How to restrict user access in Jira without changing schemes or user directory settings (internal or external)
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Change the users that can access your Jira for cases where a temporary user lockdown is required or a DEV/Test instance is created and you only want to allow access for admins and/or a few selected users or groups.
This method also applies to cases where Jira is configured to receive users from external directories (LDAP, AD, etc...) or public registration is enabled to add another control layer of user access.
Solution
The easiest method to restrict either temporarily or permanently the access of a Jira instance without changing the organization on the currently configured permission schemes is to change the default main user groups with application access.
Changing the groups with Application Access
- Click the Administration
> User Management > Groups - Create a new (or use an existing) group with the users that you want to remain with access to Jira (for example:
jira-temp-access-group) - Make sure you as an admin is a member of this group (
jira-temp-access-group) and that you are a member of another group with Global permissions, or make this new one have Global administration permissions too. - Select Administration > Applications > Application access
- On this page you'll see the default groups that have application access to Jira, this means that every group added to this page configuration consumes a license and can access Jira's internal pages limited to the permission schemes in place.
- Mark the group from STEP 1 as the Default.
- Remove from the list the other groups that have Jira access by default such as
jira-software-users.
- Only the group you created on STEP 1 should be on the application access list.
The same method can be applied to Jira Service Management!
This does not remove the actual groups, nor does it change any other scheme configuration or relation to memberships.
Results
After this, only users that are members of this group you've selected will be able to see anything on your Jira instance as Jira users or agents.
All the other "normal" users will still be able to log in, but they won't be able to see or do anything inside Jira.
Users that have Global administrator permissions will still be able to perform a few admin actions, including adding themselves to the application access group.
If you have a Jira Service Management project that allows users without a license to be treated as customers, they'll still be treated as a customer with limited access to their own requests as a customer would!
To restore the Jira application access
Just add back the usual group to the application access list (for example: jira-software-users) and all the normal configurations and schemes should return to the usual access profile.
Users that are members of multiple groups with application access only count as 1 used license toward the license count.