How can I create a read-only user

I want to create a user called "Viewer" with a password who will only be able to read Issues, not change anything.

I have done so, and have put him in a Group called "Viewers."

In the test project, the user has these permissions:

*Browse Projects

*View Workflow

In my test project, the viewer is assigned to the "Viewers" project role.

But when I try to log in as "viewer" I am told I don't have permission.

1 answer

1 accepted

1 vote

You say "the user has these permissions"

That's a little too simple, as you don't explain exactly how they get these permissions. It is a two layered thing and you need to be clear to follow it through.

From first principles, could you go back into the system as Admin and then

  • Go to the project
  • Check the permission scheme is correctly associated with the project.
  • Open the permission scheme (directly from the project)
  • Look at the "browse" permission. List everything in there (e.g. Role:developer, Group:fred, Assignee)
  • Now go back to the user and look at their Roles and Groups

One other test too - edit the browse permission and explicitly add "user: viewer" and re-test it.

Finally, are you using "security levels" at all?

From first principles, could you go back into the system as Admin and then
Go to the project
Check the permission scheme is correctly associated with the project.

>> Default Permission Scheme is assigned

Open the permission scheme (directly from the project)
Look at the "browse" permission. List everything in there (e.g. Role:developer, Group:fred, Assignee)

>> Project Role(users), several groups, and the Single User (viewer)

Now go back to the user and look at their Roles and Groups

>> The user "viewer" is a member of the Group "Viewers"

One other test too - edit the browse permission and explicitly add "user: viewer" and re-test it.

>> Done, as you can see above

Finally, are you using "security levels" at all?

>> Dunno. I don't see any other settings than Issue permission

Ok, the second line makes the groups and roles irrelevant - "single user (viewer)" should make the issue visible to that user. So you're definitely logging in as that user and it's not seeing the issue?

On the security levels, go back to the project administration and look at the tab below "permissions" where you set the permission scheme. On that tab, does it say "Issue security is currently not enabled for this project." or something else? (Or does the tab not appear at all?)

So you're definitely logging in as that user and it's not seeing the issue?

No. The problem is that when I try to log in I get this message:

You do not have a permission to log in. If you think this is incorrect, please contact your JIRA administrators.

I am terribly sorry, I completely missed that before.

Your user "viewer" does not have permission to log in. You need to grant that to them.

The usual default setup is to have the group "jira users" set up as the "can log in" group. So you need to add "viewer" into that group and you'll be fine. Everything else you have done looks absolutely spot on.

There's nothing wrong with that, but unfortunately, the default is then to use jira-users in other places. By the time people realise this is a dreadful design, it's too late, and jira-users is scattered through permission schemes, giving people access to all sorts of things, and it's a pain to un-pick the mess.

I'd test this by adding viewer to jira-users, and if I'm right about that, then you'll probably want to go back over ALL the places jira-users is used, and remove them, so that jira-users group means ONLY "can log in".

I don't have a "jira users" group.

We are using Active Directory to manage real users. I added "viewer" as a JIRA-only user.

Below are the groups that contain the string "user."

Forget "Mac Users."

WHJiraUsers is the AD group that contains our users.

"user" is the name of the local group I put "viewer" into.

I notice that the "user" group has no permission scheme. Could that be it? He is in the Default Permissions.

I tried adding the WHJiraUser group to the "Viewers" role below...

And that let "viewer" in. But it also gave him edit access. So I took that off.

Hummm...

The screen shots I attached are there when I edit the comment, but not in the view mode.

Mmm, you do have a "can log in" group, but it sounds like it may have been renamed as WHJiraUser group.

As admin again, go to "administration -> Users -> Global permissions". There's a line in there that says "Jira Users (Ability to log in to Jira ....)". That will tell you the group, or groups, that can log in. Viewer needs to be in one of them.

Before you leap in though, you need to think a bit more. It sounds like a really easy fix would be to have another group in there (called something like "Read only"), and put viewer in that group, and use the group in your permission scheme. The problem is that ALL new users will be added to that group as soon as it's in there... This could well be fine for "read only" though, it's just that you need to be aware of it.

Found the problem.

Needed the JIRA User global permission:

JIRA Users

Ability to log in to JIRA. They are a 'user'. Any new users created will automatically join these groups, unless those groups have JIRA System Administrators or JIRA Administrators permissions.

Note: All users need this permission to log in to JIRA, even if they have other permissions.

That did lead to some other problems where the read-only user could do things I didn't want, but I was mostly able to block them with other methods.

Yes, that's what I said, you needed to get them into a login group.
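
The two layers discussed in this thread (the global "JIRA Users" login permission first, then the project permission scheme) can be modelled offline. The following is an added illustration, not part of any post above and not Jira's code or API; the group, role and permission names in the sample data are constructed, loosely following the thread.

```python
# Added illustration: a constructed model of the two layers, not Jira code or its API.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

def applies(user, holder, roles):
    """Does one grant holder, e.g. ("group", "Viewers"), cover this user?"""
    kind, value = holder
    if kind == "user":
        return value == user.name
    if kind == "group":
        return value in user.groups
    if kind == "role":  # a project role is itself a list of users and groups
        return any(applies(user, member, roles) for member in roles.get(value, []))
    return False

def effective(user, login_groups, scheme, roles):
    """Layer 1: global login permission. Layer 2: project permission scheme."""
    if not (user.groups & login_groups):
        return {"can_login": False, "project": set()}
    granted = {perm for perm, holders in scheme.items()
               if any(applies(user, h, roles) for h in holders)}
    return {"can_login": True, "project": granted}

def login_group_overgrants(login_groups, scheme, roles, allowed=("BROWSE_PROJECTS",)):
    """Permissions beyond `allowed` that mere membership of a login group confers."""
    findings = []
    for group in sorted(login_groups):
        probe = User("<any member>", {group})
        for perm, holders in scheme.items():
            if perm not in allowed and any(applies(probe, h, roles) for h in holders):
                findings.append((group, perm))
    return sorted(findings)

# Constructed sample data loosely following the thread (names are assumptions).
ROLES = {"Users": [("group", "WHJiraUsers")], "Viewers": [("group", "Viewers")]}
SCHEME = {
    "BROWSE_PROJECTS": [("role", "Users"), ("role", "Viewers"), ("user", "viewer")],
    "EDIT_ISSUES": [("role", "Users")],
}
LOGIN_GROUPS = {"WHJiraUsers", "Read only"}

if __name__ == "__main__":
    viewer = User("viewer", {"Viewers"})
    print(effective(viewer, {"WHJiraUsers"}, SCHEME, ROLES))   # cannot log in
    viewer.groups.add("Read only")
    print(effective(viewer, LOGIN_GROUPS, SCHEME, ROLES))      # browse only
    print(login_group_overgrants(LOGIN_GROUPS, SCHEME, ROLES))
```

The last call lists every place where a login group also confers more than browsing, which is the clean-up the answer recommends before a read-only account is placed in that group.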
