I didn't add the group there and the user can still transition. The only permission they are added to is the Browsing permission, so they can see the projects. 

Hi @Elior Odinak,

Can you give more details on this

Jira version? if it is on 6.3 or above check this "Transition Issues" permission who are all having access/permission

Jira Software Cloud. 

I checked the transition issues permission and the only ones who have access are "Application access: Any logged in user" and some Project role for atlassian add-ons. So not my group or role that I created for Read Only users.

Hi,

That makes sense here, "Any logged in user" is like giving access to all users 

so anyone has access to browse your project, they can make the transitions too

If you are having access to modify permission scheme then you need remove "any logged in user" and add the "group/project role" whom you want to grant access for making transitions

This page may help in permission scheme configuration:  https://confluence.atlassian.com/adminjiracloud/configuring-project-permission-schemes-868982875.html 

Ok so according to that logic I would need to remove any logged in user from all the permissions (which is a lot of permissions) for all my projects, since that is how it is set up at default.

Yes. Out of the box JIRA has a terrible security model. 

JIRA works by GRANTING access. You can't restrict access. By default, it grants access to the group used to logon (used to be JIRA-users but may be different on your version).  This is where they’re getting the access from.

1. The FIRST thing you need to do to get control is to remove any groups with logon privileges from the permission scheme unless you absolutely want everyone to have that permission.
2. Then I suggest you setup Project Roles for the various functions like, tester, QA, Browse Only, etc.
3. One permission scheme will cover almost all projects. The project admin controls project role membership

This may be a big effort, but it will pay off down the road by making it easy to control access.

Most of the 'old timers' use project roles. It meets the best practice for security and gives complete control to the project lead for access to their project. JIRA comes with many project roles, but you can add more if you have a special need.

Thank you all for the explanations. 

Yes, I read this one. The issue I have is I'm going to need to add like 5 conditions to every transition to 3 separate workflows. I was wondering if there was a way to add 1 condition that says this group is the group that DOES NOT have permission to do this. The way this is set up, the condition is for a particular group that CAN do this action which means I need to add every group vs just adding 1 group that can't do it. Hope that makes sense.