Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Why do all users need to be in the Jira users group therefore have access to all projects?

Rich Lovelock
Rich Lovelock April 14, 2012

If you create a user, they get assigned to the jira-users group which apparently they have to be part of to log in to the system.

Being part of the Jira users group means the user is then part of the 'users' group across ALL projects. What if you then want to stop the user accessing certain projects? It seems logical to remove them from the users group for the project but you can't - it then removes them from the global Jira-users group meaning the user can no longer log in.

This doesn't seem logical to me?

Answer
Watch
Like # people like this
8322 views

3 answers

2 votes
Dieter
Dieter
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 14, 2012
jira-users should only be added in exceptional cases to project roles. You should create your own group for each project and add that to the project role uses. or you do not use groups at all and add each user individually in the project role users.

i currently cannot verify it since i don't have OnDemand access but i guess this is because jira-users is in the default project role "users" . If yes, jira-users should be removed from this default project role else each newly created project will contain jira-users in that role and makes the project accessible for everyone that has an accoumt. Hope it's possible on OnDemand to change the default project role members.

Now in the projects that should not be open you should replace jira-users by another group that just contains the users for your projects

View More Comments
Dieter
Dieter
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 14, 2012
The default members of project role users can be edited as described here: http://confluence.atlassian.com/display/JIRA/Managing+Project+Roles#ManagingProjectRoles-Specifyingdefaultmembersforaprojectrole
Like
Rich Lovelock
Rich Lovelock April 14, 2012

Ok I think that helps, thank you. I'm just reading more about project roles now.

The documentation says:

Jira-users group contains every JIRA user in your system. By default is a member of the 'Users' project role.

So what I need to do is create project roles and groups for each project, assign users accordingly to the groups and this should OVERRIDE the jira-users group permissions that allow all users to access all groups?

(I can't remove users from JIRA-users as they can no longer sign in to JIRA at all, that's in the documentation as well).

Like
Dieter
Dieter
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 14, 2012
You don't need to create a new role. just remove jira-users from the role "users" and add your own group to role "users". Do this in all projects where you want to restrict the users. Also change the default members of role users to empty. Thus each newly project will be safe by default. if you want to make it open, add jira-users to role users else create your specific group and add this role
Like
Rich Lovelock
Rich Lovelock April 14, 2012

OK great thanks, I'm working through the help docs so will hopefully get on to permissions soon and post back if I have any queries. Thanks for your helpful input

Like
Dieter
Dieter
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 14, 2012
To understand the security better you should have a look at permission schemes as well. The right to browse issues is defined in the permission scheme. In the default scheme, the role users has this right. Of course one could redefine that to add other roles. E.g one could use a role viewers that only has the permission Browse and nothing else. So users in this role could only view issues but not edit them. There are a lot of possibilities and to master Jira successfully you should get some notion how permission schemes work
Like
Dieter
Dieter
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 14, 2012
Glad if i could help you :)
Like
Rich Lovelock
Rich Lovelock April 14, 2012

All under control and fallen in to place now. Thanks very much for your help.

Like
Joris Weimar
Joris Weimar August 25, 2015

I understand how to solve this by doing what Dieter wrote above. However, I think it's in principle bad that by default users get access to all projects. I now have to remember to remove the jira-users group from the Users role everytime I create a new project. This gives me an uneasy feeling. I'd rather have the users not see a project and complain (which is then easily fixed) than that they can see a project which they're not supposed to see.

Like
Gordon Kotik
Gordon Kotik December 17, 2015

I want to lock down access to a project, so I started by removing jira-users from the Users role for that project. As soon as I did that, I could no longer access the project at all. It was no longer listed in Projects > View All Projects. Since I'm a member of jira-administrators, and also a member of the Administrators and Developers role for the project in question, this really surprised me. Is that expected behavior? I'm using JIRA 6.4.9.

Like
Reply
0 votes
Joris Weimar
Joris Weimar August 25, 2015

Did you ever figure out how to have this happen by default without having to remove the jira-users group from the User role for each project?

View More Comments
Oleksandr Chalyi
Oleksandr Chalyi June 1, 2018

Go to Permissions schemes -> for Default Permission Scheme (that is used by each new project) open -> Permissions -> remove group "Jira-users" from Permission "Browse Projects".

Like
Reply
0 votes
Rich Lovelock
Rich Lovelock April 15, 2012

I have a problem I can't solve, not sure if you or anybody can help.

I've created a new project. It has the defaults project roles (admin, developers, users) assigned to it.

I've created a group called TGC with all 4 team members in it and I want them all to be able to administer just this project.

Under the project-role administrator, I've added the TGC group. When logging in as another team member I can see the administer project link for the project and I can access the 'General' tab. If I click any of the other tabs (e.g. Issues or Wiki) I get a log in box and a mesage saying the user doesn't have permissions.

I thought by adding the users to a group and assigning the group to the administrators project role for the project that's all that I'd need to do. What else might be preventing them access to those pages?

View More Comments
Ricardo Müller
Ricardo Müller May 14, 2019

You have to define in the projects permission scheme who's able to manage a project. If you set the project role to administrators it should work.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events