Permission conflict. Probably a bug.

Why can users who are not related to the project see this project on the Browse Projects page? There is no logical sense in it.

I tried to work it out with the Reporter Rule (show only projects with create permission).
https://confluence.atlassian.com/display/JIRA/Current+Reporter+Browse+Project+Permission

But the Current Assignee Rule and the Reporter Rule (show only projects with create permission) are conflicting.

How can this problem be solved?

I need a few assignees to see only the tasks created for them and, at the same time, to see only the projects in which they are involved on the Browse Projects page.

That is quite sensible.

Thank you in advance.

5 answers

1 accepted

I solved this problem.

In DefaultIssueSecurityScheme / Edit Issue Security Levels

  1. Add "Default" Level with rule Reporter (show only projects with create permission) (Anyone) and Current Assignee.
  2. Apply as Default for the project DefaultIssueSecurityScheme and associate all issues

Thanks all

ps: all very confusing and not logical

Hi Eugeniy

still trying to understand the goal you're aiming at.

ok. How can I make some users only see tasks that were created by them without Current Assignee rule?

help me

this is simple.

use issue level security to get this. add reporter and a role of project users that should see this as well. i.e. developers.

i built something similar on a Support Project.

Permission Scheme says "Browse Project" = jira-users

Issue Level Security

  • Reporter & Support (default) & not editable by reporter (Permission Scheme: deny set issue security for non admin users )
  1. add Reporter
  2. add Role (i.e. Supporter)
  3. add Current Assignee

for more info read https://confluence.atlassian.com/display/JIRA/Configuring+Issue-level+Security

hope this helps proceeding

this is not a bug. you may have misunderstood the complex configuration options

cheers

once you apply your new issue level scheme to your project these settings will take effect.

only the reporter, the current assignee or in that case users that are in Supporters role can view the issue.

still every active jira user (group jira-user) can browse the project. but as the issues now hold a security level "this your solution is" (like yoda would say)

heh.

example:

  1. create user "test"
  2. add user "test" to group "jira-users" (only for auth)
  3. create project "Project_1" with empty roles (no groups or users)
  4. create project "Project_2" with empty roles (no groups or users)
  5. create role "Supporter" for projects
  6. add user "test" to role "Supporter" for project "Project_1" (only)
    PS: project "Project_2" is still empty roles
  7. See DefaultPermissionScheme. Add permission "Current Assignee" to rule "Browse Projects"
  8. Login as user "test". See Browse Project on /secure/BrowseProjects.jspa#all
    What is there? Project_1 (true) and Project_2 (false, why?)

ps: issue can not be created for assignee "test" to project "project_2" (true).
why user "test" sees "Project_2" in the list of projects (Browse Projects)?

example 2:

  1. ...
  2. ...
  3. ...
  4. ...
  5. ...
  6. ...
  7. Add permission "Current Assignee" to rule "Browse Projects".
    Add permission "Reporter (show only projects with create permission)" to rule "Browse Projects".
    PS: Rule "Create Issues" has no role "Supporter". User "test" can't create issue
  8. Login as user "test". See Browse Project on /secure/BrowseProjects.jspa#all
    What is there? Project_1 (true) and Project_2 (false, why?)

try this:

add new group "testgroup1" and make user test a member.

open permission scheme.

remove "current assignee" from "Browse Project" and add "Role: User" (not Group) instead.

"Create Issues" should have "group: jira-users" or "role : users"

now go to your project administration for Project_1 and open Roles:

add group "testgroup1" to the Users role.

make sure project_2 roles administration doesn't have "testgroup1" listed

try again and let me know

hmmm i think it is pretty much logical (no offense)

sorry for all the misunderstanding right here...but sometimes asking a good question is much harder than finding a relevant answer isn't it?

glad we could help anyway. enjoy your jira

0 vote

What do you mean by "conflicting"? And what does your "browse" permission say for the projects?

If you have set up your project so that "Browse" is

  • Reporter (show only projects with create permission)
  • Assignee
Then I'd expect everyone to be able to see the project, but only the issues that they have reported, or are currently assigned to. Is that what you are getting? It is correct - users must be able to see the project if they can use it in any way, even if they have not yet reported or been assigned anything in it.

Reporter (show only projects with create permission) doesn't work with Current Assignee. The user is not related to any project role. And is not related to a group that could be referred to a project role.

He is not related to the project, but at the same time he can see it in Browse projects.

Why is it so?

The Current Assignee Rule should give a possibility to see someone's tasks in the project, if this user is added to some project role.

but in practice the user can see all the projects in Browse projects because of the Current Assignee Rule.

Is this logically right? The user hasn't any role in the project, but he can see it in Browse projects.

> Reporter (show only projects with create permission) doesn't work with Current Assignee

I'm afraid I don't understand what you mean. Those are two separate options for the rule "does this person have this permission". They don't have anything to do with each other, apart from being on the same list of options when you say "grant permission X to <option>". They don't work together, they're simply options on a list.

Skipping over that though, you then say "he is not related to the project, but can see it in browse projects"

That is absolutely correct for the "reporter" permission. The reasoning is simple - if the user can CREATE issues in the project, then they need to be able to see the project. Not all the issues in it - they won't see any other issues, only the ones they create, but they need to be able to see the project to use it.

It doesn't matter about the user's roles, groups or anything else. You're granting them the right to see issues in a project via the reporter permission, so they can see the project.

If there is only Current Assignee for Browse Projects, then why the user can see the projects which he is not related to?

Don't take in account (show only projects with create permission). I was compelled to try this rule.

I can't create a task for a non-related to the project user.

So why does the Current Assignee Rule give him a possibility to see ALL the projects?

"Reporter" permission works correctly, but it doesn't work mutually with Current Assignee permission for Browse Projects

Problem in Current Assignee permission

You are missing the point.

Again. It does not matter if the user is named in the projects. The combination of rights does not matter.

You have granted them the right to create issues and/or the right to be assigned issues by one route or another. Therefore they can see the project because they need the access in order to use those rights.

Yes, it does.

Unless someone has made significant modifications to the core of your Jira, the combination of rights is not having any effect.

Try testing them completely separately. You'll find the behaviour is coming entirely from one of them.

Edit Permissions — Default Permission Scheme

Add "Current Assignee" to Browse Projects

user "test" is not added to any role of the project or group. he can only login to jira

Why user "test" can see the ALL projects????

on page /secure/BrowseProjects.jspa#all

Because you've allowed the assignee to see the issues they are assigned to, so they see all the projects using that permission scheme.

I can not create an issue and assign that user "test". it is right.

so why does he see the projects on issues that can not work?

you understand. this user does not have projects.

Why Rule "Current Assignee" gives the ability to view full list of projects to the user who does not have any project?

on page /secure/BrowseProjects.jspa#all

ok. How can I make some users only see tasks that were created by them without Current Assignee rule?

help me

the solution not found
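The behaviour argued over in this thread, as an added example that is not part of any post and is not Jira's own code: a simplified Python model of the two checks involved, project listing under "Browse Projects" and per-issue visibility under an issue security level. The grant strings, function names and the users "dev" and "alice" are assumptions made for illustration; "test", "Project_1" and "Project_2" follow the thread's example.

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    key: str
    roles: dict = field(default_factory=dict)   # role name -> set of users
    browse: list = field(default_factory=list)  # grants on "Browse Projects"
    create: list = field(default_factory=list)  # grants on "Create Issues"
    level: list = field(default_factory=list)   # default issue security level

@dataclass
class Issue:
    project: Project
    reporter: str
    assignee: str

def _matches(grant, user, project, issue=None):
    kind, _, name = grant.partition(":")
    if kind == "role":
        return user in project.roles.get(name, set())
    if kind in ("assignee", "reporter"):
        # Issue-dependent grant: with no issue in hand (the project list)
        # it cannot be ruled out, so it matches every logged-in user.
        return issue is None or getattr(issue, kind) == user
    if kind == "reporter-create-only":
        if issue is None:  # project list: require "Create Issues" as well
            return any(_matches(g, user, project) for g in project.create)
        return issue.reporter == user
    return False

def project_listed(user, project):
    """Would the project appear on the Browse Projects page for this user?"""
    return any(_matches(g, user, project) for g in project.browse)

def issue_visible(user, issue):
    """Browse permission AND (no security level OR member of the level)."""
    p = issue.project
    can_browse = any(_matches(g, user, p, issue) for g in p.browse)
    in_level = not p.level or any(_matches(g, user, p, issue) for g in p.level)
    return can_browse and in_level

def build(browse, level=()):
    # Constructed data: "test" and "dev" hold role Users in Project_1 only.
    roles = {"Users": {"test", "dev"}}
    p1 = Project("Project_1", roles, list(browse), ["role:Users"], list(level))
    p2 = Project("Project_2", {}, list(browse), ["role:Users"], list(level))
    return p1, p2
```

With `build(["assignee"])` both projects are listed for "test"; with `build(["role:Users"], ["reporter", "assignee"])` only Project_1 is listed, and an issue assigned to "test" is hidden from "dev" even though "dev" can browse the project.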
