Read Only JIRA Group

Also, do I have to do anything with workflow conditions as well? Or, can they be ignored.

If I create a read only user and only add them to the "Browse project" group, they are not able to log in. Do they still have to be in the jira-users group as well?

Sort of.

The group "read only" is doing what you expect. But it does not grant the right to log into Jira - that is handled by putting people into "Jira users". But, you don't *have* to use "jira users", you can add one or many groups to the "can log in" permission.

I suspect the most simple approach for you is to put "read only group" into "can log in" alongside "jira users" (Admin -> Global permissions). The downside with that is that ALL new users are automatically added to ALL groups in the "can log in" section, which might not be what you want

You can ignore workflow conditions in the later versions of Jira. In 6.2 and below, I used to have to tell everyone "if you do not put conditions on your workflow, then ANYONE can use the transitions", but Atlassian have finally added a new permission of "can use transitions" which now protects transitions from anonymous usage.

If your jira is not open for anonimous user - you should add this user to the group that has use jira permission (i.e. jira-users). If you don't want to - you can add the needed group to use jira global permissions (see https://confluence.atlassian.com/display/JIRA/Managing+Global+Permissionsjira users section)

Thanks for the explanation. I think the easiest route would be to add "can log in" permission to my read only group. This would be much more safe than adding them to the jira-users group. (They woudl receive additional permissions I don't want them to have.)

How do I go about adding the "can log in" permission to my read only group? I see the 'Add Permission' section on the "Global Permissions" page, but I don't see a "can log in" option in the Permission dropdown to give it to my group.

Sorry, I tend to call it "can log in" because it's more helpful than "can use" or "jira user"

Click on the first drop-down and find "Jira Users", and select your "read only" group in the second list, and belt "add"

No problem, thanks for your help!

I now have my jira-read-only-users setup with global permissions for 'JIRA Users' and 'Browse Users'. However, when I log in, I am not able to see any projects. (I am not even able to see the Projects menu at the top of teh screen. Am I missing another global permission that is needed?

You need to include the group in the permission scheme(s) for the projects too, on the "browse" line. (Or via a role)

I added my group to the projects "browse" permission scheme and I can now log in and and see everything in a read-only mode just as I wanted, thanks!

The only odd thing I found was that I am still able to change the workflow status of an issue. Is this expected?

Just make sure that the user is only part of jira-read-only-users group. If you are able to change the workflow then this permission must be coming from some additional group which is assigned to user.

I have only made the following changes to my jira-read-only-users group:

* Added jira-read-only-users to the Global Permission 'JIRA Users' and 'Browse Users.

* Applied a premissions group to a given project that give jira-read-only-users access to 'BOrwse Proejcts'.

* Created a user and only assigned them to he jira-read-only-user group.

However, I am still able to change the workflow status of an issue to my user added to the jira-users-read-only group. Any other ideas?

Thanks,
Chris

They must be getting permission somewhere. Have you verified you did give 'anyone' or the jira-users group permission?

No, I did not verify a wrong permission for 'anyone' or the 'jira-users' group. Where would all the places be that I should look to verify this information?

Thanks,
Chris

Ok, it's just the move of issues through the workflow that you can do with your read-only user?

That's a common oversight by new Jira admins (and it's improved in the latest couple of versions of Jira). You haven't put any "conditions" on the workflow transitions. Jira doesn't do it by default, so admins have to remember to add them as they build a workflow. Even the most simple one of "user must be in the role of user" is not there by default.

Nic,

A read-only-user can only move an issue through workflow and nothing else. (Yes, I am a new JIRA admin. :-))

I am currently running version 6.1.5. If I upgrade to 6.2, are adding the workflow conditions in still needed?

Thanks,
Chris

I don't think the fix for the default arrives until 6.3, possibly 6.4!

It works by adding an extra permission to the schemes of "can transition issues", so to use it, all you do is NOT grant it to your read-only group!

After I added in the workflow conditions, I now have everything working perfetly! Thanks for all your help.