Hi @Melissa Clark,

It is all in all not that difficult, but there's several different configuration options due to the different project types indeed.

Company-managed projects

Jira has a fine-grained permission system with a lot of detailed permissions. All these (available) permissions are grouped in what we call a permission scheme. In such a scheme you define (generically) who should be able to do what in a project. If you want to apply best practice, associate project roles with permissions in a scheme to basically define what persona will be able to do certain things in a project.

The settings you specify in a scheme are managed centrally by a Jira Administrator. But to apply the settings you configure, you need to associate this scheme with a project. How you do this is also documented in the support article I already linked above. Ideally, if you have similar projects in your Jira instance, it is best to associate them all with the same permission scheme.

Once that's done, you can assign people in your projects to the roles you have granted permissions via the scheme. This is something you do in each project separately, in project settings > people. By preference, assign user groups to roles there and in exceptional cases individual users.

You may see that it is not so much a problem to grant a user access to a project, but you may see that this user also gets access to projects you would like to restrict access to. That is because - by default - standard permission schemes generated by Jira grant browse project permission to Any logged in user. You should get rid of that if you want to get rid of this unwanted access.

Team-managed projects

These projects don't use schemes. Permissions are set up for each project separately. You basically define whether a project is private / open / limited and may grant Access to users in Project Settings > Access. Options are more limited than in company managed projects.

For more information, see this support article 

Hope this helps!