This is quite a complex thing to do, for two reasons
First, Atlassian distribute Jira/OnDemand with a really bad default security model. They create three groups - admins, users and developers, and they use the jira-users group to determine "can log in" rights. That in itself is fine, but the bad thing they do is then use it for other things, like "can browse project" and so-on. This means that by the time most admins reach a "I want to limit user access" point, they've had their permission schemes utterly ruined because "can log in" has defaulted to be synonymous with "can use project". Which is very bad.
You'll need to unpick that problem - the most simple approach is to create a single new group called something like "project users", put all your current users in it, and then go through every single permission scheme, swapping jira-users for project-users, so that jira users only ever means "can log in" (and maybe some global stuff like if you've got a "jira support" project)
Once you've done that, you can create an "external users" group, (or use roles, roles are better) and use that in a permission scheme to allow "create", "browse" and maybe "comment" in your external project(s).
Secondly, a more simple one - there's a counter-intuitive thing in Jira that means it interprets "can browse" as "anyone who MIGHT be able to browse". So, when you say "reporter can browse project", it doesn't give browse rights to just the current reporter on the issue, it grants it to anyone who *might* be a reporter and hence opens the entire project. There is a "reporter only browse" permission which needs to be enabled on a system level, which allows only the reporter of the issue to browse that issue, ubt I don't know if it's available on OnDemand.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.