We have got two Jira Data Center installations, one as productive instance and one as instance to test.
In the test instance today I detected a strange behaviour:
A new user without any assignments to roles in projects or to groups could see rack-wheel at the top right edge and select "Projects". So he could change workflows of any project and assign himself as administrator to any project. Maybe he could do much more things I don't want him to do.
This shocked me, and I had a look at the productive instance.
I created a new user without any permissions or groups, like the user in the test instance.
There the user couldn't see the rack-wheel and couldn't administrate anything.
Though I was relieved, I still ask myself why the two instances behave differently in this point. The global permissions are identical in both instances. Only the group "jira-administrators" may administrate Jira.
We want to develop a permission concept and test our ideas in the test instance.
But therefore we must be sure that the behaviour of the two instances is identical.
Does anybody have an idea what we can do?
Hi @Gisela Lassahn,
Welcome to the Community!
What authentication method (user directory) do you use to create users? Are you using an LDAP or Active Directory server? And are you using the same for both Test and Prod?
I'm only asking because when setting up an LDAP user directory for authentication, you can select what the default group users will be added to and I'm wondering if this is different between Test and Prod.
In order to check these settings you will need to log in with a local admin account.
Go to the Admin Cog -> User Management.
Click on User Directories.
Click on the Edit link and you should be able to see those details.
I hope that helps!
-James
Hi James,
Many thanks for your advice.
We don't use our LDAP or Active Directory users for Jira.
We use the option "Jira Internal Directory", and the configuration looks the same in both instances, but I think both instances use their own internal directory.
We also had to create the user in the productive instance manually like he already existed in the test instance.
So I'm still at a loss.
Gisela
Hi Gisela,
This is a really strange one. The only way a user should be able to see the rack-wheel is if they have been granted the Jira Administrators or Jira System Administrators global permissions. It might be worth checking on your test environment to see what group(s) have been granted that role, and then also what groups the user in question belongs to. I know you said that they weren't assigned to any groups, but we should at least check what is set so that we can rule out options as to how this happened.
I hope that helps!
-James
Hi James,
Many thanks!
Yesterday (before I posted to the community) I already checked that only the group "jira-administrators" has got the Jira Administrator and Jira System Administrators global permissions.
And the user I used for my tests was totally new and didn't belong to any groups (only "jira-software-users").
Our productive instance works like we expected it. There the rack-wheel only appears in two cases:
1. if the user belongs to the group "jira-administrators"
2. if the user has got the permission "Administer Projects" for at least one project (depending on the permission scheme, via assignment to a role, a group or directly); then he can only select "Projects" under the rack-wheel and only do changes especially to his projects; he can't change permission schemes, assign users to roles in other projects, change workflows belonging to other projects etc.
In our test instance the test user is not even project administrator but nevertheless sees the rack-wheel and under it "Projects", and he can do changes to all projects.
And I still have got no idea why.
Gisela
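
One way to make the comparison discussed in this thread repeatable, as an added example that is not part of any post above: save the effective-permissions JSON for the same test user from each instance and diff what is actually granted. The two sample documents are constructed, and their shape (modelled on a `GET /rest/api/2/mypermissions` response) and the permission keys are assumptions to check against your Jira version.

```python
import json

# Constructed samples (not from the thread), shaped like the body of
# GET /rest/api/2/mypermissions when called as the new test user.
# Response shape and permission keys are assumptions; verify them
# against your Jira version before relying on the result.
TEST_JSON = """{"permissions": {
  "ADMINISTER":          {"type": "GLOBAL",  "havePermission": false},
  "SYSTEM_ADMIN":        {"type": "GLOBAL",  "havePermission": false},
  "ADMINISTER_PROJECTS": {"type": "PROJECT", "havePermission": true},
  "BROWSE_PROJECTS":     {"type": "PROJECT", "havePermission": true}}}"""
PROD_JSON = """{"permissions": {
  "ADMINISTER":          {"type": "GLOBAL",  "havePermission": false},
  "SYSTEM_ADMIN":        {"type": "GLOBAL",  "havePermission": false},
  "ADMINISTER_PROJECTS": {"type": "PROJECT", "havePermission": false},
  "BROWSE_PROJECTS":     {"type": "PROJECT", "havePermission": true}}}"""

# Permissions that make administration menus available to a user.
ADMIN_KEYS = {"ADMINISTER", "SYSTEM_ADMIN", "ADMINISTER_PROJECTS"}


def granted(raw):
    """Return the set of permission keys the user effectively holds."""
    perms = json.loads(raw).get("permissions", {})
    return {key for key, p in perms.items() if p.get("havePermission") is True}


def permission_drift(test_raw, prod_raw):
    """Permissions held on one instance but not on the other."""
    test, prod = granted(test_raw), granted(prod_raw)
    return {"only_test": sorted(test - prod), "only_prod": sorted(prod - test)}


def unexpected_admin(raw, allowed=frozenset()):
    """Administrative permissions the user holds beyond the allowed set."""
    return sorted((granted(raw) & ADMIN_KEYS) - set(allowed))


if __name__ == "__main__":
    print("drift:", permission_drift(TEST_JSON, PROD_JSON))
    print("test instance admin rights:", unexpected_admin(TEST_JSON))
    print("prod instance admin rights:", unexpected_admin(PROD_JSON))
```

An empty drift for an unprivileged user on both instances is the baseline to confirm before testing a permission concept on the test instance.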