How to restrict project access to different isolated user groups
Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
This how-to will explain the steps needed to separate project access, while granting read-only access to particular external user groups working on the project.
The example is written in the context of granting access to different Client groups.
We'll assume that a JIRA Administrator has already:
- Created the users in JIRA.
- Populated these users into client-specific groups (i.e. all users from 'Company A' are grouped into the 'Client A' group)
- Granted these groups JIRA access by:
  - adding the groups to JIRA Users global permission for JIRA 6.4 and below
  - adding the groups to a JIRA application at > Applications > Application access for JIRA 7.0 and above
  - granting the groups access to your instance at > User management > Application access and clicking the View configuration button for JIRA Cloud users.
- Removed Internal Project access from client-specific users by removing the users from the default JIRA Users global permission (i.e. removing them from the jira-users group).
ProTip: a group named external-users can be created to hold all Client users, so that adding external-users to the JIRA Users global permission grants them access to JIRA and enables more configuration benefits.
- Clients: External users that can't see private projects or other Clients' information (groups: ClientA, ClientB, etc.)
- External Users: Group of clients that can't see private projects (external-users group)
- Internal Users: company members that have access to private company content and some or all Client projects (jira-users group)
You will then be able to set up these 4 roles:
- Internal user that doesn't see client projects (group: jira-users)
- Internal user that works on Clients A and B only (groups: jira-users, ClientA, ClientB)
- Internal user that administers every Client project (groups: jira-users, Administrator)
- External user that belongs to ClientA (groups: external-users, ClientA)
Access and Privacy configuration notes:
- Set JIRA Users Global Permission to jira-users and external-users only to control groups that have access.
- Add External Users to the external-users group and a ClientX group only, to restrict private content.
Create a project role for Client groups.
Creating a project role that maps to your client groups will allow you to reuse your permission scheme across projects where the Client group differs from project to project. Project roles make it easier to manage your users than using groups all the time. Since group membership is global, whereas project role membership is project-specific, project admins will effectively be able to change the members of a project role, even without the global JIRA Administrator permission.
- Choose the cog icon at top right of the screen, then choose System, then select Project roles to open the 'Project Role Browser' page.
Keyboard shortcut: 'g' + 'g' + start typing 'roles'
- Create a project role called 'Client', which will represent read-only client groups in a project.
Create a new permission scheme.
- Choose the cog icon at top right of the screen, then choose Issues. Select Permission Schemes to open the 'Permission Schemes' page.
- Since this will only require one change to the default scheme, we can simply copy the default permission scheme. Select Copy in the row of "Default Permission Scheme."
- Rename the newly created (copied) permission scheme by selecting Edit in the "Copy of Default Permission Scheme" row. Something identifiable such as 'Client Facing Permission Scheme' will do.
- From the newly created scheme, remove all Application access (Any logged in user) entries and replace them with a Project role, for example Project role (Users), or a group. To "hide" all remaining projects, the Application access (Any logged in user) entry must also be removed from the Browse Projects permission in all used permission schemes.
Configure read-only permissions in the scheme.
- On the Permissions Scheme page, select Permissions in the 'Client Facing Permission Scheme' row.
- Select Add (Cloud Users click Edit) in the Browse Projects permission row, click Project Role and select the 'Client' project role from the dropdown. Click Add/Grant to apply.
- Add additional internal groups to the Browse Projects permission to ensure that internal users can also view the project.
- By default, all JIRA users can access ('Browse') the project. Remove the 'jira-users' group from the 'Browse Projects' permission, leaving only your internal groups and the Client role.
Add the client group to the project role.
- Choose the cog icon at top right of the screen, then choose Projects.
- Select the appropriate project from the Project List.
- In the Roles section, select View Project Roles. (Cloud Users select People)
- In the 'Client' row, select Add Group by hovering over the Groups column. (Cloud Users click Add people)
- Add the Client Group(s) who will be accessing the project.
Apply your permission scheme to an individual project.
- Go to the Permissions section of the project Administration screen.
- Click the Actions dropdown in the upper-right hand corner. Select Use a Different Scheme.
- Select the 'Client Facing Permission Scheme'. Click Associate.
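To check the finished configuration, the following added example (not Atlassian code, and not JIRA's API or data format) models the Browse Projects decision for the four user types above and lists schemes that still grant Browse to any logged in user. The usernames, project keys, the 'Internal' scheme name and the use of the Administrator group as the internal group on the client-facing scheme are assumptions made for illustration.

```python
# Simplified model of the Browse Projects check described in this article.
# All names and data below are constructed; this is not JIRA's API or data format.
ANY_LOGGED_IN = ("application", "any")  # "Application access (Any logged in user)"

USERS = {  # the four user types, keyed by hypothetical usernames
    "internal_only": {"jira-users"},
    "internal_ab": {"jira-users", "ClientA", "ClientB"},
    "internal_admin": {"jira-users", "Administrator"},
    "external_a": {"external-users", "ClientA"},
}
SCHEMES = {  # Browse Projects grants per permission scheme
    "Internal": [("group", "jira-users")],
    "Client Facing Permission Scheme": [("role", "Client"), ("group", "Administrator")],
    "Default Permission Scheme": [ANY_LOGGED_IN],  # unmodified scheme, still open
}
PROJECTS = {  # project -> scheme and per-project role membership (groups)
    "INT": {"scheme": "Internal", "roles": {}},
    "ACME": {"scheme": "Client Facing Permission Scheme", "roles": {"Client": {"ClientA"}}},
    "BETA": {"scheme": "Client Facing Permission Scheme", "roles": {"Client": {"ClientB"}}},
    "LEGACY": {"scheme": "Default Permission Scheme", "roles": {}},
}

def can_browse(user, project):
    """True if any Browse Projects grant in the project's scheme matches the user."""
    groups, proj = USERS[user], PROJECTS[project]
    for kind, name in SCHEMES[proj["scheme"]]:
        if (kind, name) == ANY_LOGGED_IN:
            return True  # every user with application access, external ones included
        if kind == "group" and name in groups:
            return True
        if kind == "role" and groups & proj["roles"].get(name, set()):
            return True  # user is in a group assigned to this role in this project
    return False

def visible(user):
    return sorted(p for p in PROJECTS if can_browse(user, p))

def open_schemes():
    """Schemes whose Browse Projects permission still includes any logged in user."""
    return sorted(s for s, grants in SCHEMES.items() if ANY_LOGGED_IN in grants)

if __name__ == "__main__":
    for u in USERS:
        print(u, visible(u))
    print("schemes to fix:", open_schemes())
```

The LEGACY project shows why the Any logged in user entry has to be removed from every scheme in use: the ClientA user can browse it even though the client-facing scheme is configured correctly.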