Has anyone considered implications outside of project permissions?

What about filters and dashboard, which are not confined by project permissions. Simply the name of a filter may expose information a company wants to keep private.

Teams functionality is not permissioned. So an external party could browse teams, and users in your business.

App, Plans, Assets, these are all other areas where information leakage may occur that are outside the scope of project permissions.

Does anyone have real-world experience of allowing third parties into your Jira instance while preventing any information leakage that you don't want exposed?

Kindly check this for detailed description https://confluence.atlassian.com/display/JIRAKB/How+to+grant+permissions+to+specific+users+in+a+Jira+software+project+that+has+a+shared+permission+scheme

Hi @Samantha Morrison , welcome to the Community. 

in a nutshell this is a permissions issue which is likely obvious. One possible reason is that the project that the person wrongly has access to is set to be wide open. For example the permissions include “any logged in user”. I used to do this on some projects when we first started with Jira but soon learned it was a bad idea. I would start by looking at the project the individual has access to, and scour the permissions scheme to see why they may have access. Sometimes the issue is that when a user is added by default, there added into a broad roll, such as jira-users. 

Hi @Samantha Morrison and welcome to the community,

You have probably included that person to a group which grant access to all projects (due to permissions scheme).

For starters I would:

• create a new group called e.g. "externals" or similar. Then
• Add this person to this group
• Remove this person from the general group which grants product access to Jira
• Give product access (to Jira) to that group
• Maintain the project membership as you currently have it

Try it and let me know.