From first principles, could you go back into the system as Admin and then
Go to the project
Check the permission scheme is correctly associated with the project.

>> Default Permission Scheme is assigned

Open the permission scheme (directly from the project)
Look at the "browse" permission. List everything in there (e.g. Roleeveloper, Group:fred, Assignee)

>> Project Role(users), several groups, and the Single User (viewer)

Now go back to the user and look at their Roles and Groups

>> The user "viewer" is a member of the Group "Viewers"

One other test too - edit the browse permission and explicitly add "user: viewer" and re-test it.

>> Done, as you can see above

Finally, are you using "security levels" at all?

>> Dunno. I don't see any other settings than Issue permission

Ok, the second line makes the groups and roles irrelevant - "single user (viewer)" should make the issue visible to that user. So you're definitely logging in as that user and it's not seeing the issue?

On the security levels, go back to the project administration and look at the tab below "permissions" where you set the permission scheme. On that tab, does it say "Issue security is currently not enabled for this project." or something else? (Or does the tab not appear at all?)

So you're definitely logging in as that user and it's not seeing the issue?

No. The problem is that when I try to log in I get this message:

You do not have a permission to log in. If you think this is incorrect, please contact your JIRA administrators.

I am terribly sorry, I completely missed that before.

Your user "viewer" does not have permission to log in. You need to grant that to them.

The usual default setup is to have the group "jira users" set up as the "can log in" group. So you need to add "viewer" into that group and you'll be fine. Everything else you have done looks absolutely spot on.

There's nothing wrong with that, but unfortunately, the default is then to use jira-users in other places. By the time people realise this is a dreadful design, it's too late, and jira-users is scattered through permission schemes, giving people access to all sorts of things, and it's a pain to un-pick the mess.

I'd test this by adding viewer to jira-users, and if I'm right about that, then you'll probably want to go back over ALL the places jira-users is used, and remove them, so that jira-users group means ONLY "can log in".

I don't have a "jira users" group.

We are using Active Directory to manage real users. I added "viewer" as a JIRA-only user.

Below are the groups that contain the string "user."

Forget "Mac Users."

WHJiraUsers is the AD group that contains our users.

"user" is the name of the local group I put "viewer" into.

I notice that the"user" group has not permission scheme. Could that be it? He is in the Default Permissions.

I tried adding the WHJiraUser group to the "Viewers" role below...

And that let "viewer" in. But it also gave him edit access. So I took that off.

Hummm...

The screen shots I attached are there when I edit the comment, but not in the view mode.

Mmm, you do have a "can log in" group, but it sounds like it may have been renamed as WHJiraUser group.

As admin again, go to "administration -> Users -> Global permissions". There's a line in there that says "Jira Users (Ability to log in to Jira ....)". That will tell you the group, or groups, that can log in. Viewer needs to be in one of them.

Before you leap in though, you need to think a bit more. It sounds like a really easy fix would be to have another group in there (called something like "Read only"), and put viewer in that group, and use the group in your permission scheme. The problem is that ALL new users will be added to that group as soon as it's in there... This could well be fine for "read only" though, it's just that you need to be aware of it.

Found the problem.

Needed the JIRA User global permission:

JIRA Users

Ability to log in to JIRA. They are a 'user'. Any new users created will automatically join these groups, unless those groups have JIRA System Administrators or JIRA Administrators permissions.

Yes, that's what I said, you needed to get them into a login group.