Configuring Issue-level Security

Issue security levels allow you to control who can see individual issues within a project (subject to the project's permissions).

An issue security level is a named collection of users. Issue security levels are created within issue security schemes, which are then associated with projects. Once an issue security scheme has been associated with a project, its security levels can be applied to issues in that project (note, sub-tasks will inherit the security level of their parent issue). Those issues will then only be accessible to members of that security level.

Note, if issue security levels are available but aren't set, the project permissions will then be applied.

A security level's members may consist of:

  • Individual users
  • Groups
  • Project roles
  • Issue roles such as 'Reporter', 'Project Lead', and 'Current Assignee'
  • 'Anyone' (eg. to allow anonymous access)
  • A (multi-)user picker custom field.
  • A (multi-)group picker custom field. This can either be an actual group picker custom field, or a (multi-)select-list whose values are group names.

Only users with the project-specific 'Set Issue Security' permission can apply a security level to an issue, regardless of whether they are members of the security level.

On this page:

Why use issue security levels?

As an example, a company may have a public instance of JIRA running. Within this instance they may have several projects that external people (customers) can browse. However, it may not be appropriate to show all issues to the customers. To achieve this you could:

  • Create an issue security scheme.
  • Create an issue security level named 'Private' for this scheme.
  • Add appropriate people to the 'Private' security level.
  • Associate the issue security scheme with the relevant projects.
  • Set the security level of specific issues to 'Private'.

Creating an issue security scheme

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Issues. Select Issue Security Schemes to open the Issue Security Schemes page, which lists all the issue security schemes currently available in your JIRA installation.
    (tick) Keyboard shortcut: g + g + start typing issue security schemes
  3. Click the Add Issue Security Scheme button.
    Screenshot 1: the 'Issue Security Schemes' page
  4. In the Add Issue Security Scheme form, enter a name for the issue security scheme, and a short description of the scheme. Then click the Add button.
  5. You will return to the Issue Security Schemes page, which now contains the newly added scheme.

Adding a security level to an issue security scheme

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Issues. Select Issue Security Schemes to open the Issue Security Schemes page, which lists all the issue security schemes currently available in your JIRA installation.
    (tick) Keyboard shortcut: g + g + start typing issue security schemes
  3. Click the name of any scheme, or the link Security Levels (in the Operations column) to open the Edit Issue Security Levels page.
  4. In the Add Security Level box, enter a name and description for your new security level and then click Add Security Level.
    Screenshot 2: the 'Edit Issue Security Levels' page

Setting more than 10 issue security levels can impact performance in JIRA.

Setting the Default Security Level for an issue security scheme

You can choose to specify a Default Security Level for your issue security scheme.

The Default Security Level is used when issues are created. If the reporter of an issue does not have the permission 'Set Issue Security', then the issue's security level will be set to the Default Security Level. If the project's issue security scheme does not have a Default Security Level, then the issue's security level will be set to 'None'. (A security level of 'None' means that anybody can see the issue.)

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Issues. Select Issue Security Schemes to open the Issue Security Schemes page, which lists all the issue security schemes currently available in your JIRA installation.
    (tick) Keyboard shortcut: g + g + start typing issue security schemes
  3. Click the name of any scheme or the link Security Levels to open the Edit Issue Security Levels page (above).
    • To set the 'default' security level for an issue security scheme, locate the appropriate Security Level and click its Default link (in the Operations column).
    • To remove the 'default' security level from an issue security scheme, click the 'Change default security level to "None"' link (near the top of the page).

Adding Users/Groups/Project Roles to a Security Level

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Issues. Select Issue Security Schemes to open the Issue Security Schemes page, which lists all the issue security schemes currently available in your JIRA installation.
    (tick) Keyboard shortcut: g + g + start typing issue security schemes
  3. Click the name of any scheme or the link Security Levels to open the Edit Issue Security Levels page (above).
  4. Locate the appropriate security level and click its Add link (in the Operations column), which opens the Add User/Group/Project Role to Issue Security Level page.
  5. Select the appropriate user, group or project role, then click the Add button.
  6. Repeat steps 4 and 5 until all appropriate users and/or groups and/or project roles have been added to the security level.

Assigning an issue security scheme to a project

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Projects. Select the name of the project of interest. The Project Summary page is displayed.
    (tick) Keyboard shortcut: g + g + start typing projects
  3. In the Permissions section of the Project Summary page, click the link corresponding to the Issues label to open the Associate Issue Security Scheme to Project page.
    (info) This will either be the name of the project's current issue security scheme, or the word None.
  4. Select the issue security scheme that you want to associate with this project.
  5. If there are no previously secured issues (or if the project did not previously have an issue security scheme), skip the next step.
  6. If there are any previously secured issues, select a new security level to replace each old level. All issues with the security level from the old scheme will now have the security level from the new scheme. You can choose 'None' if you want the security to be removed from all previously secured issues.
  7. Click the 'Associate' button to associate the project with the issue security scheme.

    If the Security Level field is not displayed on the issue's screen after configuring the Issue-Level Security, use the Where is My Field? tool to see why it is not being displayed.

    If the Security Level field has been hidden on purpose, please see the limitations of doing so in Hiding or showing a field.

Deleting an issue security scheme

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Issues. Select Issue Security Schemes to open the Issue Security Schemes page, which lists all the issue security schemes currently available in your JIRA installation.
    (tick) Keyboard shortcut: g + g + start typing issue security schemes
  3. Click the Delete link (in the Operations column) for the scheme that you want to delete.
    (info) You cannot delete a issue security scheme if it is associated with a project. To do so, you must first remove any associations between the issue security scheme and projects in your JIRA installation — please refer to Assigning an Issue Security Scheme.
  4. On the confirmation page, click Delete to confirm the deletion. Otherwise, click Cancel.

Copying an issue security scheme

  1. Log in as a user with the JIRA Administrators global permission.
  2. Choose > Issues. Select Issue Security Schemes to open the Issue Security Schemes page, which lists all the issue security schemes currently available in your JIRA installation.
    (tick) Keyboard shortcut: g + g + start typing issue security schemes
  3. Click the Copy link (in the Operations column) for the scheme that you want to copy. A new scheme will be created with the same security levels and the same users/groups/project roles assigned to them.
    (info) Your new scheme will be called 'Copy of ...'. You can edit your new scheme to give it a different name if you wish.

This table lists the different global permissions and the functions they secure:

Global Permission

Explanation

JIRA System Administrators

Permission to perform all JIRA administration functions.
(warning) The number of users that count towards your JIRA license is the sum of all users (including users in groups) that have the JIRA System Administrators permission, even if they do not also have the JIRA Administrators or JIRA Users permissions. A user with JIRA System Administrators will be able to log in to JIRA without the JIRA Users permission, but may not be able to perform all regular user functions (e.g. edit their profile) unless they also belong to a group that has the JIRA Users permission.

JIRA Administrators

Permission to perform most JIRA administration functions.
(warning) The number of users that count towards your JIRA license is the sum of all users (including users in groups) that have the JIRA Administrators permission, even if they do not also have the JIRA System Administrators or JIRA Users permissions. A user with JIRA Administrators will be able to log in to JIRA without the JIRA Users permission, but may not be able to perform all regular user functions (e.g. edit their profile) unless they also belong to a group that has the JIRA Users permission.

JIRA Users

Permission to log in to JIRA.
(warning)  The number of users that count towards your JIRA license is the sum of all users (including users in groups) that have this permission. If you want to reduce this count, see Updating your JIRA License Details.
(info) Granting the JIRA Users permission to a group results in all newly created users being automatically added to that group. The exception to this are groups that also have either the JIRA System Administrators or JIRA Administrators permissions, since JIRA prevents groups with these administrative-level global permissions from being granted the JIRA Users permission. Furthermore, it would be unwise to automatically grant these administrative-level global permissions to all new users.

Browse Users

Permission to view a list of all JIRA user names and group names. Used for selecting users/groups in popup screens. Enables auto-completion of user names in most 'User Picker' menus and popups.

Note that the Assign User permissions also allows a limited version of this on a per-project basis.

Create Shared Objects

Manage Group Filter Subscriptions

Permission to manage (create and delete) group filter subscriptions.

Bulk Change

Permission to execute the bulk operations within JIRA:
- Bulk Edit *
- Bulk Move *
- Bulk Workflow Transition
- Bulk Delete *
( * subject to project-specific permissions.)

(warning) The decision to grant the Bulk Change permission should be considered carefully. This permission grants users the ability to modify a collection of issues at once. For example, in JIRA installations configured to run in Public mode (i.e. anybody can sign up and create issues), a user with the Bulk Change global permission and the Add Comments project permission could comment on all accessible issues. Undoing such modifications may not be possible through the JIRA application interface and may require changes made directly against the database (which is not recommended).

Was this helpful?

Thanks for your feedback!

Why was this unhelpful?

Have a question about this article?

See questions about this article

Powered by Confluence and Scroll Viewport