Restrict certain JIRA developers to a single project in JIRA 4.4

Question

We have some trainees and we would like to give them some introductory tasks in JIRA.

We are using JIRA version 4.4.

What is the least intrusive way (avoiding creating global groups or permissions, if possible) in JIRA to achieve the following:

• restrict the trainee user account so he can browse only a certain single project and no other projects are visible to him in menu, dashboards etc.
• give this user the same permissions as default jira-developer has, but only for his associated project

?

Those trainees might leave after a month or two, so we would like to be able to delete their accounts later as easy as possible (without any linking issues, like "You cannot delete this because it is associated with that"...).

I tried to add one of the trainee accounts to a project using People tab. I added this user to Developers and Users sections, but still this user has a message: "You do not have a permission to log in." when trying to log-in.

If I add this user to jira-users group, he can log-in, but he is able to see all the projects.

Answer 1

The problem I found with JIRA permissions is that core administration elements are strewn all over the place. Its frustrating to find options which other guides allude to.

So, here is a guide detailing where to find each section required for security permission setup:

1) Create a new group (restricted to project xyz group).

• Click User management in top right (click the cog icon) > login as Administrator > click Groups (left menu)
• Add group, self explanatory > Name = restricted to xyz group (or whatever you like)

2) Create a new permission scheme (Restricted to Project XYZ permission scheme)

• From Administration area > Click Issues > Permission Schemes
• Copy the default scheme as the guide says, > Click "copy" next to "Default Permission Scheme".

• Now this part takes some time. I deleted every single permission, then clicked "add" next to the below items.

• add > Click "Group" Radio Button > select your group "restricted to project xyz group" etc

  • Hint: I middle mouse clicked each item open all at once, first to delete, then to add. Makes it less tedious.

• Here are the items I Assigned to my group:

  • Project Permissions > Browse Project
  • Everything under "Issue permissions" section
  • Comments Permissions > Add Comments
  • Comments Permissions > Delete Own Comments
  • Comments Permissions > Edit Own Comments
  • if using time tracking:
  • --> Time Tracking permissions > Delete Own Worklogs
  • --> Time Tracking permissions > Edit Own Worklogs
  • --> Time Tracking permissions > Work On Issues

• I'm not sure if these are "correct" but it works for me.

3) Link the permission scheme with project XYZ

• Click Projects > Select your Project (project XYZ) > Click "Administration" at top of screen (Next to overview) > Click Permissions (left menu) > Click Actions > Select Use a Different Scheme

• Why, do I have to go into the project to do this? It should be available via the Administration area under project. This took me 5+ minutes to find just now even though I've done it before.

4) Grant the Global Permission "JIRA users" to the group "restricted to project xyz group" so they will be able to log in.

• Go back to Administration area > Click Cog top right > Click System > Click Global Permissions (left menu)
• Add Permission > Select Permission = JIRA Users, select Group = restricted to project xyz group (etc)
• After this you should see your group appear next to "JIRA Users" just click View users, then invite/add the users as appropriate with your group selected.

That's all for now, I hope it includes everything, its all I could remember. Hopefully it saves someone else from the suffering i went through ;)

Answer 2

I did the following:

1. Created separate group for users allowed to see the project (Site Administration -> User management -> Groups

2. In Jira Admninstration -> Global Permissions added this group to "Jira users"

3. In the project's administration -> Roles added this group to "Users" project role

4. Created an user in this group and removed it from "jira-users" group. Without adding global permissions this would remove this user from accessing Jira at all

Worked like a charm (I hope), no annoying permissions scheme creation was needed

Answer 3

mdoar's answer has the guts, but here's a more step by step answer, specifically for the "You do not have a permission to log in." part.

Let's say you are logged in to Administration and there is a group 'My group for project X' and some users are assigned to this group. 1. Go to Users -> Global Permissions 2. Have a quick read about "JIRA Users" 3. In the "Add Permission" section choose "JIRA Users" as "Permission" and your group as "Group" and hit add. 4. All users from 'My group for project X' should now be able to log in.

For other access problems you may find "Premission Helper" useful (just look for it in the Administration Quick Search in the top right corner).

Answer 4

I wrote a tutorial on how to do this as it's so difficult to do especially for casual users.

Unfortunately you have to create a group and permissions scheme (and learn how to unhook the users group from the default permissions scheme, but I've laid it out really easily here so you'll not find an easier guide:

http://testigniter.blogspot.co.uk/2013/03/setting-up-jira-for-single-project-user.html

Answer 5

It depends which groups have the Developer and User project roles. By default these are jira-developers and jira-users. I would create a new project TRAINING and grant the Developers and Users roles to the trainee user ids explicitly. Now they can play in that project.

The harder parts are to restrict them from the other projects yet still allow them to log in. If the default groups are in use then do not add them to jira-users or jira-developers. You will have to define a jira-trainees group and add to the Global Permissions to allow them to log in.

Come to think of it, if you've ended up defining a jira-trainees group then you might as well use it in the project roles instead of their individual user ids. Once this is all set up you only have to add a user to jira-traininees, make sure they're not in jira-developers and jir-users and you're ready to go.