How to copy and associate a new permission scheme for a read-only access?

Also, can you confirm for us the project Type information by telling us what it says in the Type column on the View All Projects page under the Projects menu for this project?

You've posted your question in the Jira Service Management forum, but typically the Board selection is available only for Company Managed Software projects in Jira Cloud.

Hi @Trudy Claspill 

Yes, if I re-associate the project to the original permission scheme, I'm able to access the data again. The permission scheme are exactly the same exact for the new update.

Original default permission scheme:

New permission scheme:

It's basically a copy except I added the read-only user and removed the "logged-in user":

Lastly, it is a company-managed project.

Well that explains the problem.

In the new permission scheme the only people you are allowing to view the project are the members of the Read-Only User project role. Any user not in that group, even if they have other permission in the project, will not be able to see the project content.

What are you trying to accomplish with these changes?

are you are trying to enable Read-Only access for this group, while also maintaining existing permissions for other users?

Assuming that is the case...

1. You have to create a group or role to which those users can be assigned, which you did.

2. You have to add that user or role to the Browse Projects permission for the project, which you did.

3. You have to remove the "Any logged in user" and "Public" options from ALL other permissions. If you don't then that subset of users will have any permission that is granted to "Any logged in user" or Public

4. If the "Any logged in user" allocation is the only other "group" granted permissions, which appears to be the case, you have to add all other users who need more permissions in the project to other groups or roles and add those groups/roles to the other permissions in the project, as well as adding them to the Browse Projects permission.

If you need more explanation on these steps or why they are necessary, let me know.

Additionally you have to consider the permission schemes of other projects and the Access settings for Team Managed projects, if you use those. If other projects allocate permissions to "Any logged in user" or "Public" then those Read-Only users will have access in those projects too.

For Team Managed projects the users will have access to any project that has an access level of Open or Limited. Refer to this page for more information:

https://support.atlassian.com/jira-software-cloud/docs/next-gen-permissions/

@Trudy Claspill This is helpful, thank you. But I think please expand on the steps and why they're necessary. Reason for this is that I'm getting conflicting instructions from the videos I watched that specified that I should only touch the "Browse Projects" permission ONLY, and that everything else should remain unchanged. 

There were no extra steps (which I'm sure is the reason for my issue).

Please provide links to the videos you are referencing so that we can compare them to your scenario.

If the Permission schemes in the videos don't have the permissions allocated to "any logged in user" or Public, there might be no need to touch other permissions in those videos.

Or the videos may be wrong.

Hi @Walter Buggenhout 

I see... and are there any additional changes that will need to be made to the project settings for the rest of my team?

I want them to continue having the access as normal - the only change should be the addition of the read-only user from an external company.

Hi @Hector Sibisi,

The default permission scheme Atlassian includes with new projects comes with Any logged in user enabled to the browse project permission.

This is very handy at first, as it allows every user with a product license to Jira to access any project using that permission scheme to access your project. You don't have to do anything to let people access it.

But as soon as you want to take control over your project security, this becomes a problem. If you have never specified who can access your project and remove the any logged in user option from browse project, no one can access anymore, since browse project is THE permission that controls who can view the project.

When you are at a point where you want to make a difference between certain roles in a single project, you will have to take control over all permissions in your project. That is why I initially already mentioned that (once your permission scheme is configured properly), you will have to associate people to the appropriate roles in your project. All people, not just the people you want to have read only permissions.

To get to the desired result, you will enevitable need to do some significant updates. In your new permission scheme:

1. Get rid of all the associations between permissions and Any logged in user
2. Add project roles to appropriate permissions in the permission scheme. The Read Only role should only have browse project permission. But a team member (or developer) should have access to all permissions that allow working inside your project (such as: create, edit, transition, resolve issues and even a lot more). Your project administrator should be able to administer the project and e.g. edit/delete all comments/attachments.
3. Assign users to those roles from the people tab in your project.
4. Attach the new permission scheme to your project

Hope this is clear - thanks @Trudy Claspill for chiming in 😉

@Walter Buggenhout @Trudy Claspill Thank you both. I've managed to get the big part sorted. I've linked the new permission scheme to a project and it seems I still have access. I just need to monitor and make sure that my team is not impacted.

The previous Scrum Masters left a bit of a mess in the Backend. There are about 200 users linked haphazardly into various groups which I had to clean up. I can't link a user to a role individually, as that will take forever, so I had to use the groups and link those to the role and then take that role and link it to each permission schema.

E.g. Administrator group to the Administrator role.

But let me know if there's a potential issue I'm not seeing.

But a question I have is, do I have to put "Administrator" into every single permission that I put the "Developer" role in? I updated the role into the Administer Projects permission, but do I have also have to do this for every single one, too? I would assume that Jira instinctively understands the purpose of an administrator role?

Hi @Hector Sibisi,

Don't worry about using groups to link users to roles. You are actually applying best practices by doing so, so I'm glad that actually has been something you did naturally 😉 ...

About your last question:

But a question I have is, do I have to put "Administrator" into every single permission that I put the "Developer" role in? I updated the role into the Administer Projects permission, but do I have also have to do this for every single one, too? I would assume that Jira instinctively understands the purpose of an administrator role?

Jira is unfortunately a computer program, not a psychologist 😉 - so it does not intuitively understand the purpose of an administrator role. Coming back to the permission scheme we started from, this is just a list of all the available permissions you have in a Jira project and the way you assign them to concepts that make sense. You can modify those roles, create new ones and even call your administrators "tomatoes" if you want. So you will clearly have to define which permissions belong to each role in your scheme.

Now, the good news is that you can assign multiple roles to the same person or group in your project. That means that you can only assign those permissions in the permission scheme to the Administrator role that are part of that specific role (administer project, edit/delete all comments, edit/delete all attachments, ...). But if your administrator does also actively work in the project and needs to be able to also create work items or change their status, you will have to make sure that person is also linked to a role that does have does permissions.