I'm trying to lock down certain parts of JIRA using permission schemes, and I'm unclear which project permissions allow you to interact with a project that you cannot browse.
With some testing, I've found that the "Create Issue" permission will allow a user to create an issue in a project (and, by extension, view the list of components and versions in that project) even if the user does not have permission to browse the project.
I can see a comprehensive list of project permissions in Managing Project Permissions, but I can't find an authority on which permissions are still (wholly or partially) effective without being able to "Browse Projects".
I've also found that I can create a link to a ticket which I'm not allowed to browse. (If I can browse ABC-123, and I can't browse DEF-999, I can still create a link from ABC-123 to DEF-999 if the "Link Issues" permission has been granted to "Anyone" in DEF.)
Anything related to an issue (like Edit, comment, move etc) are dependent on "Browse" issues because a user can do those only if they can see the issue.
Anything related to the project (Administer, Create only these two if I remember correctly) are not dependent on "Browse".
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.