How to limit or restrict a user's project access in Jira server
Quick info: In this document, we will show you how to secure projects between teams by replacing the default project-role-to-group mapping with groups that include only the members of specific teams.
This article is intended for JIRA Administrators. Administration rights are required for many of the functions and features described in this article.
Full documentation and explanation of the processes mentioned in this article are listed below. There are subtle differences between Cloud and Server instances, so please refer to the documentation specific to your situation.
- Configuring Security (Server and Cloud versions)
- Managing Global Permissions (Server and Cloud versions)
- Managing Project Permissions (Server and Cloud versions)
JIRA is designed with sharing in mind; in its default configuration, therefore, all new projects are shared with and viewable by all other users. It ships with two major ways of grouping users: groups and roles. Groups are global sets of users that can be assigned permissions both globally and per project. Project roles are similar, but group users at the project level. By default, JIRA ships with groups and roles that have matching names, and when you create a new project it automatically assigns these groups to the matching project roles. This gives each of these groups the most common default permissions for a project. For a complete overview of permissions and security in JIRA, see the full Configuring Security documentation.
While this three-way model of securing projects is incredibly flexible, and there are many ways to accomplish the same goal, we are going to stick to the simplest today: reassigning groups to project roles. For our example, we will create two projects and two groups: TeamA, which owns ProjectA, and TeamB, which owns ProjectB.
When you make these changes, the System Administrator won't automatically inherit rights to view these projects, but will still be able to administer them. To give the System Administrator access to all the projects, simply add this user to every group you create.
Create your users and groups
1. Start by creating the users for your projects. In our example we have created one user for each of the distinct groups: user-a, developer-a, administrator-a, user-b, developer-b and administrator-b. These users will belong to the users group by default.
2. Now create a group for each of these users to belong to.
3. Assign each user to the appropriate groups. As you can see in the screenshot below, I've added each user not only to their own group but also to the groups they would logically need permission for. This is because the default permission scheme does not cascade permissions down: a project administrator does not inherit the rights of developers and users by default, and must be explicitly added to each role.
Create Your Projects and Assign Groups to Roles
1. Create a project for each of your teams. I've called mine TeamA and TeamB.
2. Click the name of Project A to open the Administration screen for that project, then select View Project Roles under the People section on the right.
3. Under the Groups column, hover over jira-administrators and click it.
4. Remove the existing group by clicking the x.
5. Now add the group of project administrators by typing in the name of the project.
6. Then click Update.
7. Follow this process to add each of your groups to this project. Your project's People page should now look like the example below:
8. Now go back to the main Administration screen and follow steps 2-7 for Project B.
Congratulations! You should now have the application configured with one application administrator and two projects 100% segmented from one another. Keep in mind that some fields in JIRA share data across projects, such as Labels. To prevent this, you may want to create project-specific custom fields for fields such as Labels.
- Log in as project-admin-a and try to View All Projects.
- You will be automatically directed to the landing page for Project A only.
- On the Administration link, you can see that the user can only see their own project and nothing else, not even the normal administrative functions for the application.
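The manual check above covers one user and one project. As an added example that is not part of the original article, the following Python script audits every project's role-to-group mapping and flags any role still bound to a default global group (jira-users, jira-administrators and so on) or to another team's group. It assumes the Jira Server REST endpoint /rest/api/2/project/{key}/role and the per-role URLs it returns; the project keys, group names and sample data are constructed.

```python
import json
import urllib.request
from base64 import b64encode

# Groups Jira maps to project roles by default. If one survives on a
# segmented project, every member of that global group keeps access.
DEFAULT_GROUPS = {"jira-users", "jira-developers", "jira-administrators",
                  "jira-software-users"}

def fetch_role_groups(base_url, project_key, username, password):
    """{role_name: [group names]} for one project, via the Jira Server REST API
    (assumed endpoint /rest/api/2/project/{key}/role; not called offline)."""
    token = b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}

    def get(url):
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            return json.load(resp)

    roles = get(f"{base_url}/rest/api/2/project/{project_key}/role")
    return {name: [a["name"] for a in get(url)["actors"]
                   if a["type"] == "atlassian-group-role-actor"]
            for name, url in roles.items()}

def audit(project_roles, allowed):
    """Sorted (project, role, group, reason) tuples for every role mapped to a group
    outside that project's allow-list ({project: {role: [groups]}}, {project: set})."""
    findings = []
    for project, roles in project_roles.items():
        for role, groups in roles.items():
            for group in groups:
                if group not in allowed.get(project, set()):
                    reason = "default global group" if group in DEFAULT_GROUPS else "foreign group"
                    findings.append((project, role, group, reason))
    return sorted(findings)

# Constructed sample: PROJA fully re-mapped, PROJB still carrying defaults.
SAMPLE_ROLES = {
    "PROJA": {"Administrators": ["administrators-a"], "Developers": ["developers-a"],
              "Users": ["users-a"]},
    "PROJB": {"Administrators": ["jira-administrators"], "Developers": ["developers-b"],
              "Users": ["jira-users", "users-a"]},
}
SAMPLE_ALLOWED = {"PROJA": {"administrators-a", "developers-a", "users-a"},
                  "PROJB": {"administrators-b", "developers-b", "users-b"}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLES, SAMPLE_ALLOWED):
        print("%s / %s -> %s (%s)" % finding)
```

Against a live instance, build the first argument of audit() from fetch_role_groups() for each project key and keep the allow-list alongside the team definitions, so that a re-created project or a restored default mapping shows up on the next run.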