How can I create a read-only user

George Carvill
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 19, 2012

I want to create a user called "Viewer" with a password who will only be able to read Issues, not change anything.

I have done so. Have put him in a Group called "Viewers."

In the test project, the user has these permissions:

*Browse Projects

*View Workflow

In my test project, the viewer is assigned to the "Viewers" project role.

But when I try to log in as "viewer" I am told I don't have permission.

1 answer

1 accepted

1 vote
Answer accepted
Nic Brough -Adaptavist-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
November 19, 2012

You say "the user has these permissions"

That's a little too simple, as you don't explain exactly how they get these permissions. It is a two layered thing and you need to be clear to follow it through.

From first principles, could you go back into the system as Admin and then

  • Go to the project
  • Check the permission scheme is correctly associated with the project.
  • Open the permission scheme (directly from the project)
  • Look at the "browse" permission. List everything in there (e.g. Role:developer, Group:fred, Assignee)
  • Now go back to the user and look at their Roles and Groups

One other test too - edit the browse permission and explicitly add "user: viewer" and re-test it.

Finally, are you using "security levels" at all?

George Carvill
Rising Star
November 19, 2012

From first principles, could you go back into the system as Admin and then
Go to the project
Check the permission scheme is correctly associated with the project.

>> Default Permission Scheme is assigned

Open the permission scheme (directly from the project)
Look at the "browse" permission. List everything in there (e.g. Role:developer, Group:fred, Assignee)

>> Project Role(users), several groups, and the Single User (viewer)

Now go back to the user and look at their Roles and Groups

>> The user "viewer" is a member of the Group "Viewers"

One other test too - edit the browse permission and explicitly add "user: viewer" and re-test it.

>> Done, as you can see above

Finally, are you using "security levels" at all?

>> Dunno. I don't see any other settings than Issue permission

Nic Brough -Adaptavist-
Community Leader
November 19, 2012

Ok, the second line makes the groups and roles irrelevant - "single user (viewer)" should make the issue visible to that user. So you're definitely logging in as that user and it's not seeing the issue?

On the security levels, go back to the project administration and look at the tab below "permissions" where you set the permission scheme. On that tab, does it say "Issue security is currently not enabled for this project." or something else? (Or does the tab not appear at all?)

George Carvill
Rising Star
November 19, 2012

So you're definitely logging in as that user and it's not seeing the issue?

No. The problem is that when I try to log in I get this message:

You do not have a permission to log in. If you think this is incorrect, please contact your JIRA administrators.

Nic Brough -Adaptavist-
Community Leader
November 19, 2012

I am terribly sorry, I completely missed that before.

Your user "viewer" does not have permission to log in. You need to grant that to them.

The usual default setup is to have the group "jira users" set up as the "can log in" group. So you need to add "viewer" into that group and you'll be fine. Everything else you have done looks absolutely spot on.

There's nothing wrong with that, but unfortunately, the default is then to use jira-users in other places. By the time people realise this is a dreadful design, it's too late, and jira-users is scattered through permission schemes, giving people access to all sorts of things, and it's a pain to un-pick the mess.

I'd test this by adding viewer to jira-users, and if I'm right about that, then you'll probably want to go back over ALL the places jira-users is used, and remove them, so that jira-users group means ONLY "can log in".

George Carvill
Rising Star
November 19, 2012

I don't have a "jira users" group.

We are using Active Directory to manage real users. I added "viewer" as a JIRA-only user.

Below are the groups that contain the string "user."

Forget "Mac Users."

WHJiraUsers is the AD group that contains our users.

"user" is the name of the local group I put "viewer" into.

I notice that the "user" group has no permission scheme. Could that be it? He is in the Default Permissions.

I tried adding the WHJiraUser group to the "Viewers" role below...

And that let "viewer" in. But it also gave him edit access. So I took that off.

George Carvill
Rising Star
November 19, 2012

Hummm...

The screen shots I attached are there when I edit the comment, but not in the view mode.

Nic Brough -Adaptavist-
Community Leader
November 19, 2012

Mmm, you do have a "can log in" group, but it sounds like it may have been renamed as WHJiraUser group.

As admin again, go to "administration -> Users -> Global permissions". There's a line in there that says "Jira Users (Ability to log in to Jira ....)". That will tell you the group, or groups, that can log in. Viewer needs to be in one of them.

Before you leap in though, you need to think a bit more. It sounds like a really easy fix would be to have another group in there (called something like "Read only"), and put viewer in that group, and use the group in your permission scheme. The problem is that ALL new users will be added to that group as soon as it's in there... This could well be fine for "read only" though, it's just that you need to be aware of it.

George Carvill
Rising Star
November 19, 2012

Found the problem.

Needed the JIRA User global permission:

JIRA Users

Ability to log in to JIRA. They are a 'user'. Any new users created will automatically join these groups, unless those groups have JIRA System Administrators or JIRA Administrators permissions.

Note: All users need this permission to log in to JIRA, even if they have other permissions.

That did lead to some other problems where the read-only user could do things I didn't want, but I was mostly able to block them with other methods.

Nic Brough -Adaptavist-
Community Leader
November 19, 2012

Yes, that's what I said, you needed to get them into a login group.
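
The two layers discussed in this thread (the global "JIRA Users" login permission, then the project permission scheme) can be modelled offline to see why a login group that is also used in schemes widens a read-only account. This is an added example, not part of the original posts and not JIRA's own code; the "edit" grant and the sample configuration are constructed assumptions, while the group, role and user names come from the thread.

```python
from dataclasses import dataclass, field

# Constructed sample configuration mirroring the thread; not a real JIRA export.
LOGIN_GROUPS = {"WHJiraUsers"}   # groups holding the global "JIRA Users" permission
ROLE_MEMBERS = {"Viewers": {("group", "Viewers")}}   # project role -> actors
SCHEME = {                       # project permission -> grants in the scheme
    "browse": {("role", "Viewers"), ("group", "WHJiraUsers"), ("user", "viewer")},
    "edit": {("group", "WHJiraUsers")},   # assumed: login group reused for editing
}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


def can_log_in(user, login_groups):
    """Layer 1: the user must be in a group with the global login permission."""
    return bool(user.groups & login_groups)


def matches(user, grant):
    """True if a scheme grant (single user, group or project role) covers the user."""
    kind, value = grant
    if kind == "user":
        return user.name == value
    if kind == "group":
        return value in user.groups
    if kind == "role":
        return any(matches(user, actor) for actor in ROLE_MEMBERS.get(value, ()))
    return False


def effective_permissions(user, login_groups, scheme):
    """Layer 2: scheme grants only matter once the login check has passed."""
    if not can_log_in(user, login_groups):
        return set()
    return {perm for perm, grants in scheme.items()
            if any(matches(user, g) for g in grants)}


def login_group_grants(login_groups, scheme):
    """Audit: project permissions a user gains just by being allowed to log in."""
    found = {}
    for perm, grants in scheme.items():
        hits = sorted(v for kind, v in grants if kind == "group" and v in login_groups)
        if hits:
            found[perm] = hits
    return found
```

With "viewer" only in Viewers the result is an empty set (the login refusal); adding the account to WHJiraUsers yields both browse and edit, whereas a separate login-only group (a hypothetical "read-only") passed in `login_groups` yields browse alone. `login_group_grants` lists the scheme entries that would have to be cleaned up so the login group means only "can log in".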
