I have a case where we are wanting to allow vendors to get accounts on our jira instance and have access to just some projects.

The problem is that most of our projects have permission schemes with 'any logged user'  used quite heavily. I'm trying to find the best way to remove the wide open access we have now and break users into 'employees' and 'vendors' and modify the permission schemes.

My thought was to:

1) at user creation time put a user in the group either 'employee' or 'vendor'. I'm assuming this would have to be a manual process doe after user creation since by default everything just goes into jira-users group. it seems like this would have to be post user creation, so it would create a small window where vendors could see everything.

2) Edit each of the permission schemes to :

a) remove all references to 'any logged in user'

b) replace the removed 'any logged in..' permissions reference with a pair of permission rules 1) group(employees) and 2) role(Vendor)

This way I get to keep the global access that we need as a company, but keep vendors out of them unless they are added to the Vendors role of that project. 

I don't want project admins to have to pick all employees for a role ad then keeping having to update it as new hires come on, so this is why I used a group for employees

I'd like to remove the need for IT to remember which group to have to put a new user into, is there any jira setup configs that would let me add an option from the products to pick, Jira -Employee or Jira - Vendor.

Or, is there a a better/simpler way to accomplish this?