Could you please confirm if the following solution would work:

- create a custom field as a drop down list with multiple values (site1, site 2, site3,...) - multiple values is important as some issues can relate to several sites.

- set up the security schemes based on this field

The expected result is:

- internal users can see all sites

- external users can see only issues related to their site

Additional question: can external users edit and/or create and/or comment issues for their site?

Thanks.

>set up the security schemes based on this field

This can't be done natively.  A security scheme is a collection of "levels".  Each level is a set of rules for users. (e.g. Top Secret = only people in group X, Secret = people in roles X or Y, and so-on).  You have to set a level to apply the rules.

Other fields have no direct impact on security.  The only way to make them do that is to have code that looks at the custom field and sets a level for you automatically.

You are going to need to have one level per combination of sites in order to do this.

Let me propose another solution:

- create a generic user for each site ("site1", "site2",...)

- set restrictions for these generic users based on the values of the custom field

Would this work?

No, because you need to set the level.  The custom field is irrelevant.

So there is no way to set different access levels based on a custom field ?

No, the levels are set by the level field.

There are some uses for a custom field - a level can refer to a user or group picker on the issue, but that won't set the level for you and relies on your users setting them correctly.

As far as I know, Jira is commonly used by service desk teams. Service desks usually manage several groups of users. How do these teams provide visibility to their different user groups, showing to each group only the information that is relevant to their group? For instance, the list of all outstanding issues for a given group?

If they are using plain Jira, then they tend to split it up by project.  Some projects then use security levels if they're going to want to hide specific things.

You can also use the more dynamic features in permission schemes.  For example, in old Jira versions "Reporter Browse" in a project used to mean "allow reporter to see their issues, but no-one else's (unless allowed via another route)", and that was finally implemented properly in just "Reporter" a few versions ago.

Or, you can layer Jira Service Desk over Jira projects.  That splits your users into "customers" who see only requests that they raise, and possibly their organisation's requests, and ones they are explicitly allowed to.  This is NOT the same as Jira access, which shows the projects to Agents and Jira Users (the other two types of user for JSD)