A complete guide to Jira Service Desk permissions pt.2

This is the second part of the article about Jira Service Desk permissions. Read the first part to learn about project roles, user groups, global and project permissions.

Issue security schemes

Another key point is to define authorization levels for viewing issues. Each issue can be assigned a security level, which lists the users permitted to access it, so only those with the right authorization can open that ticket. Access can be granted through a range of variables, from application access and user or group custom field values to project roles and single users. In effect, these schemes restrict the Browse Project permission: Browse Project lets users see all the issues within a service desk, and assigning appropriate security levels to those issues limits their visibility.

  1. In Issues, go to Issue security schemes.
  2. Click Add issue security scheme and name it. 
  3. Choose Security levels from the Actions column.
  4. To add a security level, type its name and description (optional).
  5. Go to Add in the Actions column and select the variable you want to add to the security level.

Remember that each level may include numerous users, groups or project roles, depending on who needs the specific authorization.
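
The interaction between Browse Project and security levels described above, as a simplified model added here (it is not Atlassian's code or API). The issue keys, level names and user names are constructed; the group names are borrowed from this article's later examples.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()   # project roles held in this project
    can_browse: bool = False         # holds Browse Project in this project

@dataclass
class SecurityLevel:
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)

    def admits(self, user):
        # Any one matching entry (single user, group or project role) is enough.
        return (user.name in self.users or bool(self.groups & user.groups)
                or bool(self.roles & user.roles))

def can_view(user, level_name, scheme):
    if not user.can_browse:
        return False                 # a security level never grants access by itself
    if level_name is None:
        return True                  # no level set: Browse Project alone decides
    level = scheme.get(level_name)
    return level is not None and level.admits(user)   # unknown level: deny

# Constructed sample data (issue keys, level names and user names are made up).
SCHEME = {
    "Directors only": SecurityLevel(groups={"corpoplanet-directors"}),
    "Service team": SecurityLevel(roles={"Service Desk Team"}, users={"auditor"}),
}
ISSUES = {"EXP-1": "Directors only", "EXP-2": "Service team", "EXP-3": None}
USERS = {
    "director": User("director", frozenset({"corpoplanet-directors"}), can_browse=True),
    "astronaut": User("astronaut", frozenset({"corpoplanet-astronauts"}), can_browse=True),
    "agent": User("agent", roles=frozenset({"Service Desk Team"}), can_browse=True),
    "auditor": User("auditor"),      # named in a level, but lacks Browse Project
}

def visible_to(user):
    return sorted(k for k, lvl in ISSUES.items() if can_view(user, lvl, SCHEME))

def unprotected(issues):
    """Issues with no security level: visible to everyone who can browse."""
    return sorted(k for k, lvl in issues.items() if lvl is None)

if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, visible_to(user))
    print("no security level:", unprotected(ISSUES))
```

The `unprotected` list is the one to review first: an issue without a level is governed by Browse Project alone, so every user who can browse the project can see it.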

Customer permissions and Organizations

Basically, we can define who may become a customer of our Portal, as well as with whom they can share a request. We can set this up in Project Settings under Customer Permissions.

Also, we can add users to Organizations. Users who are invited to an Organization rather than created in Jira Service Desk won't be added to the jira-service-desk-customer project role. Organizations also enable customers to share their requests with other members of their organization. For example, those who are part of the corpoplanet organization will be able to share their requests from a service desk project dedicated to their company with another employee included in it; however, only a specific number of its users will be assigned to a specific project role.

To create Organizations, we need to:

  1. Choose Customers from the side panel of the service desk project. 
  2. Click Add organizations and create one. 
  3. Go to the organization by clicking on it and click Add customers.
  4. Enter the username or email addresses of users to add them to the organization.


Whenever a new customer joins the service desk, they get restricted access to the Customer Portal. As a part of an organization, these customers aren't added to the Service Desk Customers project role, but they can still raise requests in all projects their organization is assigned to.

Advanced safety measures

To keep ourselves safe from online security threats and boost the usability of Jira Service Desk, we should also make sure that we have some more advanced permissions in place. Just to be sure, we should look more closely at Service Desk accessibility and define the visibility of its other parts to various user groups. In particular, this applies to elements such as:

  • Customer Portal - since not all our users need to see every Customer Portal, we can limit each portal's visibility to only those who should have access to it. For example, if we have customer portals for both external and internal users available in the service desk, we should ensure that only our employees have access to the internal one. This works even when an external customer knows the link to the internal portal, because they will be blocked from entering it;
  • request types - the same goes for the request types. For instance, the higher-ups in the company should be able to ask for a business car or more valuable hardware. This way, the interns, for example, won't even see this request type when browsing the service desk;
  • fields - similarly to request types, some fields should be available only to those user groups that have the appropriate authorization to access them, e.g. only those who belong to the corpoplanet-directors user group may share the requests with other users and view the request participants;
  • options - if we have a field in which the requester needs to define, e.g., the budget for a hotel room, we can make the most expensive option available only to the directors;
  • SLAs - some user groups may need to view the progress of work on the request, so displaying the SLA measurement to those specific groups may be a good idea. It also ensures that users from other groups won't be able to see this metric even if they're participating in the request.


We can limit the visibility of the most important parts of the service desk to specific user groups, extending the security of the portal.

This specific set of advanced permissions is available in the Extension for Jira Service Desk app. After installing it, we have to:

  1. Go to the service desk's Project settings.
  2. Choose Visibility in the Extension section. 
  3. Add the visibility configuration to each tab.

If we want to use the Visibility feature of the app, we should create additional user groups. Creating two or three user groups per Organization is the most effective way of managing customers, because then we'll be able to grant them appropriate permissions, e.g. corpoplanet-directors will be able to do more within the service desk than corpoplanet-managers because they are more inclined to make some decisions. And to make this even easier on us, we can synchronize Organizations with user groups using a feature provided by Extension.

For example, we have a service desk project called Expeditions available to a few user groups, including corpoplanet-directors and corpoplanet-astronauts. Users from corpoplanet-directors will see only request types such as Introduce an expedition, Register astronauts, Cancel expedition, etc., while those from corpoplanet-astronauts will have access to a different set of request types, e.g. Enter for clearance, Sign up for qualification exams, etc. Both groups will also have some shared request types, like Order gear and Order equipment. This way, we ensure that a specific user group can choose from the requests most relevant to them.

Safe and sound Customer Portal

Sometimes, simple safety measures such as set permissions and limited visibility of some elements for specific user groups are a good start in cybersecurity. But making sure that our Customer Portal, and thus our customers' data, is safe and secure is a long-term goal. That's why we shouldn't limit ourselves to the basic service desk protection supported by good anti-malware software. Even adding such things as self-service or automation to our service desk may help secure it. Also, building a process that includes risk and incident management is a necessary precaution against online security threats.

If you’d like to learn more about improving Jira Service Desk, read other articles on the subject available on the Community: 
