Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Enforce read-only access for certain users

Arthur S
Arthur S
Contributor
February 1, 2024

Hi Atlassian community,

 

I am Jira administrator.

We need to ensure that certain users cannot be anything other than read-only. Thing is, once the users are created by our IT, the project administrators can give the roles they want to the users.

How could we add a restrictions on those users to make sure they cannot be anything other than read-only until a Jira administrator put an exception for those users ?

 

Thank you,

Arthur

Answer
Watch
Like Be the first to like this
515 views

1 answer

1 accepted

2 votes
Answer accepted
Mark Segall
Mark Segall
Community Champion
February 1, 2024

Hi @Arthur S - You'll want to take these steps across every permission scheme:

  • Browse Projects: Grant Any Logged In User
  • All other permissions: Remove any groups that you don't want having automatic access to projects and replace with desired roles

This will force all roles and/or groups to be explicitly granted on the individual projects.

NOTE - If you have multiple permission schemes, you may want to consider consolidating them into one to make your life easier.  You'd need to go into each project and change the permission scheme to your enforced centralized scheme and then delete the other options

View More Comments
Arthur S
Arthur S
Contributor
February 2, 2024

Hi @Mark Segall 

 

I am not sure this is what I am looking for, or I don't understand how that will works.

I want to control that specific people cannot be set as users on projects by project administrator.

 

For example, I create a group called "Company A".

I want users in that group to be "Read-only" users on "Project A" and "Project B" but they shall have no access to "Project C". I understand that could be done with the permission scheme. 

Thing is, Project administrator on "Project A" could give access to individual users or group on that group as "users" instead of "read-only" and that's what I am looking to block.

I don't want a "Project administrator" to be able to give users in that group a role where they could input data on our Jira instance.

Not sure it's more clear with the example... 

 

Thanks

Like
Mark Segall
Mark Segall
Community Champion
February 2, 2024

Thanks for the added context.

Unfortunately, this isn't possible with native permissioning because as soon as an individual/role is granted Administer Projects permission, they are free to add whatever users they want to the project. 

The only real option is a bit of a clunky workaround that could be handled by way of the workflow.  For each status in each workflow employed by the project, you could add properties that explicitly deny permissions to your desired group which would serve as an override even if the project admin adds the group or members of that group to the project (I'm not aware of a single property that can address every use case so it'll be several properties that you'd need to add). For example, you would add this property to deny the ability to comment

 jira.permission.comment.denied YOURGROUP

Here are additional references:

https://confluence.atlassian.com/servicedeskcloud/useful-workflow-properties-for-jira-cloud-1097176552.html

Toward the bottom of that page, the article links to this page providing a list of the permissions you'd need to consider adding properties for:

https://www.j-tricks.com/tutorials/permissions-based-on-workflow-status

NOTE - In order to enable other projects to allow those individuals, you would need to ensure that those other projects do not share the same workflows.

 

Like Arthur S likes this
Arthur S
Arthur S
Contributor
February 2, 2024

@Mark Segall 

 

You're right, that would do the job but it's too much to implement. I will propose this solution but not recommend it.

 

Thank you.

Like Mark Segall likes this
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
DEPLOYMENT TYPE
SERVER
VERSION
9.4.7
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.