access-Jira Software (not sure what this is). There is also a group, and if I can choose a group that only our internal users are part of and not the external.. thinking that might work. Thoughts?
@Sonya Petkunas - application access-Jira Software refers to all users that have been provided a license to use Jira Software. As I mentioned above, I would avoid using application access in permissions schemes just in case you will need to grant users the ability to use Jira Software projects but you don't want them to have access to all projects.
I do agree with your statement of editing the "Browse Projects" permission. Though, I would recommend setting it to a project role (e.g. Administrators, Developers, Users) and then you can set the groups within each project that should have access to browse that project. I totally understand if you have hundreds of projects and setting the group access on each of them individually is out of the question. In that case, you are right that it would make sense to set this to a group that all internal employees are a part of, and also a project role (i.e. Users) then for the one (or more) projects that the external users need to access. Add them to a group that you can assign to the project role only in the projects they should be allowed to access.
I hope that helps!
I think we figured out what we can do for this situation. Since jira-software-users is a default group that all of our users get put into... we created an ext-jira-software-user group and when we add a new user to Jira, we removed them from the jira-software-users group and added them to the ext-jira-software-user group. Then we went into the permission scheme and changed the browse projects from application access = any logged in user to group = jira-software-user. This keeps the external user group from having browser access. I added the ext-jira-software-user group to the specific project I wanted them to have access to. This does not solve the issue with Next-Gen projects. Two choices there.. make NG projects private or move those projects to Classic with our permission scheme.
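The following Python sketch is an added example, not part of the thread and not Atlassian code. It models which projects a user can browse under the "any logged in user" grant versus the group plus project-role grants discussed above. The project keys (HR, OPS, VEND), the holder-type labels, and attaching ext-jira-software-user through the "Users" project role are assumptions made for illustration.

```python
# Simplified model of how a "Browse Projects" grant resolves for a logged-in user.
# The data layout and holder-type labels are constructed for this example;
# they are not Jira's own evaluation logic or storage format.

ANY_LOGGED_IN = {"type": "applicationRole"}   # models "any logged in user"
INTERNAL_GROUP = {"type": "group", "name": "jira-software-users"}
USERS_ROLE = {"type": "projectRole", "name": "Users"}

# Constructed sample data: per-project role membership (role -> groups).
PROJECT_ROLES = {
    "HR": {"Users": set()},
    "OPS": {"Users": set()},
    "VEND": {"Users": {"ext-jira-software-user"}},  # the one contractor project
}

# Constructed sample users and their group memberships.
USERS = {
    "employee": {"jira-software-users"},
    "contractor": {"ext-jira-software-user"},
}

def holder_matches(holder, groups, project):
    """Return True if a logged-in user with `groups` satisfies this grant holder."""
    if holder["type"] == "applicationRole":
        return True  # every logged-in user, regardless of group
    if holder["type"] == "group":
        return holder["name"] in groups
    if holder["type"] == "projectRole":
        members = PROJECT_ROLES[project].get(holder["name"], set())
        return bool(members & groups)
    return False  # unknown holder types grant nothing

def visible_projects(browse_holders, user):
    """Projects the user can browse under the given Browse Projects grants."""
    groups = USERS[user]
    return sorted(p for p in PROJECT_ROLES
                  if any(holder_matches(h, groups, p) for h in browse_holders))

def overexposed(browse_holders, user, allowed):
    """Projects visible to `user` that are outside the `allowed` set."""
    return [p for p in visible_projects(browse_holders, user) if p not in allowed]

BEFORE = [ANY_LOGGED_IN]               # scheme as first described
AFTER = [INTERNAL_GROUP, USERS_ROLE]   # group for staff, role for per-project access

if __name__ == "__main__":
    for label, scheme in (("before", BEFORE), ("after", AFTER)):
        for user in USERS:
            print(label, user, visible_projects(scheme, user))
        print(label, "contractor overexposed:", overexposed(scheme, "contractor", {"VEND"}))
```

The `overexposed` check is the useful part to rerun after any scheme change: an empty list for each restricted user confirms the grant change did not leave a broad holder behind.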