Granting Browse Project permission to 'Current Assignee', 'Reporter' or 'User Custom Field Value' allows all users to view Project information
Granting "Browse Project" permission to "Current Assignee" in a project's permission scheme allows all users to view project information, such as the project name, project key, etc.
This is caused by bugs:
- - JRA-31720Getting issue details... STATUS
- - JRA-34389Getting issue details... STATUS
- - JRA-37117Getting issue details... STATUS
How to restrict issues to only desired roles and groups:
If a Project is only relevant to a 'Group A':
- Add the 'Group A' to the Role(Users) and remove unrelated groups that shouldn't see the project.
Set Create and Browse permissions for Role(Users) instead of 'Current Assignee' or 'Reporter'
Use Issue level security to restrict viewing to Reporter or Assignee.
Result: only users in 'Group A' see the project and Browse only it's own Reported issues or Assigned issues
Step by step instructions to set Security Level at How to limit user to only browse issues assigned to or reported by them
To work around this issue with Assignee and Reporter, you may enable the optional "Assignee (show only projects with assignable permission)" security type. This security type allows you to restrict project browsing to "assignable" users (i.e. users which can have issues assigned to them) in a project permission scheme. You can use this security type instead of "Current Assignee" in your project permission schemes.
More information regarding the Reporter on Current Reporter Browse Project Permission
To do this:
- Edit the
Find the following code and uncomment all code in the <type> tag:
<!-- Uncomment & use this permission to show only projects where the user has the assignable permission and issues within that where they are the assignee --> <!-- This permission type should only ever be assigned to the "Browse Projects" permission. --> <!-- Other permissions can use the "reporter" or "create" permission type as appropriate. --> <!-- <type id="assigneeassignable" enterprise="true"> <class>com.atlassian.jira.security.type.CurrentAssigneeHasAssignablePermission</class> </type> -->
- Restart JIRA.
- Configure the permission scheme for the project, remove the "Browse Project" permission from "Current Assignee", and assign the "Browse Project" permission to "Assignee (show only projects with assignable permission)".