Restrict users to project, but receive notifications for other project as well?

Hi,

I know how to restrict users to seeing only one project with the permission scheme.

The problem is that all users from our Active Directory have "Browse Projects" permission for all projects in order to receive e-mail notifications. When a user logs an issue in our Service Desk with the proper Notification scheme set, the user receives an e-mail on Create and Resolve issue. This is very important for our organization since we use Jira for Incident and Request management. For that we have created a separate group "All Active Directory users" and we granted that group "Browse Projects" permission.

Now I have to grant access to only one project to 2 of the same users which already belong to the "All Active Directory users" group. If I remove these 2 users from "All Active Directory users" they can only see one of the projects - mission accomplished. But they will no longer receive e-mail about their issues (issues that they raised) on other projects. And this is not acceptable.

Any ideas how to achieve this?

5 answers

1 accepted

I solved my problem by creating duplicated users. One user (from AD) for ProjectA with permission scheme A, and another user for ProjectB with scheme B with the same e-mail address.

Thank you all for your help.

Hi Todor,

I am afraid that in order for users to receive notifications for issue operations, users must be granted the Browse Projects permission for the project. This is as stated in the documentation on JIRA Notification Scheme:
- Creating a Notification Scheme

Please see the information outlined at the bottom of the documentation:

Email notifications will only be sent to people who have permission to view the relevant issue — that is, people who:

Since this is the case, I believe that you must ensure that the relevant users are granted the Browse Project permission and are included in the issue security levels in order to ensure that they get the notifications whenever an issue is created or resolved.

Though it's not much, I hope that this helps to clarify the matter.

Ahmad.

Hi Ahmad,

My problem is that I have to restrict users to be able to see only one project and at the same time to receive notifications for other projects. I know that users have to have the "Browse projects" permission in order to receive notifications. Maybe I should use some security scheme, but how can I apply that scheme to the old issues in the projects?

Simply put, that is not going to happen without code, or non-ideal configuration.

If a user cannot see an issue, then they will not get email about it. End of story - and correct design I should point out - emailing people with stuff they can't see is a security loophole, so you *should* have to work hard to break the security model.

To keep it really minimal, you'd only grant your restricted users "browse" in the projects they should get mail from, which means they can't update anything.

If you really do want to break the security, then you've got two basic options:

1. Find/write plugins that bypass the security and send mail to people who can't normally see the issues

2. Work around it - create dummy users for your users who should get email. Use those in the "restricted" project, making sure they do have "browse". But then give them random passwords that you never give to anyone. They'll get email, but not be able to log in. You can even disable the accounts I think, as long as the permissions still allow them "browse" in the projects that are going to send email.

As for security schemes - these hide individual issues inside projects. And the rules about "can't see issue, won't get email" still apply - if it's hidden with a security scheme, then the user won't get the email unless they're in the "can see the issue" group/role/etc.

Issue security is applied for you though. When you tell a project "use this security scheme" it will ask you what the default level is and apply it to the existing issues.

Hi Nic,

You are not right that if a user cannot see an issue, then they will not get email about it.

Please see how we do this with our Active Directory users in my answer below.

But you gave me an excellent idea - to create new users.

Sorry, but I am right. Users who can not see an issue in Jira will not be emailed about it.

You've worked around it in AD, because those users automatically have browse, but if you remove that, they won't get the emails. There's the workaround that makes Jira send emails to groups that the users happen to be in, but that's *not* mailing the user direct.

I should have been more clear though. A *jira* user will not be sent emails *by jira* if they do not have the rights to see an issue. Emails may well come via other routes, of course.

Hi Nic,

I think we are both partly right. The users from AD are not auto added to any group. I add them to a group and then I grant the group "Browse permissions" manually for a project. But since they do not belong to the jira-users group they are not able to log in, and if they are not able to log in to Jira they cannot see the issue. But they receive the e-mail notifications.

Can't you try creating a new permission scheme for these two projects?

Hi Vishnu, what do you mean? Of course it is possible to create two different permission schemes for the 2 projects, but it does not resolve my problem. Let's say we have ProjectA with permission scheme A, and ProjectB with scheme B. User Z has to be able to work on issues on ProjectA and receive notifications from ProjectB, but without being able to view issues on ProjectB.

The point of this is that the same user is part of the business side and he will participate in one of the projects. At the same time his IP telephone may become unusable and he will call the service desk and receive an e-mail notification with the ticket number. When the issue is resolved he will receive an e-mail notification with the resolution. It is not necessary for him to be able to view the issue in Jira, but he will be informed that his issue is resolved.

This was implemented for more than 2000 users and it is working fine; they do not have rights to log in to Jira. We just created a dumb group with all users in our Active Directory and granted "Browse Projects" rights to the group. Users are informed that their issue (incident, request, etc.) is logged from the Service Desk, and they have an issue number. They can call the Service Desk 2 days later and ask what is happening with their issue with this number.

So far the only possible solution I can imagine is to create new users in Jira for the 2 business users with the same e-mail addresses. This way they will receive notifications for ProjectB, and they will have to log in with their new Jira accounts in order to view and work on issues in ProjectA.

P.S Please excuse my English. I hope that you understand my point.
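
An added example, not part of the thread and not Atlassian code: a small audit over a constructed export of accounts and "Browse Projects" grants, applying the rules stated in the thread (mail follows Browse Projects; logging in requires `jira-users`). It lists mailboxes shared by several accounts and the projects whose issue mail reaches a mailbox that cannot view them after login. The account names, addresses and the `projecta-team` group are made up.

```python
from collections import defaultdict

LOGIN_GROUP = "jira-users"  # group the thread says is needed to log in

# Constructed sample data: project -> groups holding "Browse Projects"
BROWSE_GRANTS = {
    "ProjectA": {"projecta-team"},
    "ProjectB": {"All Active Directory users"},
}

# Constructed accounts modelling the duplicated-user workaround
ACCOUNTS = [
    {"name": "z.ad", "email": "z@example.com",
     "groups": {"All Active Directory users"}},
    {"name": "z.jira", "email": "z@example.com",
     "groups": {"jira-users", "projecta-team"}},
    {"name": "y.ad", "email": "y@example.com",
     "groups": {"All Active Directory users", "jira-users"}},
]

def browsable(account, grants=BROWSE_GRANTS):
    """Projects where one of the account's groups holds Browse Projects."""
    return {p for p, groups in grants.items() if groups & account["groups"]}

def exposure_by_mailbox(accounts=ACCOUNTS, grants=BROWSE_GRANTS):
    """Per e-mail address: projects that mail it vs. projects viewable after login."""
    report = defaultdict(lambda: {"accounts": [], "mail_from": set(), "ui_view": set()})
    for acc in accounts:
        entry = report[acc["email"]]
        entry["accounts"].append(acc["name"])
        projects = browsable(acc, grants)
        entry["mail_from"] |= projects
        if LOGIN_GROUP in acc["groups"]:
            entry["ui_view"] |= projects
    return dict(report)

def findings(report):
    """Flag shared mailboxes and projects that reach a mailbox by e-mail only."""
    out = []
    for email, e in sorted(report.items()):
        if len(e["accounts"]) > 1:
            out.append((email, "shared-mailbox", tuple(sorted(e["accounts"]))))
        mail_only = e["mail_from"] - e["ui_view"]
        if mail_only:
            out.append((email, "mail-only", tuple(sorted(mail_only))))
    return out

if __name__ == "__main__":
    for row in findings(exposure_by_mailbox()):
        print(row)
```

A "mail-only" row is the state the duplicated-user workaround produces on purpose, so the value of the audit is in reviewing that each such row is an intended exception.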
