Forums

Articles
Create
cancel
Showing results for 
Search instead for 
Did you mean: 

How to restrict the project admin access for 'users& roles' section

Anu
Contributor
June 6, 2018

I want to restrict the project admin access in particularly editing of the project role section . if the user is associated with admin access for the particular project,user should not able to add/edit or delete the users in project roles section.

is there any way to achieve this? 

2 answers

0 votes
Grigory Salnikov
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 7, 2018

Hi!

To manage roles is one of the key project admin rights. In your case I would create a new "project admin" role and grant it all the needed permissions.

Anu
Contributor
June 7, 2018

Hi Greg-this is not the case. As the system admin,I will taking care of the user access.

I want to restrict  the access to "project admins"

Like Leonid Lee likes this
0 votes
Ollie Guan
Community Champion
June 7, 2018

Hi @Anu,

As far as I know, the current permission scheme cannot carry out such fine-grained management. You can refer to the following:

https://confluence.atlassian.com/adminjiraserver074/managing-project-permissions-881683464.html#Managingprojectpermissions-Extendedprojectpermissions

Anu
Contributor
June 7, 2018

Thanks Ollie for the link. However 'Administer projects' roles comes with below package of permissions. .

"Administer projects

Permission to administer a project in JIRA. This includes the ability to edit project role membership, project components, project versions, and some project details ('Project Name', 'URL', 'Project Lead', 'Project Description')." 

If I remove the administer projects role in the permission scheme , admins won't be able to modify the components/versions .

We have around 6000+  users in the environment. I want to revoke the admin access only  to 'user & roles' section.

 

Do you know any other way?

Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 7, 2018

Ollie's description is correct, you cannot have partial admins.

You could do it by removing all roles from permissions, notifications and so-on, using only groups to grant access.  This will, of course, leave your administrators in group-maintenance hell, but that is effectively your goal.

Anu
Contributor
June 12, 2018

Thanks,but still this is not solve my query.

If the user/particular group is not part of the administer role users won't be able to work on the versions and components also. There is no way I guess to choose the particular actions as part of the administer functionality.

There should have been proper management options for the administer roles actions.When we have 5K +active users in the organisation, some functionality matters.

Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 12, 2018

It does solve your query - you just put the users who need to edit versions and components into a group granted "project administration".  The role itself is irrelevant.

One of the permissions is "administrate project", which you'll need to grant to groups to all allow the project admins to handle versions and components.

 

Delegating permissions more finely is something Atlassian have always had on the to-do list, and some of it is happening. 

Giving project admins the rights to versions, components and users was part of it, but they've not moved again until recently, where they get some access to fields and workflows as well.

Anu
Contributor
June 12, 2018

Hi Nic-if you look at my query,problem is restriction on editing  the "user & roles section" alone. 

"Administer projects" comes with the below package , I cannot choose the particular action.

Permission to administer a project in JIRA. This includes the ability to edit project role membership, project components, project versions, and some project details ('Project Name', 'URL', 'Project Lead', 'Project Description')." 

 

Permissions.PNG

Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 13, 2018

Ahegde, if you look at the answers, you'll see Ollie confirms that there is no way to stop project administrators managing users and roles, but mine tell you the way to make the roles irrelevant so that it does not matter if the project admins do anything with them.

Anu
Contributor
June 13, 2018

We got some security issues in our case,so we found out only to avoid this situation is by filtering the administer permission. 

If there is no way,then we can drop the matter here.At least in the future  Atlassian team should consider the fine tuning of the permission schemes .

Like Andrew Kerr likes this
Anu
Contributor
June 13, 2018

Thank you for all your answers

Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 13, 2018

I'm not sure how security issues might affect this (I am curious as to why it is a security problem to have access to maintain roles when they have been configured to have no effect)

Also, one thing I completely forgot to mention - if you do decide to go the route of group based access, then make all the permission changes for that, and when you're happy with it, make another change.  Go to admin -> Project Roles and simply delete every role from the list

I have a feeling Jira might force you to keep at least one, but you could keep one called "This is a pointless role, do not use", just to be clear to your project admins.

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events