It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Restricting issue creation of certain types based on user project role / group

I was wondering if there is a way to restrict creation of an issue type based on which role or group the creator is in.

For example, I want only Developers to be able to create a new feature or enhancement.

15 answers

1 accepted

3 votes
Answer accepted

Hi, this isn't possible for OnDemand. Only the downloadable version can do this.

There was an issue for this: https://jira.atlassian.com/browse/JRA-5865 but has been resolved as won't fix.

Discussion: https://answers.atlassian.com/questions/33259/permission-to-create-specific-issue-type?page=1#33270

Yes, this can be done out of the box, Peter. First, create a group containing only the developers you want to have access to creating this type of issue. Next, on your workflow for that particular issue type, go to the origination step for the worklow - for example, 'Create Issue'. Add a validation step of type permission and select the group you created in the first step above. of course, you should test it to assure it's working correctly prior to publishing the change (if you don't want to cause potential problems with your users). Anyone not in this group has no access to creating that issue type. They simply would not see it in the dropdown.

I don't see an option to add validators based on groups. Can you post a screenshot? (probably not since this post is 3 years old!)

Like mahavishnu likes this

The permissions validator no longer contains an option to specify a user group; you may only specify a permission (e.g., Create Issue) which is useless since this would deny the person from creating any issue type.

That's what I thought. It looks like using Script Runner is the only option. Otherwise you need to create a separate project

Actually, there is another kludge I forgot about that I do one on our projects. I forgot to note this in my latest reply. I knew we had a working example of this somewhere.

Say you only want administrators to be able to create a certain issue type - in my case, I use a custom API to import a ticket from my support system into JIRA. You likely have one or more permissions in your project that are restricted to admins only (e.g., "Delete All Comments" in my case since this is something I only want a few people doing. For this permission, it should contain a group or persons able to do this. In my case, it contains the group, "administrators" with handful of people since we won't want to lose the trail of comments added for this project).

Now, from your workflow for that issue type, go to the Create step and add a validator of type "User Permission Validator" and choose the "Delete All Comments" permission.

Although everyone can still see that issue type, and even populate the Create form, when trying to submit the form, an error about not having this permission results.

We control it using the 'Move Issue' permission in manner mentioned here...so only users in group with 'Move Issue' permission can then create issues in that workflow which has the effect of restricting the issue types that the user can select when creating issues. e.g. we allow 'normal' users to raise stories and issues but not designate something as 'bug' etc. This has to be done after review.

Like Heather R likes this

I can't seem to get this working. Any suggestions?


What I did on the 'create' transition in the workflow specific for issue type Idea:

* Delete the standard validator 'only users with -create issue- permission van execute this transition'.
* Add the validator 'only users with -set issue security- permission van execute this transition'.
* In the permission scheme of the project I added only one specific user to the permission 'set issue security'.


Nonetheless, anyone with access to the project can create an issue of the issuetype Idea.

I can see that this is an old question, but I had the same today. I put my solution here for anyone's benefit.

There is a suitable validation option called "Users in a field are/aren't in a project role".

So the steps to set it up:

 - Optional: create a JIRA (security) group (say "Special Users Group").

 - Create a role (say "Special Users Role") (see How to add project roles)

 - Update your workflow

   – Select the Create Task transition, and add a validation step

   – Use the "Users in a field are/aren't in a project role" validator

   – The "Special Users Role" should show up under the "Selected project roles" section

   – Fill in validator properties as needed

 - Assign your users to the "Special Users Role", optionally via the "Special Users Group".

 

Hi Balint,

I do not have the "Users in a field are/aren't in a project role" validator option, although I do have defined roles associated with the project. Any advice as to why this would be happening? I am using the cloud-based version.

Thanks.

In my case it was the on-premise version, maybe that1s the difference.

@Alec Mishra 

 

Hi Mishra,

 

i'm also facing same issue do you have anyupdate on that.

@Chityala Pavan  Did you find any workaround for this?

Technically, there is a "hack"ish work-around. You can add the group/s to a permission scheme setting (e.g., Set Issue Security, or something you're not currently using), and then add a Validation to the Create transition of the workflow for that permission (which is available in OnDemand).

This is excellent thinking. Hacky for sure but very excellent.

I can't seem to get this working. Any suggestions?

What I did on the 'create' transition in the workflow specific for issue type Idea:

  • Delete the standard validator 'only users with -create issue- permission van execute this transition'.
  • Add the validator 'only users with -set issue security- permission van execute this transition'.
  • In the permission scheme of the project I added only one specific user to the permission 'set issue security'.

Nonetheless, anyone with access to the project can create an issue of the issuetype Idea.

@Tom De Cock Try running the Permissions Helper - https://confluence.atlassian.com/adminjiracloud/using-the-permission-helper-868982879.html - to see if that lists anything that helps understand what permissions the user has access to that they should not. Almost certainly, there's another permission or role that the users have access to granting them greater access than they should have. It's just too wide open of a scenario for me to help with without having access to your setup.

Also, you may have just been using a single user as a quick test for this solution, but I always recommend that Permissions be tied only to Roles, and Roles tied only to Groups. This makes it easier to manage permissions by making sure a User is in the correct groups. It also makes the traceability easier to follow to understand a user's permissions.

Hopefully, some of that helps!

Hello,

Could anybody point me to the solution for the downloaded version of JIRA?

Cheers & best :)

Plugin / JavaScript

I recently created a plugin that might help you. I'm open for suggestions to make it better. Cheers.

Another option is to use the free Script Runner add-on. That adds the option to add a simple script as a validator on the Create transition. With this you could add the following validation to a transition is an issue-specific workflow:

import com.atlassian.jira.component.ComponentAccessor

def groupManager = ComponentAccessor.getGroupManager()
groupManager.isUserInGroup(issue.reporter?.name, 'some group')

Wilton's solution is more elegant, since (if I'm not mistaking) does not even offer the user to create an issue of a certain type. This solution will show an error when the user tries to submit an issue of the type he is not authorized for.

Hi

I am new to script runner and if I wish to put multiple groups in the below line , what should be the syntax ?

groupManager.isUserInGroup(issue.reporter?.name, 'some group')

 

Thanks ! 

hi,

Thanks for the code. What if I need to add a condition for issue type? Two of my issues use the same workflow action. So how do I modify your script to trigger only if the issue type is lets say "User story"

Hi Wilton,

Would you plugin work on JIRA 5.2.X version ? I've been looking for this kind of features for years !!

Thanks for your reply

Would you plugin work on JIRA 5.4.X version ?

Hi there,

unfortunately not. You should seriously update your JIRA.

With Workflow Enhancer for Jira you can create a Universal Validator that checks [groups] user is in, evaluating to true or showing a custom error message to user.

Hey, this sounds great.  Can you point me to an example of how to formulate this validator  ?   I want to check that the user belongs to the group INT_ECO if he wants to create an issue of a certain type.

Might not be exactly what you're looking for, but we've just achieved this by creating a workflow for each of the task types. We can then apply different validators to to each workflow to ensure only certain groups can create certain task types.

 

This means our API can create Tasks, but users cannot. However, uses can create Sub-tasks on the tasks created by the API.

 

It's a right faff but it works and we refuse to pay for extra plugins for things that should really be built-in from the start,

Know this is an old thread - but I had the same dilemma and solved it by adding a 'Universal Validator' on the Create transition....

2018-12-17_14h09_15.png

Hi,

I solved this issue using Scriptrunner's behaviour, used below code in initializer and it showed Issuetypes based on logged in user, you can validate user against project roles or even groups

 

import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.security.roles.ProjectRoleManager

import static com.atlassian.jira.issue.IssueFieldConstants.ISSUE_TYPE

def projectRoleManager = ComponentAccessor.getComponent(ProjectRoleManager)
def allIssueTypes = ComponentAccessor.constantsManager.allIssueTypeObjects

def user = ComponentAccessor.jiraAuthenticationContext.loggedInUser
def issueTypeField = getFieldById(ISSUE_TYPE)
def availableIssueTypes = []

//use this def and if code to check project roles
/*def remoteUsersRoles = projectRoleManager.getProjectRoles(user, issueContext.projectObject)*.name

if ("Testers" in remoteUsersRoles)
{
availableIssueTypes.addAll(allIssueTypes.findAll { it.name in ["Task", "Experiment"] })
}
*/

//use this def and if code to check groups
def remoteUsersRoles = ComponentAccessor.getGroupManager().isUserInGroup(user, "jira-administrators")
if (remoteUsersRoles) {
availableIssueTypes.addAll(allIssueTypes.findAll { it.name in ["Task", "Experiment"] })
}

else {
availableIssueTypes.addAll(allIssueTypes.findAll { it.name in ["Task"] })
}

issueTypeField.setFieldOptions(availableIssueTypes)

 

Hope this helps.

 

Regards,

Priyanka

Hi Priyanka, good work.

Could you help with the code if Current user belongs to both Users and Developers roles, therefore both the above sets of issue types should be available

This link gives the code but the behavior is not as expected in the screen shots added below "Restricting Available Issue Types"

https://scriptrunner.adaptavist.com/5.5.0.3-jira8/jira/recipes/behaviours/restricting-issue-types.html

 

set_issue_types_for_both_roles

Hi Arun,

Thanks, Happy to help :) , though not sure what you want to achieve. Do you want to validate that if the user is part of both Users and Developers group then he should see Bug and Task issue type else he should see remaining ones?

Let me  know, I will try to code accordingly.

 

Regards,

Priyanka

Sure, I have 3 Issue types ( Defect, Enhancement and Documentation) Defect has to been seen by developers only group but few users also are users and developers so they should all 3 (similar in the picture) and the code is restricting the dual group user to not see all but just 2

Thanks,

Arun

I may be missing something obvious here...

The best way to block any transition in a workflow is to add a condition.

However, in Jira 8.x (and probably earlier), the Create transition does not support Conditions.

So the other option is to create a validator that will fail. This is fine and dandy, but it means that the user will get the issue creation screen, will fill all the mandatory fields (and others) and then, when she clicks on the Create button, the operation will be rejected.

That a really bad UX.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Jira

The add-in you’ve been waiting for: Jira Cloud for Excel 🙌

Introducing Jira Cloud for Excel Here at the product integrations team at Atlassian, we are thrilled to announce the new Jira Cloud for Excel add-in! This add-in lets you export Jira data directly ...

841 views 5 22
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you