Managing access to your service project
Go to Project settings > Customer permissions to choose who can raise requests in your service desk and who your customers can share requests with.
On this page:
Choose who can raise requests
People need to be customers to raise requests in your service desk. You can let your team control who becomes a customer, or let customers create their own accounts in your service desk.
In addition to the below options, you can also restrict access to request types to control who can raise a specific request type to make sure that requests get routed to the appropriate channels. More about restricting request types
Who can raise requests | Description |
---|---|
Customers who are added to the project | Your team adds customers to the project via the Customers page, or by raising requests on their behalf. |
People with accounts on your Jira site are automatically added to the Customers list and can raise requests. | |
Anyone can email the service project or raise a request in the portal |
If this option is disabled, then your Jira administrator has not turned on public signup for service desks on this Jira site. Learn more about enabling public signup When you choose this option, you have no control over who can create an account and raise requests. We strongly recommend that you use the Customers who have an account on this Jira site option instead, unless the requirement for a Jira account won’t work for your use case. |
Choose who customers can share requests with
You can allow customers to share requests with their organizations, Jira groups they're part of, anyone in the service desk, or people who aren't customers yet. The people customers share with become participants in the request. Request participants can comment on and share requests, and receive the same notifications from Jira Service Desk as the reporter. Learn more about request participants
The following table describes the ways customers can share requests:
Who customers can share with | Description |
---|---|
Other customers in their organization |
|
Any customer, by typing an email address | Customers can share requests with other customers in their organization (like in the option above), and also:
|
Any customer or organization, by searching in this project |
If your service project uses user picker custom fields, such as the Approvers field, choose this setting to make sure customers can select users. |
Choose whether customers can share requests with groups
Agents and project admins can share requests with Jira groups added as customers of the service project in the issue view. Project admins can choose to extend this sharing capability to help-seekers, allowing them to share requests with Jira groups they’re part of from the customer portal without additional permission management.
To allow sharing with groups, select the Allow sharing with customer groups added to this project checkbox under Can customers share requests with groups?
Choose whether customers can vote for requests
You can allow customers to vote for requests directly in the customer portal. This lets them cast their votes for requests they'd like to see done without having user accounts on your Jira instance.
To enable voting in the portal, you need to have global voting enabled for your Jira instance.
The following table describes different options for this setting:
Can customers vote in the portal? | Description |
---|---|
Yes, any customer with portal access can vote directly in the portal | Customers will see an extra option to vote when they view a request in the portal. They can then add their vote or remove it. |
No, customers can't vote directly in the portal | If the global voting is enabled, users with accounts on your Jira instance will still be able to vote for requests if they view them directly in Jira. Customers might not have such accounts, so this option will essentially limit voting to your agents. |
Which settings are best for my team?
Not sure how to set up permissions for your team? Here are some suggestions for how to make customer permissions work for you:
If you're like this | Who can raise requests | Who customers can share with | Can customers vote? |
---|---|---|---|
You have a service project that handles contractors' leave requests. Only contractors can use the service project, and you don't want non-contractors to get confused about where to request leave. | Customers who are added to the project | Other customers in their organization | No, as contractors probably don't need to vote for their leave requests. |
Your company has an IT service desk, and you want all employees to be able to create their own accounts and email requests. | Customers who have an account on this Jira site | Any customer or organization, by searching in this project | No, if your team is mostly handling requests for individual employees, such as "I need a new monitor". Yes, if your team is handling requests for general improvements. For example, employees could vote for what they'd like to be added to their office. |
Your team provides software support for individuals. For example, if your company makes a free SAAS application that individuals use to manage finances, you can let your customers email bugs and questions to your service project email channel. | Anyone can email the service project or raise a request in the portal | Any customer, by typing an email address | Yes, it might be useful for individuals to vote for bugs or requests they'd like to see fixed first. |
Security advice: Choosing who can raise requests
This is security advice regarding the option Who can raise requests.
When allowing anyone to create and raise requests, we strongly recommend that you use a separate domain for your incoming email account and configure this account to filter against automatic emails by blocking the addresses with a local-part, such as “no-reply”, “support”, “servicedesk”, and so on.
Reason
Configuring your Jira Service Management instance using an incoming email address with a domain at your company level can result in bad actors abusing the system to gain access to restricted services.
Example
For example, assume that your domain is http://mycompany.com
, and you have set up a customer portal with an incoming email support@mycompany.com
, allowing anyone to create and raise requests. Now, let’s say a bad actor is trying to gain access to teamsinspace.com
for which your company already has an account (e.g. admin@mycompany.com
).
If the bad actor creates a new ticket in your customer portal and adds no-reply@teamsinspace.com
as a participant, they can now go to teamsinspace.com
and open an account for support@mycompany.com
and provide a team name including the ticket number. Since teamsinspace.com
includes the team name in their confirmation emails (and other websites might include other details), such an email will be sent to your incoming email address in Jira Service Management, and added as a comment to the ticket. By clicking on the confirmation email, the bad actor could open an account on teamsinspace.com
on behalf of your company.
Mitigating this issue
Using a separate domain or sub-domain dedicated for your customer portal will help prevent this as long as you make sure to not sign up to services using that domain. What’s more, adding filters against automatic emails (e.g. “no-reply”) at the incoming email account level will further help mitigate the issue because no-reply emails will be blocked.