That's fantastic Nic, thanks so much for the info. I was not aware that users can be excluded from the "can log in" group.

I'm not able to find this in the documentation. Would you happen to have a link to where this is in the Jira documentation?

No idea. I suspect it's so simple, I've never looked for it! The users will look like any other user and you add them in the same way (then delete them from any can-log-in group, as Jira will add them to that automatically if you're using it's internal user management)

To find out the can-log-in group, look in Admin -> Global permissions. It's usually just "jira users"

I tested this by removing one of our virtual user accounts from the jira-users group, but after doing this I could not assign a new issue to this virtual user. So I'm not sure this will work. I'm going to change the status of your answer until I can confirm that this will work, but I am feeling hopeful about this. Let me know if you have any other ideas.

Ah, the joy of permissions.

It's quite likely that you're using the off-the-shelf permissions, or permissions that are similar to them. Much as I understand why they're kept simple for defaults and new users, they really are a dreadful example of how to do permissions in Jira and I've been asking Atlassian to create a better default for years.

The problem is that the defaults use jira-users in lots of places. This means you add someone to jira-users, they get all the rights in projects that you expect and makes it an absolute bloody nightmare to unpick later when you need to do anything clever with permissions, like use dummy users or

The standard thing to do is

1) Remove jira-users group from all permission schemes, everywhere. It should not be used for anything other than "can log in" (and possibly some of the other global permissions. But never permission schemes). I often create a new group called "can log in" and swap to using that for logging in, to make it abundently clear.

2) Where you remove jira-users from permission schemes, replace it with appropriate alternatives. To keep it simple to start with, use a flat replacement (later, you can use "roles", multiple groups, custom fields, but that's going way beyond this question). Create a group like "project user" as a replacement for jira-users and whack all your existing users into it.

Now, for this question, you can put every account into "project user" and they'll get all the rights they need. Then, you remove your dummy user from jira-users, and you'll find you can treat it as a normal user, except that it can't log in.

Thanks for taking the time to explain all of this Nic. I really appreciate it.