Stash Project Permissions

Chris Tietgen July 5, 2018

We're using the old Stash Server product, but will be upgrading to the latest Bitbucket Server soon and I'm having an issue restricting who can see what in Stash.

I've created Projects, for example "Project 1" and "Project 2" and I want to limit who can see the repos in those Projects.

For example, Group 1 should have access to Project 1, but not Project 2.

Under Project > Settings > Project Permissions we assign Group 1 to the Project.

However, doing the above doesn't prevent Group 2 from accessing the Project or the Repos under the Project.

What am I doing wrong?

1 answer

1 accepted

0 votes
Answer accepted
Julius Davies [bit-booster.com]
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
July 5, 2018

At the project level make sure "Public access" is disabled and that "Default permission" is set to "No access".  Like so:

[Screenshot: permissions.png]

You might need to double-check those two settings are configured appropriately for each project AND repository, since repositories can override it.  In newer Bitbucket versions repositories can only override the "Public access" value, but IIRC that was not always the case.

Take a look at our free Control Freak add-on, too!  Very handy for controlling server-side git policy from a single place (e.g., enforcing pull-requests for specific branches, matching commits to JIRA tickets, etc).

 

Chris Tietgen July 6, 2018

I verified that the Project permissions are set, as described above, and that the repo permissions are set correctly, but the user can still see stuff they shouldn't be able to see.

Technically, the repo permissions aren't set, so they shouldn't be overriding the Project level permissions, right?

I'll take a look at Control Freak, though it doesn't seem like it'll address my issue.

Julius Davies [bit-booster.com]
July 6, 2018

Yes, Control Freak is more something to explore later once you get these basic permissions working.

The permission system on Bitbucket Server is solid in my experience.   Is there any chance the user from Group 2 you're using to test permissions has any one of the following attributes?

  1. Are they also a member of Group 1?
  2. Do they have the global "Admin" privilege?
  3. Do they have the global "System Admin" privilege?

Attributes #2 and #3 above give the user full read/write access to all repositories across your Bitbucket instance, regardless of the user's group memberships. Take a look at the "Global Permissions" screen (Settings --> Global Permissions) to see if #2 or #3 might be the problem.

To see how things should behave you can try my demo server:

http://vm.bit-booster.com/bitbucket/projects/ABC/repos/private

When I log in with user "test" (password "test"), I get a simple "401 - Access is denied" page.

Chris Tietgen July 6, 2018

Oddly, all users recently added show as having the *System Admin* and *Admin* permissions, but I am not sure why. Is there a way to prevent new users from getting those permissions by default?

I inherited this task at work and I'm trying to clean up our permissions before we migrate to the latest Bitbucket Server.

I'll speak to our CEO to see if he has the *Sys.Admin* password and make some changes.

Julius Davies [bit-booster.com]
July 6, 2018

Out of the box I think there's a "stash-users" or "bitbucket-users" group that all new users are automatically added to.  Make sure the permissions on that group are set to only have the "Bitbucket User" permission!

Sounds like the "stash-users" or "bitbucket-users" group probably has "System Admin" and "Admin" in your environment.  Uh oh...

In my experience this default "stash-users" group is a poorly documented but highly significant feature of Bitbucket Server!   Let me know if this is indeed the culprit.

 

p.s.  You don't need a password.  Just get your CEO to assign "System Admin" to your user account on the "Global Permissions" screen.  Sounds like any new user in your system right now could also assign you to "System Admin" so you could ask them instead, too.  Ha ha.

Chris Tietgen July 6, 2018

Based on information you provided, I have fixed all our permissions.

I also had my CEO set me as the Sys Admin.

Thanks for all of your help.

Julius Davies [bit-booster.com]
July 6, 2018

My pleasure!   Good luck with your Bitbucket upgrade!
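
The checks walked through in this thread (public access, default permission, group membership, global Admin/System Admin on a default group) can be expressed as a small audit. This is an added example, not code from the thread or from Atlassian; the global-permission entries are assumed to follow the shape returned by Bitbucket Server's `GET /rest/api/1.0/admin/permissions/groups`, and the `project` dictionary, group names and sample data are constructed for illustration.

```python
# Added example: explain why a user can read a Bitbucket Server project.
# Global permissions that override project-level restrictions (per the thread).
GLOBAL_BYPASS = {"ADMIN", "SYS_ADMIN"}


def explain_access(user_groups, global_group_perms, project):
    """Return every reason the user can read `project`; empty list = no access.

    global_group_perms: assumed shape of the `values` array from
    GET /rest/api/1.0/admin/permissions/groups.
    project: hypothetical dict holding the two project settings and its groups.
    """
    reasons = []
    if project["public"]:
        reasons.append("Public access is enabled on the project")
    if project["default_permission"] != "NO_ACCESS":
        reasons.append("Default permission is " + project["default_permission"])
    for entry in global_group_perms:
        name, perm = entry["group"]["name"], entry["permission"]
        if name in user_groups and perm in GLOBAL_BYPASS:
            reasons.append(f"group '{name}' holds global {perm}")
    for name in sorted(user_groups & set(project["groups"])):
        reasons.append(f"group '{name}' is assigned to the project")
    return reasons


# Constructed sample data mirroring the situation in the thread.
USER_GROUPS = {"Group 2", "stash-users"}  # test user from Group 2
PROJECT_1 = {"public": False, "default_permission": "NO_ACCESS",
             "groups": ["Group 1"]}
PROJECT_2 = {"public": False, "default_permission": "NO_ACCESS",
             "groups": ["Group 2"]}
# Misconfigured default group, then the corrected state. LICENSED_USER is
# the REST name for the "Bitbucket User" permission.
BEFORE = [{"group": {"name": "stash-users"}, "permission": "SYS_ADMIN"}]
AFTER = [{"group": {"name": "stash-users"}, "permission": "LICENSED_USER"}]

if __name__ == "__main__":
    for label, perms in (("before", BEFORE), ("after", AFTER)):
        print(label, explain_access(USER_GROUPS, perms, PROJECT_1))
```

An empty list for a user outside the project's groups is the expected result once the default group holds only the "Bitbucket User" permission.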
