My company uses Jira Service Management and has an extensive list of external customer contacts in our database who have requested tech support.
Our software development team also uses Jira Software for internal development (bug tracking, etc.).
I was just made aware that our JSM customer contact emails are being listed as available assignees as Project Leads when configuring the settings on a Jira Software project!
Is this leakage a bug? Is it intentional by design? If intentional, is there a way to disable the "cross-contamination" from JSM customers who should NOT have any access or insight into our internal Jira projects... certainly should not be assignable as a Project lead. Ultimately the Jira Software users on our internal software team shouldn't have any visibility into the JSM customer list unless they have permissions in both products, right?
Thanks!
Hi @njk42, have you checked your permissions and permission scheme(s)? Sounds like there's a Project Role or Group that may have permissions you don't want them to have. Permission schemes are at Settings (gear) > Issues > Permission schemes.
At the Project level, check Project settings > Access > Project permissions for a Project Role or Group for your external users.
Thanks Susan - I'm familiar with and able to get to the permissions scheme pages for both the project settings and the more global level... but it's not clear which of the particular permission items is responsible for controlling "Project Lead" assignment. There are permissions for Administer Projects, but this doesn't seem to be the same as being assignable to Lead a single project. When I search the permissions scheme page for the word "lead" nothing is found. Thanks!
Hi @njk42
Can you show screenshots?
What type of project is the project for internal development: a JSM project or a normal Jira Software project?
If a normal Jira Software project, what does the permission scheme state on the assignable user permission and on other permissions?
My guess is it's in the permission scheme; amend this to your needs.
A screenshot of the page where Project Leads are assigned would have to be largely redacted so not sure how helpful it would be. It's essentially a selection list of people which I would expect to be populated only with internal people in Jira Software, but it includes them PLUS all of our customers from the JSM project.
The internal project is a standard Jira Software project.
The project permissions are the "Default software scheme", so I'm a bit surprised that this behavior would be enabled by default, but I will try to understand these schemes more and hopefully be able to disable the JSM customers from showing up in this list.
AFAIK, a customer assigned as a Project Lead still doesn't have any actual access or notifications related to the internal Jira Software projects, but it's still a bit concerning that they even show up in the list and can be assigned as a Project Lead.
Hi @njk42
On software projects, a license is required to even be able to use this part of Jira, and then a user would still need to be granted browse permissions on a project (based on role, group or user) to see the issue.
But using the ootb permission scheme is not a best practice, as this always ootb contains all users or all logged in users on permissions.
Yes, understood - we have only licensed internal users/developers accessing our Jira Software project. That's another reason why it was so strange to be seeing our customers from the JSM project in the list of available Project Lead assignees for the internal Software projects.
Also interestingly, our customers from JSM are (correctly) NOT listed as targets for the assignable user on Issues in the Jira Software projects, even though they are assignable as Project Leads. I don't see anything in the permission scheme which indicates that a group or role which contains JSM customers has any additional permissions to administer/lead projects, so I'm becoming further convinced that this is a possible bug when the list of available Project Lead options is rendered on the Project Settings page.
Hi @njk42
Aha, do you mean the project lead option on a project itself?
If this is the case, this is just a field for setting the project lead; this doesn't grant any permission or anything else.
This is just a field other users could use to find a contact for this Jira project.
Yes, confirmed that I'm not really concerned with actually giving permissions to customers or external users when assigning them as a Project Lead... since they are unlicensed.
But it's still disconcerting to have them even listed as assignable as Project Leads when they are both external users and also associated only with the JSM projects (and not the Software projects).
If I have an internal developer or manager who goes to create a new project and wants to assign a Project Lead for that project and sees a list of hundreds of customers instead of just the internal users, it raises questions about actual access rights, whether customers will get email notification that they were assigned as a Project Lead, etc.
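As an added example (not part of the thread and not Atlassian's code), a small audit for the situation described above: it scans project data for internal projects whose Project Lead is a JSM customer account. It assumes Jira Cloud, where project search results expanded with `lead` carry an `accountType` field; the sample data is constructed.

```python
import json

# Constructed sample (not real data), shaped like one page of a Jira Cloud
# GET /rest/api/3/project/search?expand=lead response.
SAMPLE_PAGE = json.loads("""
{"isLast": true, "values": [
  {"key": "DEV", "projectTypeKey": "software",
   "lead": {"accountId": "a-001", "accountType": "atlassian", "active": true}},
  {"key": "OPS", "projectTypeKey": "software",
   "lead": {"accountId": "a-777", "accountType": "customer", "active": true}},
  {"key": "SUP", "projectTypeKey": "service_desk",
   "lead": {"accountId": "a-002", "accountType": "atlassian", "active": true}},
  {"key": "OLD", "projectTypeKey": "software",
   "lead": {"accountId": "a-003", "accountType": "atlassian", "active": false}}
]}
""")


def audit_project_leads(pages, internal_types=("software", "business")):
    """Flag internal projects whose lead is a portal customer, inactive, or unset."""
    findings = []
    for page in pages:
        for project in page.get("values", []):
            if project.get("projectTypeKey") not in internal_types:
                continue  # service desk projects are out of scope for this check
            lead = project.get("lead")
            if not lead:
                reason = "no lead set"
            elif lead.get("accountType") == "customer":
                reason = "lead is a JSM customer account"
            elif not lead.get("active", True):
                reason = "lead account is inactive"
            else:
                continue  # lead is an active, non-customer account
            findings.append({"project": project["key"],
                             "accountId": (lead or {}).get("accountId"),
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_project_leads([SAMPLE_PAGE]):
        print(finding)
```

Run on a schedule against real project data, a non-empty result is the signal that someone picked a customer from the Project Lead list.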