I know there are questions already answered but I can't get it to work.
I want to grant an external user access to a specific project, without having to change permissions for all other projects.
I created a new group, added this user to this specific group and removed it from the "jira-users-group", and added this user to the project.
But when I log in as this user, I can't access any project.
What can I do from there?
Hi Nathan,
Let's assume that you want to give Bob access only to project ABCD and nothing else. I'm afraid there's no simple way to do this without changing the permissions for other projects as well.
Please find below the step-by-step guide. Mainly you will have to create 2 new groups, let's say Internal and External. Add Bob only to the group External and every other user to the group Internal. Then create a new permission scheme that grants permissions to both groups, and modify the Default Software Scheme to remove access given to Any logged in User and provide access only to Internal group. The procedure might seem long, but this is because I have described every step in great detail. The whole thing should take about 30 minutes.
Part 1: Create the 2 groups:
Part 2: Give application access to the group External:
Part 3: Assign all the other users to the group Internal and assign Bob's user to the group External:
Part 4: Modify the current permission scheme to remove access for any logged-in user and replace that with the group Internal.
Part 5: Create a new permission scheme based on the default one, modify it to include access for group External and assign it to the project ABCD:
Part 6: Assign the new permission scheme to the project ABCD:
That's it.
Thanks. There is no way I would have figured that out myself.
A few changes:
- In part 4 section 3, do the grant of the group internal before removing the any logged in user. It is easier to see where you are in the long list.
- In part 5, section 4 the group is external, not abcd, and it is easier to say add the group to wherever you see the internal group.
And, there should be an easier way than to spend lots of time doing all these steps.
Whoa @Claudiu Lionte this is exactly what I was looking for! I'm sure many others would appreciate the time and attention to detail you put into this step-by-step guide. Thank you so much for doing that.
It'd be great if your steps were just added to the JIRA official documentation. I know there are lots of repeat questions with the same ask (I just submitted one a few days ago...and only found your answer now).
@Nathan Zylbersztejn Did you get the project restrictions to work like you needed? If so, it'd be great for you to "Accept" Claudiu's answer so that it'll be ranked higher in future related searches 👍🏼
@Claudiu Lionte Quick question: Is there a reason why you're shying away from granting the Browse Projects permission to Roles, instead of the 2 specific groups?
I imagine that'd make future project admin easier too, but curious to hear your thoughts.
Hi @Johnson Wang,
There is no technical reason for me to recommend groups over project roles. In fact, it is, indeed, best-practice to use project roles instead of user groups.
The reason why I created this procedure using groups instead of roles is simplicity, as project roles will add a separate level of complexity and, especially for admins new to Jira, might create more confusion.
@Bob_Gifford Thank you, I will edit my answer to correct the small mistakes that you spotted.
Very helpful. Thanks for posting this answer.
@Claudiu Lionte Umm.. I think I still have an issue.. Still external user can see all my other projects, any help would be appreciated on this please?
They are being allowed in with the permission scheme. You need to look at the permission schemes to see if they belong to ANY group that is getting permission. As I and others have stated, by default JIRA puts the jira-users group access (depending on release the group may have a different name). The best way to control access is to remove ALL groups from the permission scheme and use project roles. The project admin controls membership in the roles so there won't be any surprises in accessing the project. By using roles you can have one permission scheme for all projects.
Thanks @Joe Pitt & @Claudiu Lionte, probably I will try again to follow all steps, not sure where I am making mistakes, but anyway this was very useful. I will try again and see where I missed.
Thanks for the support. It helped me a lot but it is not 100% correct.
Part 5, Section 4 should be done only for specific access only otherwise client will get access to every feature in your project.
I have written a separate article on how to give a user permission to only one project:
This new approach uses project roles instead of groups and is considered best-practice (as Johnson noticed). It is just a bit more difficult to implement initially, but it has the advantage that it scales well and once implemented you can easily add another person to a separate project.
The most common scenario for this is when you want to give access to your customers to their projects, and one customer must only see their own project.
Doesn't this require any change to Application level group permission (by default include only jira-users)?
I asked that because even after I add a (external) user to client group, he/she still has to be in jira-users, hence by default will see all existing projects that have jira-users in the User role (which is included by default)
The instruction is really helpful. Thanks for doing that. I still have some questions:
1- Why do we have to create Internal group? Can't we just use jira-users as Internal group, take Bob out of this group, and add him to External group, does it suffice?
2- If we give External group access to JIRA App, but in the project that we want Bob to access, we just grant Bob's account directly into the special permission scheme for that project, I guess that it still works (even though I know it's a maintenance issue to track individual accounts in the permission scheme, but technically it should work). Is that correct?
The basic problem with using the jira-users group in any permission scheme is it is ever changing. Whenever a user gets an id they are automatically added to all groups that have logon rights. The best way to get control over who can access what is to use project roles. It gives the best granularity and allows project admins to allow only those users to have access that should. It is the standard best practice security model. Since all project roles are universal and appear in all projects one permission scheme can be used across all projects.
Hi Joe, You are totally right with the project roles argument here. So no question about it.
The question #1 here is just for Part 1 of the instruction above, to understand better the need to replace default jira-users (where all users are in) by Internal group. I hope that I don't need to create Internal group, and just use jira-users for all users except Bob. It will simplify the changes we need to make to all the permission schemes which used jira-users group before.
You don't want to create an internal group. You want to stop using groups in permission schemes and convert to project roles. You can add the project roles and convert over a period of weeks project by project. JIRA admins need to administer groups. Project admins add/delete users from project roles.
You are right again. Sorry, for the confusion.
I don't use groups in permission schemes, but I have to grant jira-users group the Users Project role (and/or other roles) for every project in the Project configurations (not in the permission scheme).
Let me rephrase my question by rewriting the instruction above with simpler steps here and hope that someone would tell me if it still works, or not:
Part 1: Create the 1 new group called External:
Part 2: Give application access to the group External:
Part 3: Assign Bob's user to the group External, and take Bob out of jira-users group
Part 4: Add Bob to the appropriate Project Roles of the only project, AAA, which he needs access
Assuming that all the projects are currently working as expected prior to Part 1. Then can I use the instruction above to just give Bob access?
And if there are additional users like Bob in the future, I can just follow Part 3 and Part 4 for them. Does it work?
I think I missed the first step to ensure NO permission scheme allows 'any logged in user'. This must be made, before my steps above hold:
Part 0: Modify the current permission scheme to remove access for any logged-in user and replace that with the group jira-users.
I think the cloud is set up differently than the server version. The jira-users group contains all the users so by granting it access you grant everyone access. The point I'm trying to make is to stop using any group allowing login access from permission schemes. The cloud may work differently, but any time a user is added they are automatically added to all groups, except admin, that allows login access. Almost anyone using groups in permission schemes will eventually have a problem restricting access.
JIRA works by GRANTING access. You can't restrict access. By default it grants access to the group used to logon (used to be jira-users but may be different on your version). This is probably where you're getting the access from.
The FIRST thing you need to do to get control is to remove any groups with logon privileges from the permission scheme unless you absolutely want everyone to have that permission. Then I suggest you set up user roles for the various functions like, tester, QA, Browse Only, etc. Then you can create one permission scheme to cover almost all projects. The project admin controls which users are put in the roles. This may be a big effort, but it will pay off down the road by making it easy to control access.
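Added example, not part of the original thread and not Atlassian's code: a simplified Python model of the grant-only evaluation described above, showing why an external user keeps seeing other projects until every broad grant is gone. The group, scheme, project and user names are constructed, and the holder types are a simplification rather than Jira's data format.

```python
# Simplified model of grant-only permission checks. NOT Jira's API or data
# format: every name and value below is constructed for illustration.
LOGIN_GROUPS = {"jira-users", "External"}   # groups with application access

# Scheme -> holders granted Browse Projects, as (holder_type, holder_name)
SCHEMES = {
    "Default":    [("any_logged_in", None)],
    "GroupBased": [("group", "jira-users")],
    "RoleBased":  [("project_role", "Users")],
}
# Project -> (scheme, {role: members}); a role member may be a user or a group
PROJECTS = {
    "ABCD": ("RoleBased",  {"Users": {"bob", "alice"}}),
    "FIN":  ("RoleBased",  {"Users": {"jira-users"}}),
    "HR":   ("Default",    {"Users": {"alice"}}),
    "OPS":  ("GroupBased", {"Users": {"carol"}}),
}

def grant_matches(grant, user, roles, groups):
    """True if this single grant gives `user` the permission."""
    kind, name = grant
    in_group = lambda g: user in groups.get(g, set())
    if kind == "any_logged_in":
        return any(in_group(g) for g in LOGIN_GROUPS)
    if kind == "group":
        return in_group(name)
    if kind == "project_role":
        members = roles.get(name, set())
        return user in members or any(in_group(m) for m in members)
    return False

def unintended_access(user, intended, groups):
    """Map each project visible beyond `intended` to the grants that allow it."""
    found = {}
    for project, (scheme, roles) in PROJECTS.items():
        hits = [g for g in SCHEMES[scheme] if grant_matches(g, user, roles, groups)]
        if hits and project not in intended:
            found[project] = hits
    return found

if __name__ == "__main__":
    before = {"jira-users": {"alice", "carol", "bob"}, "External": {"bob"}}
    after = {"jira-users": {"alice", "carol"}, "External": {"bob"}}
    for label, groups in (("in jira-users", before), ("External only", after)):
        print(label, unintended_access("bob", {"ABCD"}, groups))
```

Taking the user out of jira-users closes the group grant and the role that contains the group, but the project on the scheme with the "any logged in user" grant stays visible until that grant is removed.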
You need to configure the permission scheme for the project you want the user to access. Take a look at Permissions overview, it explains the different permissions and how a user is assigned to them.
Thank you Mikael. The link explains concepts but not how to do the simple thing I need.
I created a new permission scheme, added this project to the permissions scheme and removed it from the default one. Created a group, added an external user to this group, and added browse and manage project permissions for that group to the scheme.
When I log in as this user, I can see all projects but the one he's supposed to have access to... What am I missing?
Hi Nathan,
If you need more help on this, I've created a new KB with a step-by-step in the New Interface of Jira Cloud to better illustrate them, so I'd recommend you to check it out!
Please, let me know what you think!
Cheers