How to restrict project access for teams in Jira Cloud
Since Jira is usually shared by different teams, it's common to have the need to restrict project access. Here we'll illustrate how to restrict project access so that each group can only access their corresponding project in Jira Cloud.
Before restricting access, there are three concepts that are important to understand: permission schemes, groups, and project roles. We'll then use these to restrict access to projects.
The permission scheme (Jira settings > Issues > Permission schemes) dictates all the permissions in the projects it's associated with. To be able to access a project and view its issues, you need the Browse Projects permission on the permission scheme associated with the project.
See Managing project permissions for more information.
Groups are global, meaning that if you're a member of a group like administrators, you're a member of the group for all of Jira. You can create and manage groups at Jira settings > User management > Groups.
If only users of the group Teams-in-Space should have access to the Teams In Space project, you need to make sure that that group—and no other group—has Browse Projects permission on the permission scheme associated with the project.
See Create and update groups for more information.
Project roles work like groups, but they're not global. The membership of project roles is defined in the project settings and is valid only for that project.
To create a new project role, go to Jira settings > System > Project roles. To configure project role membership, go to a project and choose Project settings > People.
See Managing project roles for more information.
We're going to use a scenario to demonstrate how this works. We have three projects: Teams in Space (TIS), Human Resources (HR), and Technical Crew (TC).
In our example we also have 3 groups: Human-Resources, Teams-in-Space, and Technical-Crew. Each group should only be able to access their corresponding project. By using project roles as well as groups to achieve this, we'll only need to use one permission scheme.
Create groups if you don't have any
If you already have a group or groups set up, you can skip this step. If not, you'll need at least one group to assign to our project role later on. You need to be an Atlassian Cloud site admin to create groups. If you're not a site admin, ask your site admin to set up any groups you need.
To create groups:
- Go to Jira settings > User management > Groups.
- Choose Create group, give the group a name and choose Create group.
- Click Add to add people to your group.
- Add people (you can add multiple people) and choose Add user.
Configure the permission scheme
Create a project role
We're going to create a new project role and call it "Browse". This is the project role that's going to grant our groups access to the projects.
- Go to Jira settings > System > Project roles.
- At the bottom of the page, add a Name and Description and choose Add project role (You can use an existing project role if you like. We're creating a new one for clarity, though).
Add the project role to the Browse Projects permission
- Go to Jira settings > Issues > Permission schemes
- Choose Permissions for the Default Permission Scheme (or the permission scheme being used for the projects).
- Click Edit, choose Project Role, and select the Browse project role we previously created.
- Click Grant.
We now have a permission scheme with the Browse project role configured for the Browse project permission.
Remove browse projects permission for Any logged in user
If you don't complete this step, any logged in user will still be able to access all projects associated with that permission scheme.
- Choose Remove next to the Browse Projects permission
- Select Application access - Any logged in user
- Click Remove
Add the group to the project role
At this point, all users have lost access to the projects. We're now going to add the groups to the appropriate project role to give them access again. As we've explained before, the membership of project roles is only valid for that project.
Now it's time to go to the People settings of each project and add the corresponding group to the Browse project role.
For example, for the Teams in Space project we would:
Go to Project settings > People
Choose Add people
Start typing "Teams-In-Space" then select the group
Choose the Browse project role and click Add
Now, all users of the Teams-In-Space group have access to the Teams in Space project. Repeat this for the other projects, choosing the appropriate group in each project.
All the steps listed in this KB are available in the video below:
If you need any help implementing this on your site, you can always check our documentation and get in touch with our support team!