Please see the details below on where I am on this topic and the outstanding question I still have.

I am site admin and we are using Jira cloud. I have created a couple of projects with the Company managed template. I have been able to achieve the following for our projects:

Step 1: I have created 2 new groups (Srcum Team, and Read Only/Client).

Step 2: I created a new scheme from the default software scheme. In this new scheme I replaced all of the instances of (Application access: Any logged-in user) with (Group: Scrum Team). Then I added (Group: Read Only) to the Browse Projects permission section only in the same scheme.

Step 3: I added all of our users who will be working on this project to the Scrum Team Group and I added the customer to the Read only/Client group 

Step 4: I applied the new scheme to our projects.

Important Note: after doing steps 1-4 above, I am part of the Scrum Team but was not able to view the project at all. Then I realized that there is one small step that is not mentioned in any of the articles that had come across (At least it was not clear to me as a beginner). That step was to add the product to any newly created groups so that those new groups that you create have user permissions on the Jira Software product. After I realized that I did step 5

Step 5: Go to Site administration → Groups and locate the newly created groups, click on one the newly created groups, then under the Group product access section click on add product. Select Jira Software and make sure this new group has a user permission role on the product. Repeat this process for any other newly created groups.

Now, steps 1-5 above gave me what I need using groups in my permission scheme to create a simple access control path on my projects.

The outstanding question I still have is: How do you perform the same thing but using project roles instead of Groups?

I have created the project roles and added them to my Scheme. The one step that I have not figured out yet is how to do Step 5 above for project roles. 

Please let me know what I am missing here. Once I hear from you I can share the big vision that I have for creating a good access control path for our different teams and their projects.

Thank you,

Sama

Hello @Sama Bahjat 

Welcome to the community.

Are you work with only Company Managed projects, only Team Managed projects, or a mix of both?

@Michael Andolfatto 's answer applies to Company Managed projects only, and would not affect users' access to Team Managed projects.

Here is a more detailed article explaining how to grant access to only one Company Managed project for a group of users, and it includes granting Read-only access.

https://community.atlassian.com/t5/New-to-Jira-articles/How-to-give-a-user-read-only-access-to-a-single-project-and/ba-p/1010143

Please let us know if you are working with Team Managed projects and are trying to limit users access to those also.

Hi @Sama Bahjat , welcome to the community!

I'm unsure of your user's permission level but on a Cloud instance, those who are members of the site-admins group will have the ability to modify user/group information.

For your questions:

1. Yes - each Jira project has a set of permissions (e.g.  Create Issues, Edit Comments, etc.) and these permissions are linked to either an individual user, or more commonly, a Jira group or a project role. If you want to give access to a group of users for only one project, you can go into your project's settings and click on People. From here you will be able to add an existing Jira group into a project role. 

2. Yes - as I previously mentioned, there are many individual permissions in a project. You can assign the "read-only" ones to a specific project role, and then add the desired group into this role which will allow members to browse the project and read issues without editing them.