
Limit Client Access to Jira

Lydia M
Contributor
July 28, 2023

I have a request to set up a Company Managed project on our Jira instance for a client group. So far, nothing I've tried lets me invite an external user with access limited to only the project to which they are assigned. The documentation I've found seems to be very outdated.

I have set up the project with a Restricted Access permission scheme and a Group that is assigned the Client role in the project. The Client role does not have Browse Project permission. 

I feel like I need to create a new Global Permission role that grants product access, but limits to specific Project Groups? What am I missing?

2 answers

1 vote
Ste Wright
Community Champion
July 28, 2023

Hi @Lydia M 

To confirm, you have...

  • Set up a Company-managed Project
  • Need an external client to see this Project
  • But, they should not see any of the other Projects
  • ...is this correct?

There are lots of potential reasons this is not working - I'll summarise what I'd do to make this work.

---

Platform Access

All users (external or otherwise) need a Jira license to view Jira Projects. You need to ensure that all the client's users have these set per individual email address.

Things I'd consider:

  • Whether the default Group - jira-software-users - should have access to any Projects. It could create a data security issue if it does. It can still be used for basic platform access though
  • Adding all external users to a Group per client, making it easier to track them
  • Given the default Group might become unused, it might also be beneficial to add all internal users to their own Group, eg. direct-employees
  • Assuming you're using Atlassian Access, any external users won't necessarily be required to use your SSO/SAML/2FA settings. In this instance, I'd consider checking out what options there are to activate external user security 

---

Global Permissions

  • I'd consider removing jira-software-users from the Global Permissions, using the external/internal Groups instead to control what users can do. This adds an additional layer of security if you wish to limit access to certain global permissions
  • See this help page for more information on global permissions

---

Existing Company-managed Projects

You need to check how existing Projects are set up, particularly in relation to Permissions. I'd check:

  • Permission Schemes don't allow all users to view them, i.e. Browse Projects is not provided to "any logged in user", or "jira-software-users"
  • Issue Security Schemes also do not have either of these settings in use

If Projects are using Project Roles in the "Browse Projects" permission, I'd also consider either...

  • Informing Project Admins that external users have access to the platform, and to be cautious when adding users to Projects so they don't accidentally grant them access, or...
  • Limit "Browse Projects" for all Projects to be via Groups only. Whether this is necessary depends on your data security needs as a business

Finally, I'd check every existing Project's People settings, to ensure the new external users won't have any accidental access (including via the default jira-software-users role).

---

Existing Team-managed Projects

You need to check:

  • No Projects have their access settings set to "Open"
  • The default jira-software-users Group doesn't have any specific role. If it does, replace it with the internal users role

Similarly, you also need to either:

  • Inform Project Admins that external users have access, and to be careful or...
  • Limit the use of Team-managed Projects - this is because you can't stop a Project Admin modifying the access settings like in Company-managed

If users have the ability to create their own Team-managed Projects, and you decide to limit their use, you'll also need to remove user access to "Create team-managed Projects" in the Global Permissions

---

Project Roles

Check all Project Roles to ensure that they're not adding "all users" via Default Membership to newly created Projects.

I'd still do this even if you remove the use of "jira-software-users", to ensure no other catch-all Groups exist.

---

Setup new Project

Finally, I'd create the new Project's permission scheme.

  • At minimum external users will need the Browse Projects permission to see the Project.
  • You should decide what other permissions might be beneficial - eg. Comment permissions, if you want the external users to ask questions?
  • Add their access via their Group membership
  • You can add the external users to Project Roles, if you'd like to allow Project Admins to control their level of access. If you need the Projects to be more secure though, I'd consider adding all permissions (internal or external) via Groups, so only Site/Org Admins can modify membership, and have access to audit them more easily.

---

Document

Given the amount of security settings here, I'd consider documenting the platform access model.

---

Let us know what you think!

If you want more instructions on how to do anything specific above, drop a comment below :)

Ste

Lydia M
Contributor
July 31, 2023

Hi Stephen, thanks for your detailed response!

So far:

All 3 of your assumptions are correct. 

Platform Access: The jira-users group is for our internal users and allows full access to Browse Projects. We have an external-users group as well that is supposed to be limited. As far as I can tell, the access does not differ significantly from jira-users based on my testing. I can't seem to get back to where I can see what the permissions are or how to change them. 

I have already added a client group at the project level with a limited permission scheme, but the Platform Access is overriding it.

We are not currently using Atlassian Access.

Global Permissions: I found the page you linked in your response prior to posting my question and could not derive a solution from the information provided.

Existing Projects: As I did not set up our Jira instance, I don't know how old projects were set up by the people who set it up and have now left the company. I can only say that all my current projects are set up using appropriate security parameters. Apparently I have some work to do with regard to governance and user/project permission review. At least we do not have any "all users" settings currently in effect.

New Project: See above re: already created w/limited permission scheme. The problem I'm running into is that the platform access includes Browse Projects at the platform level.

I'm going to see if I can figure out how to modify the existing external-users group so that they need to be added by project to browse projects. I also found an employee-users group that apparently has not been used. As I said above - clearly I have some work to do...

Thanks,

 

L

Ste Wright
Community Champion
August 3, 2023

Hi @Lydia M 

Browse Projects is only controlled through Permission Schemes, there's no global setting for this.

That means existing Projects have provided access beyond your need and/or your Permission Scheme isn't set up as required.

Could you provide a screenshot of your "Project permissions" (just the top section)?

---

I'd also check jira-users is not a default Group, i.e. the external users aren't also being added to this Group as it's the one "everyone" gets.

Ste
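
The permission-scheme check described in the answer above (Browse Projects granted to "any logged in user" or to a default group), as an added example that is not part of the original thread. It audits data shaped like the Jira Cloud REST response from `GET /rest/api/3/permissionscheme?expand=permissions`; the sample schemes, the `client-acme` group and the `CATCH_ALL_GROUPS` set are constructed assumptions to adapt to your own site.

```python
import json

# Constructed sample in the shape of Jira Cloud's
# GET /rest/api/3/permissionscheme?expand=permissions response.
SAMPLE = json.loads("""
{"permissionSchemes": [
  {"id": 10000, "name": "Default software scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "applicationRole"}},
    {"permission": "ADD_COMMENTS", "holder": {"type": "applicationRole"}}]},
  {"id": 10001, "name": "Legacy scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS",
     "holder": {"type": "group", "parameter": "jira-software-users"}}]},
  {"id": 10002, "name": "Client restricted scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS",
     "holder": {"type": "group", "parameter": "client-acme"}},
    {"permission": "BROWSE_PROJECTS",
     "holder": {"type": "projectRole", "parameter": "10002"}}]}
]}
""")

# Assumption: groups every licensed user lands in by default on this site.
CATCH_ALL_GROUPS = {"jira-software-users", "jira-users"}

def classify(holder):
    """Return why a Browse Projects grant exposes the project, or None."""
    kind, param = holder.get("type"), holder.get("parameter")
    if kind == "anyone":
        return "public (no login required)"
    if kind == "applicationRole" and not param:
        return "any logged-in user"
    if kind == "group" and param in CATCH_ALL_GROUPS:
        return f"catch-all group {param}"
    if kind == "projectRole":
        return f"project role {param}: review role membership per project"
    return None

def audit_browse_grants(data):
    """List (scheme name, reason) for every risky BROWSE_PROJECTS grant."""
    findings = []
    for scheme in data.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            reason = classify(grant.get("holder", {}))
            if grant.get("permission") == "BROWSE_PROJECTS" and reason:
                findings.append((scheme["name"], reason))
    return findings

if __name__ == "__main__":
    for name, reason in audit_browse_grants(SAMPLE):
        print(f"{name}: {reason}")
```
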

0 votes
Benjamin
Community Champion
July 28, 2023

Hi @Lydia M ,

 

You are likely doing everything right. Unfortunately, there are projects that probably allow all users or all license users to view their projects. So, when your client logs in, they can access those other projects. 

 

If your company has Jira Service Management projects, that may be another option. In Jira Service Management, you have the capability to invite external customers to access a portal to submit requests.

 

https://www.atlassian.com/software/jira/service-management

 

You can sign up for a free plan to try it out.

Lydia M
Contributor
July 31, 2023

Hi Benjamin, we do not have Jira Service Management, and this team will be using Jira for more than service requests.

Thanks for the suggestion.

DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD
PERMISSIONS LEVEL
Product Admin