Managing global permissions
This table lists the different global permissions and the functions they secure:
| Global permission | Explanation |
|---|---|
| Jira System administrators | Permission to perform all Jira administration functions. |
| Jira administrators | Permission to perform most Jira administration functions. Note that a user with the Jira administrators permission will be able to log in at any time, but may have restricted functions depending on their application access. |
| Browse users and groups | Permission to view a list of all Jira user names and group names in user picker menus and pop-up screens. It also enables you to @mention people on issues, as mentioning users works the same way as selecting them in a user picker. There's a feature flag ( Note that the Assign user permissions also allows for limited, per-project control of this permission. |
| Create shared objects | Permission to share a filter or dashboard globally or with groups of users. Also used to control who can create an agile board. |
| Manage group filter subscriptions | Permission to manage (create and delete) group filter subscriptions. |
| Bulk change | Permission to execute the bulk operations within Jira: |
Granting global permissions
- In the upper-right corner of the screen, select Administration, then System.
- Under Security (the left-side panel), select Global permissions to open the Global Permissions page, which lists Jira's global permissions.
  The Add permission box is shown at the bottom of the list.
- In the Permission drop-down list, select the global permission you wish to grant.
- In the Group drop-down list, either:
  - select the group to which you wish to grant the permission; or
  - if you wish to grant the permission to non logged-in users, select Anyone on the web. This is not recommended for production systems, or systems that can be accessed from the public Internet such as Cloud.
- If you have reached your user limit, you will be able to create new users but they won't have login permission.
- A Jira admin doesn't consume a license unless they've been granted specific Jira application access. See Licensing and application access.
Removing global permissions
- In the upper-right corner of the screen, select Administration, then System.
- Under Security (the left-side panel), select Global permissions to open the Global Permissions page, which lists Jira's global permissions.
- For each global permission in Jira (indicated on the left of this page), groups which currently have that permission are shown on the right (under the Users / Groups column).
- Locate the global permission you want to remove from a group as well as the group you want to remove that permission from (under Users / Groups) and click the Delete link next to that group.
About Jira System administrators and Jira administrators
People who have the Jira System admins permission can perform all of the administration functions in Jira, while people who have only the Jira admins permission cannot perform functions which could affect the application environment or network. This separation is useful for organizations which need to delegate some administrative privileges, such as creating users or creating projects, to particular people, without granting them complete rights to administer the Jira system.
Here is a list of administration tasks that only Jira System administrators (not Jira administrators) can perform:
- View or manage tasks from the Systems menu.
- Configure Jira's SMTP mail server for notifications (but Jira administrators can configure POP/IMAP mail servers for the receipt of email messages that create issue comments and new issues, and fully administer email notification schemes).
- Customize email templates.
- Configure a CVS source code repository (but they can associate a project with a configured repository).
- Configure listeners.
- Configure services (except for POP/IMAP services).
- Configure issue cloning.
- Change the index path (but they can reindex and optimize the index).
- Access logging and profiling information.
- Access the scheduler.
- Export/backup Jira data to .
- Import/restore Jira data from .
- Import workflows into Jira.
- Configure attachments (note that Jira administrators can set the size limits of attachments, enable thumbnails, and enable ZIP support).
- Add gadgets to the gadget directory.
- Configure user directories (e.g. ).
- Configure Application Links that use an authentication type other than OAuth.
- View user sessions.
- Access license details.
- Grant/revoke the Jira System administrators global permission.
- Edit (or Bulk Edit) groups that have the Jira System administrators global permission.
- Edit, change the password of or delete a user who has the Jira System administrators global permission.
- Upload and/or install an app.
- Configure an announcement banner.
- Configure index settings on OpenSearch.
- Enable and disable external user management.
- Display URL parameters in security dialogs.
- Set the number of index snapshots.
New properties that allow you to apply stricter global permissions for the following features. All properties are disabled by default:
- Changing JMX settings.
- Enabling and disabling certain dark features.
- Loading recovery indexes from the Jira home directory.
It is recommended that people who have the Jira administrators permission (and not the Jira System administrators permission) are not given direct access to the Jira filesystem or database.
Stricter global permissions
In Jira 11.2, the stricter permissions are opt-in, but they'll become opt-out in a future major version of Jira Data Center.
Starting from Jira 11.2, we’ve clarified the distinction between the global administrative permissions, Jira administrator and Jira System administrator, and introduced new application properties. You can use them to ensure that only users with the highest level of administrative access can perform sensitive operations.
System administrators can update these properties in the advanced settings in Jira. By default, they’re set to false and let you opt in to the updated role requirements at your own pace. You can test them by setting the property value to true. Enable each property individually to apply stricter permissions.
| Feature | New permission | Property |
|---|---|---|
| | Only Jira System administrator can manage JMX settings. | |
| Enabling or disabling certain dark features that impact security, infrastructure, core configuration, or expose sensitive system-level data. | Only Jira System Administrator role can manage dark features. | |
| Loading recovery indexes from Jira home directory. Currently, it's possible to load recovery indexes from an absolute path, including locations on the local file system. To align with the approach used for backup and restore, you can require that recovery indexes are loaded only from the Jira home directory. | Only allow loading an index from a path relative to Jira home. | |
Separating Jira System administrators from Jira administrators in default Jira installations
Starting with Jira 11.2, fresh Jira installations include two separate groups by default: jira-administrators and jira-system-administrators. The initial admin account is a member of both groups. The jira-administrators group now grants only regular administrator permissions, while the jira-system-administrators group grants system administrator permissions.
If you need some people to have only the Jira administrators permission (and not the Jira System administrators permission), you will need to use two separate groups, for example:
- Create a new group (for example, called jira-system-administrators).
- Add to the jira-system-administrators group everyone who needs to have the Jira System administrators permission.
- Grant the Jira System administrators permission to the jira-system-administrators group.
- Remove the Jira System administrators permission from the jira-administrators group.
- (Optional, but recommended for ease of maintenance) Remove from the jira-administrators group anyone who is a member of the jira-system-administrators group.
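One way to check the outcome of the steps above, as an added example that is not Atlassian's code: the script audits a snapshot of global permission grants and group membership for grants to Anyone on the web, groups that hold both administrator permissions, and system administrators left in admin-only groups. The dictionary layout, the jira-software-users group and the usernames are constructed assumptions, not a Jira export format.

```python
# Added example: audit global permission grants and group membership against
# the admin / system-admin separation. Input layout is an assumption.
SYSADMIN = "Jira System administrators"
ADMIN = "Jira administrators"
ANYONE = "Anyone on the web"

# Constructed sample: what the Global permissions page might list, and members.
SAMPLE_GRANTS = {
    SYSADMIN: ["jira-system-administrators", "jira-administrators"],
    ADMIN: ["jira-administrators"],
    "Browse users and groups": ["jira-software-users", ANYONE],
}
SAMPLE_MEMBERS = {
    "jira-system-administrators": ["alice"],
    "jira-administrators": ["alice", "bob"],
}


def audit(grants, members):
    """Return (severity, message) findings for a grants/membership snapshot."""
    findings = []
    sys_groups = set(grants.get(SYSADMIN, []))
    admin_groups = set(grants.get(ADMIN, []))
    # Global permissions open to non-logged-in users.
    for perm, groups in grants.items():
        if ANYONE in groups:
            findings.append(("high", f"'{perm}' is granted to {ANYONE}"))
    # A group holding both permissions means no delegation boundary exists.
    for group in sorted(sys_groups & admin_groups):
        findings.append(("high", f"group '{group}' holds both {ADMIN} and {SYSADMIN}"))
    # Optional cleanup step: system admins still listed in admin-only groups.
    sys_users = {u for g in sys_groups for u in members.get(g, [])}
    for group in sorted(admin_groups - sys_groups):
        both = sorted(sys_users & set(members.get(group, [])))
        if both:
            findings.append(("info", f"'{group}' also contains system administrators: {', '.join(both)}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_GRANTS, SAMPLE_MEMBERS):
        print(f"[{severity}] {message}")
```

The sample snapshot represents a system where the Jira System administrators permission has not yet been removed from jira-administrators, so both high findings fire; once that grant is removed, only the optional membership cleanup remains.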
Troubleshooting permissions with the Jira admin helper
The Jira admin helper can help you diagnose why a user can or cannot see a certain issue.
For all of the following procedures, you must be logged in as a user with the Jira administrators global permission.
To open admin helper:
- In the upper-right corner of the screen, select Administration, then System.
- Under Permission helper (the left-side panel), select Permission helper.
- Enter the username of the user (leave blank for anonymous users), an issue key (for example, an issue that the user can/cannot see) and the permission to check.
- Select Submit.