Documentation for JIRA 6.3 EAP developer (EAP) releases only. Not using this? See below:
(JIRA 6.2.x documentation | JIRA OnDemand documentation | earlier versions of JIRA)

Issue security levels allow you to control who can see individual issues within a project (subject to the project's permissions).

An issue security level is a named collection of users. Issue security levels are created within issue security schemes, which are then associated with projects. Once an issue security scheme has been associated with a project, its security levels can be applied to issues in that project (note, sub-tasks will inherit the security level of their parent issue). Those issues will then only be accessible to members of that security level.

A security level's members may consist of:

  • Individual users
  • Groups
  • Project roles
  • Issue roles such as 'Reporter', 'Project Lead', and 'Current Assignee'
  • 'Anyone' (e.g. to allow anonymous access)
  • A (multi-)user picker custom field.
  • A (multi-)group picker custom field. This can either be an actual group picker custom field, or a (multi-)select-list whose values are group names.

Only users with the project-specific 'Set Issue Security' permission can apply a security level to an issue, regardless of whether they are members of the security level.

Why use issue security levels?

As an example, a company may have a public instance of JIRA running. Within this instance they may have several projects that external people (customers) can browse. However, it may not be appropriate to show all issues to the customers. To achieve this you could:

  • Create an issue security scheme.
  • Create an issue security level named 'Private' for this scheme.
  • Add appropriate people to the 'Private' security level.
  • Associate the issue security scheme with the relevant projects.
  • Set the security level of specific issues to 'Private'.

Creating an issue security scheme

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Issues. Select Issue Security Schemes to open the Issue Security Schemes page, which lists all the issue security schemes currently available in your JIRA installation.
    (tick) Keyboard shortcut: g + g + start typing issue security schemes
  3. Click the Add Issue Security Scheme button.
    Screenshot 1: the 'Issue Security Schemes' page
  4. In the Add Issue Security Scheme form, enter a name for the issue security scheme, and a short description of the scheme. Then click the Add button.
  5. You will return to the Issue Security Schemes page, which now contains the newly added scheme.

Adding a security level to an issue security scheme

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Issues. Select Issue Security Schemes to open the Issue Security Schemes page, which lists all the issue security schemes currently available in your JIRA installation.
    (tick) Keyboard shortcut: g + g + start typing issue security schemes
  3. Click the name of any scheme, or the link Security Levels (in the Operations column) to open the Edit Issue Security Levels page.
  4. In the Add Security Level box, enter a name and description for your new security level and then click Add Security Level.
    Screenshot 2: the 'Edit Issue Security Levels' page

Setting the Default Security Level for an issue security scheme

You can choose to specify a Default Security Level for your issue security scheme.

The Default Security Level is used when issues are created. If the reporter of an issue does not have the permission 'Set Issue Security', then the issue's security level will be set to the Default Security Level. If the project's issue security scheme does not have a Default Security Level, then the issue's security level will be set to 'None'. (A security level of 'None' means that anybody can see the issue.)

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Issues. Select Issue Security Schemes to open the Issue Security Schemes page, which lists all the issue security schemes currently available in your JIRA installation.
    (tick) Keyboard shortcut: g + g + start typing issue security schemes
  3. Click the name of any scheme or the link Security Levels to open the Edit Issue Security Levels page (above).
    • To set the 'default' security level for an issue security scheme, locate the appropriate Security Level and click its Default link (in the Operations column).
    • To remove the 'default' security level from an issue security scheme, click the 'Change default security level to "None"' link (near the top of the page).
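
The Default Security Level rule above, together with the visibility rules from the top of this page (project permissions, sub-task inheritance, the 'None' level), as a small Python model. This is an added example, not JIRA code: the class and function names are hypothetical, project-role and custom-field members are left out, and it assumes that a reporter who has 'Set Issue Security' gets the level they pick and that issue roles are resolved against the issue being viewed.

```python
# Simplified model of this page's rules, not JIRA's code; project roles and custom fields omitted.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Level:
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    issue_roles: set = field(default_factory=set)  # "reporter", "assignee"
    anyone: bool = False                           # the 'Anyone' member

@dataclass
class Scheme:
    levels: dict                   # level name -> Level
    default: Optional[str] = None  # Default Security Level, if one is set

@dataclass
class Issue:
    reporter: str
    assignee: Optional[str] = None
    level: Optional[str] = None       # None models the 'None' level
    parent: Optional["Issue"] = None  # set on sub-tasks

def level_on_create(scheme, can_set_security, requested=None):
    # Without 'Set Issue Security': scheme default, else 'None'. With it (assumed): chosen level.
    return requested if can_set_security else scheme.default

def effective_level(issue):
    # Sub-tasks inherit the security level of their parent issue.
    return effective_level(issue.parent) if issue.parent else issue.level

def can_view(user, groups, can_browse, issue, scheme):
    if not can_browse:           # levels only narrow the project's permissions
        return False
    name = effective_level(issue)
    if name is None:             # 'None': no restriction beyond the project's
        return True
    lvl = scheme.levels[name]
    # Anonymous (user=None) must not match an empty assignee; only 'Anyone' admits it.
    # Assumption: issue roles are resolved against the issue being viewed.
    member = user is not None and (
        user in lvl.users or bool(lvl.groups & groups)
        or ("reporter" in lvl.issue_roles and user == issue.reporter)
        or ("assignee" in lvl.issue_roles and user == issue.assignee))
    return lvl.anyone or member

# Constructed sample: the 'Private' level from this page's example.
SCHEME = Scheme({"Private": Level(groups={"staff"}, issue_roles={"reporter", "assignee"})},
                default="Private")
```

The anonymous-user guard is the part worth checking in any script that audits security levels: an unassigned issue with 'Current Assignee' in its level must not become visible to a viewer who is not logged in.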

Adding Users/Groups/Project Roles to a Security Level

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Issues. Select Issue Security Schemes to open the Issue Security Schemes page, which lists all the issue security schemes currently available in your JIRA installation.
    (tick) Keyboard shortcut: g + g + start typing issue security schemes
  3. Click the name of any scheme or the link Security Levels to open the Edit Issue Security Levels page (above).
  4. Locate the appropriate security level and click its Add link (in the Operations column), which opens the Add User/Group/Project Role to Issue Security Level page.
  5. Select the appropriate user, group or project role, then click the Add button.
  6. Repeat steps 4 and 5 until all appropriate users and/or groups and/or project roles have been added to the security level.

Assigning an issue security scheme to a project

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Projects. Select the name of the project of interest. The Project Summary page is displayed.
    (tick) Keyboard shortcut: g + g + start typing projects
  3. In the Permissions section of the Project Summary page, click the link corresponding to the Issues label to open the Associate Issue Security Scheme to Project page.
    (info) This will either be the name of the project's current issue security scheme, or the word None.
  4. Select the issue security scheme that you want to associate with this project.
  5. If there are no previously secured issues (or if the project did not previously have an issue security scheme), skip the next step.
  6. If there are any previously secured issues, select a new security level to replace each old level. All issues with the security level from the old scheme will now have the security level from the new scheme. You can choose 'None' if you want the security to be removed from all previously secured issues.
  7. Click the 'Associate' button to associate the project with the issue security scheme.

    If the Security Level field is not displayed on the issue's screen after configuring the Issue-Level Security, use the Where is My Field? tool to see why it is not being displayed.

    If the Security Level field has been hidden on purpose, please see the limitations of doing so in Hiding or showing a field.

Deleting an issue security scheme

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Issues. Select Issue Security Schemes to open the Issue Security Schemes page, which lists all the issue security schemes currently available in your JIRA installation.
    (tick) Keyboard shortcut: g + g + start typing issue security schemes
  3. Click the Delete link (in the Operations column) for the scheme that you want to delete.
    (info) You cannot delete an issue security scheme if it is associated with a project. To do so, you must first remove any associations between the issue security scheme and projects in your JIRA installation — please refer to Assigning an Issue Security Scheme.
  4. On the confirmation page, click Delete to confirm the deletion. Otherwise, click Cancel.

Copying an issue security scheme

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Issues. Select Issue Security Schemes to open the Issue Security Schemes page, which lists all the issue security schemes currently available in your JIRA installation.
    (tick) Keyboard shortcut: g + g + start typing issue security schemes
  3. Click the Copy link (in the Operations column) for the scheme that you want to copy. A new scheme will be created with the same security levels and the same users/groups/project roles assigned to them.
    (info) Your new scheme will be called 'Copy of ...'. You can edit your new scheme to give it a different name if you wish.

This table lists the different global permissions and the functions they secure:

Global Permission

Explanation

JIRA System Administrators

Permission to perform all JIRA administration functions.
(warning) The number of users that count towards your JIRA license is the sum of all users (including users in groups) that have the JIRA System Administrators permission, even if they do not also have the JIRA Administrators or JIRA Users permissions. A user with JIRA System Administrators will be able to log in to JIRA without the JIRA Users permission, but may not be able to perform all regular user functions (e.g. edit their profile) unless they also belong to a group that has the JIRA Users permission.

JIRA Administrators

Permission to perform most JIRA administration functions (see list of exclusions below).
(warning) The number of users that count towards your JIRA license is the sum of all users (including users in groups) that have the JIRA Administrators permission, even if they do not also have the JIRA System Administrators or JIRA Users permissions. A user with JIRA Administrators will be able to log in to JIRA without the JIRA Users permission, but may not be able to perform all regular user functions (e.g. edit their profile) unless they also belong to a group that has the JIRA Users permission.

JIRA Users

Permission to log in to JIRA.
(warning)  The number of users that count towards your JIRA license is the sum of all users (including users in groups) that have this permission. If you want to reduce this count, see Updating your JIRA License Details.
(info) Granting the JIRA Users permission to a group results in all newly created users being automatically added to that group. The exception to this are groups that also have either the JIRA System Administrators or JIRA Administrators permissions, since JIRA prevents groups with these administrative-level global permissions from being granted the JIRA Users permission. Furthermore, it would be unwise to automatically grant these administrative-level global permissions to all new users.

Browse Users

Permission to view a list of all JIRA user names and group names. Used for selecting users/groups in popup screens. Enables auto-completion of user names in most 'User Picker' menus and popups.

Note that the Assign User permission also allows a limited version of this on a per-project basis.

Create Shared Objects

Manage Group Filter Subscriptions

Permission to manage (create and delete) group filter subscriptions.

Bulk Change

Permission to execute the bulk operations within JIRA:
- Bulk Edit *
- Bulk Move *
- Bulk Workflow Transition
- Bulk Delete *
( * subject to project-specific permissions.)

(warning) The decision to grant the Bulk Change permission should be considered carefully. This permission grants users the ability to modify a collection of issues at once. For example, in JIRA installations configured to run in Public mode (i.e. anybody can sign up and create issues), a user with the Bulk Change global permission and the Add Comments project permission could comment on all accessible issues. Undoing such modifications may not be possible through the JIRA application interface and may require changes made directly against the database (which is not recommended).

10 Comments

  1. Anonymous

    How can one set the security level of an issue to the group that the user belongs to by default?

    1. Anonymous

      I was asking myself the same question, and I found an answer in the JIRA bug database...

      A request has been already made (a long time ago).  There seems to be a work-around or two available in the issue history, but I haven't tried them myself. See https://jira.atlassian.com/browse/JRA-5276

      Hope that helps.

      -Brent

  2. Anonymous

    Install plugin JIRA Misc Workflow Extensions and add Post-function "Set Issue security from user role"

  3. Anonymous

    How can I assign permissions to users so they can report only allowed issue types and not all types of issues?

    In other words. How to assign permissions to issue types?

    Thanks.

  4. The first note in this page says:

    Only users with the project-specific 'Set Issue Security' permission can apply a security level to an issue, regardless of whether they are members of the security level.

    I'm looking for exactly this option: have someone (that has the permission to set "Issue Security") assign an issue to a security level to which s/he DOESN'T belong.

    1. Is this possible? (I haven't found it in my 5.1.3 JIRA version)
    2. If yes: how and what to configure to get this to work?

    This would greatly simplify our current way of working. (we have different projects for each team to resolve their issues)

  5. Anonymous

    Hello,

    Is it possible to assign more than one security level on an issue?

    Thanks

  6. Is it possible to limit a user to see only the issues he created within a project?

  7. Hi all,

    We are intending to use JIRA as a Support System but we just found a problem concerning Issue Security Level and Issue Navigator that we think could be a bug.

    We followed the instructions provided by Atlassian in order to configure Project Security and Issue Level Security. We created a permission scheme with one security level (activated by default) and added the Reporter issue role and an internal group as the only role/groups having permissions to see the issues. Additionally, we added the Browse Projects permission to that group and Reporter role too.

    All of that works like a charm when we talk about users belonging to JIRA Local Directory. However, if a user whose account is in a Microsoft Active Directory creates an issue, he can browse the issue directly but he can’t see it in the Issue Navigator instead. How is it possible?

    So, in brief, it seems there is an abnormal behaviour when Issue Security Level is applied and a user whose account is in an external user repository tries to see, through the Issue Navigator, the issues reported by himself.

    Any ideas?

  8. Hi

    I am setting issue security level on "create issue" transition by using a post-function (copy parsed text to Security Level field). This allows me to set different issue security levels for issue types using different workflows. It seems though that issues moved to our project from other projects are created without triggering "create issue" associated post-functions.

    • Is this the expected behavior?
    • If I configure a default security level, is it applied to moved issues?

    Thanks

  9. Hi, I'm trying to build a SQL query that loads a reference table that identifies a user to an issue if they can see that issue. I'm having quite a problem building it. Are there any JIRA developers who could help me with this?