Managing global permissions
This table lists the different global permissions and the functions they secure:
Global permission | Explanation |
|---|---|
Jira System administrators | Permission to perform all Jira administration functions. |
Jira administrators | Permission to perform most Jira administration functions. Note that a user with the Jira administrators permission will be able to log in at any time, but may have restricted functions depending on their application access. |
Browse users | Permission to view a list of all Jira user names and group names, share issues, and @mention people on issues. Used for selecting users/groups in popup screens. Enables auto-completion of user names in most 'User Picker' menus and popups. Note that the Assign user permissions also allows a limited version of this on a per-project basis. |
Create shared objects | Permission to share a filter or dashboard globally or with groups of users. Also used to control who can create an agile board. |
Manage group filter subscriptions | Permission to manage (create and delete) group filter subscriptions. |
Bulk change | Permission to execute the bulk operations within Jira: |
Granting global permissions
- In the upper-right corner of the screen, select Administration
> System. - Under Security (the left-side panel), select Global permissions to open the Global Permissions page, which lists Jira's global permissions.
The Add permission box is shown at the bottom of the list (not displayed in the screen capture above). - In the Permission drop-down list, select the global permission you wish to grant.
- In the Group drop-down list, either:
- select the group to which you wish to grant the permission; or
if you wish to grant the permission to non logged-in users, select Anyone on the web. This is not recommended for production systems, or systems that can be accessed from the public Internet such as Cloud.
If you have reached your user limit, you will be able to create new users but it won't have login permission.
- Jira admin doesn't consume a license unless they've been granted specific Jira application access. See Licensing and application access.
Removing global permissions
- In the upper-right corner of the screen, select Administration > System.
- Under Security (the left-side panel), select Global permissions to open the Global Permissions page, which lists Jira's global permissions.
- For each global permission in Jira (indicated on the left of this page), groups which currently have that permission are shown on the right (under the Users / Groups column).
- Locate the global permission you want to remove from a group as well as the group you want to remove that permission from (under Users / Groups) and click the Delete link next to that group.
About Jira System administrators and Jira administrators
People who have the Jira System admins permission can perform all of the administration functions in Jira, while people who have only the Jira admins permission cannot perform functions which could affect the application environment or network. This separation is useful for organizations which need to delegate some administrative privileges (e.g. creating users, creating projects) to particular people, without granting them complete rights to administer the Jira system.
Here is a list of administration tasks that only Jira System administrators (not Jira administrators) can perform:
- View or manage tasks from the the Systems menu.
- Configure Jira's SMTP mail server for notifications (but they can configure POP/IMAP mail servers for the receipt of email messages that create issue comments and new issues, and fully administer email notification schemes).
- Configure a CVS source code repository (but they can associate a project with a configured repository).
- Configure listeners.
- Configure services (except for POP/IMAP services).
- Configure issue cloning.
- Change the index path (but they can reindex and optimize the index).
- Run the integrity checker.
- Access logging and profiling information.
- Access the scheduler.
- Export/backup Jira data to .
- Import/restore Jira data from .
- Import workflows into Jira.
- Configure attachments (note that Jira administrators can set the size limits of attachments, enable thumbnails, and enable ZIP support).
- Add gadgets to the gadget directory.
- Configure user directories (e.g. ).
- Configure Application Links that use an authentication type other than OAuth.
- View user sessions.
- Access license details.
- Grant/revoke the Jira System administrators global permission.
- Edit (or Bulk Edit) groups that have the Jira System administrators global permission.
- Edit, change the password of or delete a user who has the Jira System administrators global permission.
- Upload and/or install an app.
- Configure an announcement banner.
It is recommended that people who have the Jira administrators permission (and not the Jira System administrators permission) are not given direct access to the Jira filesystem or database.
Separating Jira System administrators from Jira administrators in default Jira installations
By default, the jira-administrators groups has both the Jira administrators permission and the Jira System administrators permission. Also by default, the user account created during the Jira setup wizard is a member of this jira-administrators group.
If you need some people to have only the Jira administrators permission (and not the Jira System administrators permission), you will need to use two separate groups, e.g.:
- Create a new group (e.g. called
jira-system-administrators). - Add to the
jira-system-administratorsgroup everyone who needs to have the Jira System administrators permission. - Grant the Jira System administrators permission to the
jira-system-administratorsgroup. - Remove the Jira System administrators permission from the
jira-administratorsgroup. - (Optional, but recommended for ease of maintenance) Remove from the
jira-administratorsgroup everyone who is a member of thejira-system-administratorsgroup.
Troubleshooting permissions with the Jira admin helper
The Jira admin helper can help you diagnose why a user can or cannot see a certain issue.
For all of the following procedures, you must be logged in as a user with the Jira administrators global permission.
To open admin helper:
- In the upper-right corner of the screen, select Administration > System.
- Under Permission helper (the left-side panel), select Permission helper.
- Enter the username of the user (leave blank for anonymous users), an issue key (for example, an issue that the user can/cannot see) and the permission to check.
- Select Submit.