Thanks Norman,

but still I haven't got it. What I now see, I have to differentiate between "Jira permissions" and "Jira groups". Example: all our staff members are "Jira Users" and are in the group "jira-users". Then I have a group "contractors" which shall not see every project. But this group has "Jira users" permission, and it says on the global permission page therefore is also proposed as default membership for new users.

Am I right that I have to remove the "contractors" from the "Jira Users" permission? This would remove the "contractors" from the default group membership, ok. This means I have to assign them the "jira user" role for every project they may see, right? Or can I include them im the jira-user group?

Is there a way to leave the Global Permissions unchanged and pick a set of group memberships as defaults for new users?

Finally it strikes me that being additionally member of a more restricted group actually doesn't harm, however..

Have you looked at project permission schemes yet? It is a way to assign users, groups and roles to a project. I will not be able explain more until my evening hours. Would this example work for you? (If the example works for you, then if other people want to answer at least there is someting more concrete to work with.) If the example does not work for you then please express your needs better.

admin group
developer group
user group
contract group

default new user group will be contract group

project 1
Every group can access and create issues in this project

project 2
contract group cannot access this project

https://confluence.atlassian.com/display/JIRA/Managing+Project+Permissions#ManagingProjectPermissions-permissionschemes

https://confluence.atlassian.com/display/JIRA/Managing+Project+Permissions

You have to be really careful about granting group-level access in permissions schemes if you have client confidentiality rules and client-users. The Browse global permission on a scheme that is shared for multiple projects where a group has been granted permissions to that project scheme can cause users to be able to see any project in that scheme. My recommendation is to never grant groups not admins and site-admins project permissions in a scheme unless you've got a lot of time and have really mapped out and tested this thoroughly.

The standard practice here is to have a minimal set of "can log in" groups (often, just one) that does little or nothing else (maybe look up user, bulk edit, and access to the "help with Jira" support project)

Most then use roles to control who gets put in where. That really is the most simple approach, and I suspect the response to raising this as a feature request will probably be "use roles"

Nic, I have this set up and like the ability to control what users see. but everytime we create a new user , they get added to any groups that have Global Premission (jira user). is there any way to control what group a new user gets assigned to?

Thanks

Grant

Nope, that's it. A user gets added to all the login groups when you create them.

That's why the standard practice is to have only one or two "can log in" groups and avoid using them anywhere in permissions

I think we got it so far. I removed every external from the jira-user group, instead assigned the Jira User Permission to external groups. So I can achieve they see only projects where they have a role. So far so good. Now I want to "use the contractor user group as the default group for new users". Where can I define that? Jira will assign ALL groups with JIRA User permission to new users. If you don't take them out immediately new users see everything. I think this is a bug, or a security leak. It should be none in first place! I should add we don't use an LDAP.