
How to give a user (read-only) access to a single project and nothing more

This article answers a question that new Jira admins often have, especially after using Jira for only a few weeks or months: how to give some users access to only one (or a few) project(s). This is especially useful if your Jira site needs to be accessed by some of your clients and they only need to see the projects that involve them.

Note that this procedure requires you to be a site-admin and a Jira administrator.
Also note that this article is only applicable for classic projects, as next-gen projects have their own, separate permission mechanism.

Summary (tl;dr): Create a project role named 'clients' and a user group named 'internal-users'. Add all the internal users to the group 'internal-users' and, for each client, assign them the project role 'clients' in their respective project. Remove Any logged-in user from all the permission schemes and replace it with the group 'internal-users', plus the project role 'clients' for the Browse Projects permission.

Long version (complete instructions):

Part 1: Create a project role named 'clients': 
Navigate to Jira Settings → System → Project Roles and, at the bottom of the page, add a new project role. Name: Clients. Description: Jira users that need to only see their belonging projects.

Part 2: Create a users group that will contain all the internal users (all users except for your clients):
Navigate to the site administration area by clicking the 9-dots at the bottom left corner: Switch to → Site administration → Groups → Create group (top-right corner). Give the group a name like 'internal-users'. This group will contain all Jira users that are part of your organization and need access to all the projects (all your colleagues and not your clients).

Part 3: Add all other users except for clients (your colleagues) to this new group.
In the Site administration → Groups page, click on the newly-created group and then click Add members (top-right). Select all the users that are not your clients and then click Add.

Part 4: Add the newly created group and project role to all permission schemes:
Navigate to Jira Settings → Issues → Permission Schemes (down at the bottom). Locate the Default permission scheme and on its right-hand side click Permissions.
For every permission that is granted to Application access: Any logged-in user, click Edit, select Group and then select the name of the group that you created ('internal-users'), which contains all the internal users.
For the Browse Projects permission, also add Project role → Clients.
Locate all the permissions that are granted to Application access: Any logged-in user, and on their right-hand side click Remove, select Application access: Any logged-in user and click Remove.

This step needs to be repeated for all the permission schemes. Most likely there is one permission scheme named Default Software Scheme and the same steps need to be performed there. Ignore all the permission schemes generated by Jira Service Desk. These permission schemes will have Service Desk in their name so they are easily recognizable.

Part 5: Adding a client to a project
Navigate to a project where a client needs access, then go to Project Settings → People → Add people (top-right). Select the users (clients) that need read-only access to this project, then select the project role Clients and then click Add.

Repeat this last step for all the projects, adding the associated client to their own project.
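
A way to verify Part 4 across every permission scheme at once, as an added example that is not part of the original article. It audits a constructed sample shaped like the output of Jira Cloud's `GET /rest/api/3/permissionscheme?expand=permissions`; the JSON shape, the holder type names `applicationRole` and `anyone`, and the role id `10100` are assumptions.

```python
import json

# Constructed sample shaped like the JSON that Jira Cloud's
# GET /rest/api/3/permissionscheme?expand=permissions returns (assumed shape).
SAMPLE = json.loads("""
{"permissionSchemes": [
  {"name": "Default Permission Scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "internal-users"}},
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "projectRole", "parameter": "10100"}},
    {"permission": "CREATE_ISSUES", "holder": {"type": "group", "parameter": "internal-users"}}]},
  {"name": "Default Software Scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "applicationRole"}},
    {"permission": "ADD_COMMENTS", "holder": {"type": "applicationRole"}},
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "clients"}}]},
  {"name": "Jira Service Desk Permission Scheme for Project HELP", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "applicationRole"}}]}
]}
""")

INTERNAL_GROUP = "internal-users"          # group name from Part 2
SITE_WIDE = {"applicationRole", "anyone"}  # assumed holder types: logged-in users / public


def audit(schemes, internal_group=INTERNAL_GROUP):
    """Return {scheme name: [finding, ...]} for schemes that still expose projects."""
    report = {}
    for scheme in schemes["permissionSchemes"]:
        if "Service Desk" in scheme["name"]:   # the article says to ignore these schemes
            continue
        findings = []
        for grant in scheme.get("permissions", []):
            holder, perm = grant["holder"], grant["permission"]
            if holder["type"] in SITE_WIDE:
                findings.append(f"{perm}: site-wide grant ({holder['type']})")
            elif (perm == "BROWSE_PROJECTS" and holder["type"] == "group"
                  and holder.get("parameter") != internal_group):
                # Group membership is global, so this group sees every
                # project that uses the scheme, not just one project.
                findings.append(f"{perm}: extra group '{holder.get('parameter')}'")
        if findings:
            report[scheme["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, *findings, sep="\n  ")
```

An empty result means no scheme outside Service Desk still grants anything to all logged-in users, and only the internal group can browse projects by group membership.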

17 comments

Richard McMillan
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
May 6, 2019

My clicky finger is hanging from a tendon.

Manuel Jaeger
I'm New Here
June 13, 2019

Thank you for this article... helped me a lot!

Robertas Bastys
I'm New Here
September 12, 2019

Excellent post

Martin Kennedy
I'm New Here
September 16, 2019

Finally, the source I was desperately looking for. Thank you kindly for this article.

Michael Royle October 24, 2019

Thank you - been struggling with this a while. A really easy process to follow :)

Deborah Dean
I'm New Here
January 24, 2020

Great article. One question, what do I change in the above steps if I want to give the clients access to create tasks in the one specific project I give them access to? Thanks

Jens Strobel
I'm New Here
March 13, 2020

Same question: I want to give the clients access to create tasks in the one specific project I give them access to?

Limor Hader August 6, 2020

The ONLY post that helped me understand this annoyingly complex topic. THANK YOU!

Chris Choy
I'm New Here
August 12, 2020

As a new Atlassian administrator, I cannot thank you enough for posting this!!!

This is the only post that clearly goes over each step on how to properly set permission restrictions in Jira. This has been a real nightmare before reading this as all the other community posts were either out of date by several years or just convoluted at making a bunch of assumptions.

Thank you! 

Andrew Dunne November 25, 2020

I have a similar question to @Deborah Dean and @Jens Strobel.

How do I provide access to an external partner to create tasks etc. in the one project I give them access to?

Deleted user November 27, 2020

Hello, great post! Clearly explained!

I have been able to set permissions to view a specific project. 

However, I do not want the external user to see these options. How do I remove them from their view?

Screenshot from 2020-11-28 05.42.25.png

Screenshot from 2020-11-28 05.41.29.png

Thanks in advance

Babu

Sama Bahjat August 27, 2021

Good morning @Claudiu Lionte 

I am a site admin and we are using Jira Cloud. I have created a couple of projects with the Company managed template. I have been able to achieve the following for our projects:

Step 1: I have created 2 new groups (Scrum Team, and Read Only/Client).

Step 2: I created a new scheme from the default software scheme. In this new scheme I replaced all of the instances of (Application access: Any logged-in user) with (Group: Scrum Team). Then I added (Group: Read Only) to the Browse Projects permission section only in the same scheme.

Step 3: I added all of our users who will be working on this project to the Scrum Team Group and I added the customer to the Read only/Client group 

Step 4: I applied the new scheme to our projects.

Important Note: after doing steps 1-4 above, I am part of the Scrum Team but was not able to view the project at all. Then I realized that there is one small step that is not mentioned in any of the articles that I had come across (at least it was not clear to me as a beginner). That step was to add the product to any newly created groups so that those new groups that you create have user permissions on the Jira Software product. After I realized that, I did step 5.

Step 5: Go to Site administration → Groups and locate the newly created groups, click on one of the newly created groups, then under the Group product access section click on add product. Select Jira Software and make sure this new group has a user permission role on the product. Repeat this process for any other newly created groups.


Now, steps 1-5 above gave me what I need using groups in my permission scheme to create a simple access control path on my projects.

The outstanding question I still have is: How do you perform the same thing but using project roles instead of Groups?

I have created the project roles and added them to my Scheme. The one step that I have not figured out yet is how to do step 5 above for project roles.

Please let me know what I am missing here. Once I hear from you I can share the big vision that I have for creating a good access control path for our different teams and their projects.

Thank you,

Sama

Claudiu Lionte
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 27, 2021

To give clients the possibility of creating issues in that project, at Part 4, right after "For the Browse Projects permission, also add Project role → Clients", you'll have to add Project role → Clients for the Create issues permission.

@Sama Bahjat If I understand correctly, your question is around adding application access to those clients. Unfortunately, project roles cannot be used to grant application access to Jira. Application access can only be granted to a group, so you'll have to put all the clients in one or more groups and give those groups access to Jira.

Sama Bahjat August 27, 2021

@Claudiu Lionte 

If that is the case then I don't see how a project role can be successfully added to the scheme (as you have suggested to be a better practice than using groups). Am I missing something? I know I am, I just don't know what it is :)

Marco Mangiante December 17, 2021

Great; one question: is it possible to use this for unlicensed users? I need to give access to people that are not involved as developers in the project but I don't want to give them a license.

Steve Zielinski December 19, 2022

If you are wondering "Why does this work?", the explanation is this:

"Project roles are somewhat similar to groups, the main difference being that group membership is global whereas project role membership is project-specific."

(from https://support.atlassian.com/jira-cloud-administration/docs/manage-project-roles/?permissionViolation=true)


Notice what @Claudiu Lionte did NOT do. He did not put the clients in a group. He used project role membership.

If you put the clients in a group and then add the group to Browse Projects the clients will be able to see all the projects in the Projects drop down - you will not achieve allowing clients visibility of a single project.

By creating the new project role and adding the client to the project, in that role, Claudiu was using the fact that "project role membership is project-specific".

(And of course, you must remove the Any logged-in user because that would override the more specific permissions you are trying to implement.)

@Claudiu Lionte if you ever update this article, I suggest you name the new Project Role as: project_role_Client. This might help ease the natural confusion those of us who are new or infrequent admins have around groups and roles.

Bas de Geest January 2, 2023

@Claudiu Lionte Awesome, exactly what I was looking for!
