This documentation is meant to give an in-depth analysis of configuring project-specific security: allowing full access to all projects for internal users, and limited access for external users, by using JIRA groups and project permission schemes. It is also possible to use Project Roles, but in this case we did not.
The example is based on the Atlassian Project Permission documentation. While that documentation tells you everything you can do, we get a lot of questions about how exactly to set your system up to have two or more classes of users:
- Internal users (such as employees at your company) who have full permission
- External users (such as customers of your company) who have limited permission
Usually, though, a security configuration that fits your company exactly will require a good amount of time, effort, and imagination on your part. At the moment JIRA is only able to support security at the project level or the issue level. Currently there is no field-level security available.
The first step for project-level security is to define user groups. In this case a group called "External Group" was created. All internal users will just be in the default "jira-users" group. In a default JIRA instance, when a user is created they will automatically be put into the jira-users group. Anyone who is external will have to be manually assigned to the External Group and be removed from the jira-users group. There is no way to automatically assign users to certain groups without massive customizations to the JIRA environment. All internal users are left in the jira-users group because this documentation assumes that clients already have many internal users. Assigning a small number of users to one group is easier than reassigning hundreds or thousands of users.
If starting from scratch, it is better to define and assign new groups from the beginning, for example an "internal group" as well as an external group. But in this example we will just look at jira-users and the External Group. See the group settings in the image below for more detail:
To get to this screen: go to Administration > Users, Groups & Roles > Group Browser.
Now make sure that the External Group is added to the global JIRA Users permission so that they have access to JIRA. All users must be in the global JIRA Users group in order to access JIRA. Note: The JIRA Users group is different from the jira-users group. JIRA Users is global while jira-users is group specific. See the image below for more detail.
To get to this screen: go to Administration > Global Settings > Global Permissions.
After creating the desired groups, a separate permission scheme needs to be made for each group. In the image below two schemes were created: an internal scheme and an external scheme. The internal scheme is for internal users and the external scheme is for external users. If your company has multiple users from multiple companies, you will need to make multiple schemes and groups for each project.
To get to this screen: go to Administration > Schemes > Permission Schemes.
After the schemes have been created, they must be tailored to meet your needs. For example, in the External Scheme shown below, jira-users are given all permissions, while the External Group is given limited rights. Both groups must be present in this permission scheme to ensure that both internal users and external users have access to whichever project this scheme is assigned to. Only jira-users should be assigned to the Internal Scheme. See the images below for more detail. Please note that in the External Permission Scheme the "Browse Projects" permission has both jira-users and Reporter (rather than External Group). This was done so that external users can only see tickets they have created in the External Project and not others' tickets. However, if "Reporter" is replaced with "External Group", then the External Group users will be able to view all tickets associated with the project.
To get to this screen: go to Administration > Schemes > Permission Schemes > Click on External Scheme.
To get to this screen: go to Administration > Schemes > Permission Schemes > Click on Internal Scheme.
Now assign the appropriate permission scheme to the appropriate project. For this example the internal scheme will be assigned to the internal project and the external scheme will be assigned to the external project. See the images below for more detail:
To get to this screen: go to Administration > Project > Projects > Click on External Project.
To get to this screen: go to Administration > Project > Projects > Click on Internal Project.
Once the above steps have been completed, create users and add them to the appropriate group as seen in the image below. Note: When users are created, they will automatically belong to both jira-users and External Group. The administrator will be responsible for manually removing the users from groups that they should not belong to.
To get to this screen: go to Administration > Users, Groups & Roles > User Browser.
If done correctly, the internal employees (jira-users) will have access to all projects, while the external users will only have access to their projects. Feel free to download the XML backup of this example and restore it on your local test instance.
The sample file
- Please ensure you have backed up your existing JIRA instance
- You can download the JIRA helpdesk sample file here: ExampleSecurity.zip
- Restore the sample data file. You can learn how to restore a file here
User list and logins
- All user passwords are the same: admin
- The main username to log in with is: admin
  - Full JIRA admin rights
  - Access to all projects
- Internal users are: internaluser
  - These users are in the group: jira-users
  - Access to both the Internal and External Projects and all issues.
- External users are: externaluser and jcostello
  - These users are in the group: External Group
  - Access to the External Project, and only to issues they created.
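
The setup above, as a small model you can run to check the expected access and the two ways it goes wrong (a user left in jira-users, and Reporter swapped for External Group). This is an added example, not JIRA's own code or part of the sample file. It models only the Browse Projects permission; the issue keys are constructed, and admin's membership in jira-users is an assumption.

```python
# Added example: simplified model of this page's setup, not JIRA's own code.
GROUPS = {  # group -> members, from the sample user list (admin membership assumed)
    "jira-users": {"admin", "internaluser"},
    "External Group": {"externaluser", "jcostello"},
}
# Holders of Browse Projects in each scheme, as described on the page.
SCHEMES = {
    "Internal Scheme": [("group", "jira-users")],
    "External Scheme": [("group", "jira-users"), ("reporter", None)],
}
PROJECTS = {"Internal Project": "Internal Scheme",
            "External Project": "External Scheme"}
# Constructed issues: (key, project, reporter)
ISSUES = [
    ("INT-1", "Internal Project", "internaluser"),
    ("EXT-1", "External Project", "externaluser"),
    ("EXT-2", "External Project", "jcostello"),
]

def can_browse(user, issue, groups=GROUPS, schemes=SCHEMES):
    """True if any Browse Projects holder in the project's scheme matches."""
    _key, project, reporter = issue
    for kind, name in schemes[PROJECTS[project]]:
        if kind == "group" and user in groups.get(name, set()):
            return True
        if kind == "reporter" and user == reporter:
            return True
    return False

def visible_issues(user, groups=GROUPS, schemes=SCHEMES):
    """Issue keys the user can see under the given groups and schemes."""
    return [i[0] for i in ISSUES if can_browse(user, i, groups, schemes)]

def leftover_internal_access(groups=GROUPS):
    """External Group members still in jira-users (manual removal was missed)."""
    return sorted(groups["External Group"] & groups["jira-users"])

if __name__ == "__main__":
    for u in ("admin", "internaluser", "externaluser", "jcostello"):
        print(u, visible_issues(u))
    # Failure mode 1: an external user was never removed from jira-users.
    bad = {**GROUPS, "jira-users": GROUPS["jira-users"] | {"jcostello"}}
    print(leftover_internal_access(bad), visible_issues("jcostello", bad))
    # Failure mode 2: Reporter replaced with External Group in Browse Projects.
    wide = {**SCHEMES, "External Scheme": [("group", "jira-users"),
                                           ("group", "External Group")]}
    print(visible_issues("externaluser", schemes=wide))
```

Running `leftover_internal_access` against a real export of group memberships is a quick audit after each batch of new external accounts.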