Why do it?
Here at DataStork we work with clients who often ask us to host their development tools: Jira, Bitbucket, CI/CD and so on. Doing that, we kept running into the same problem: out of the box, Jira Cloud lets every logged-in user browse and contribute to every project on the site. That is unacceptable for our partners, because some of the data is confidential and of great business value to them.
Here is what a secured Jira Cloud site has to provide:
- Allow your clients’ users to access solely their own projects and not others.
- Allow your clients’ users to have view-only permissions on some of the projects.
- Allow members of your organisation to access all projects in view-only mode.
- Allow members of your organisation to be Contributors or Administrators on a per-project basis.
How to do it?
In short, these are the actions we will go through:
- Modify the Default Permission Scheme so that it no longer grants access to every logged-in user.
- Grant permissions to the Contributor and Administrator project roles instead of to Application access (Any logged in user), which the default scheme uses for most permissions.
- Add a new project role called Viewer and attach it, in the permission scheme, to the view-only permissions.
- Create a user group called all-projects-viewers and add the staff members who are allowed to see all projects.
- Assign that group the Viewer role in every project that should be visible to staff.
- Remove the jira-software-users group from all projects: every registered user, including our clients’ users, lands in that default group when they are given access to the Jira product, so membership of it must not grant project access.
- Add clients’ users only to their own projects, with either the Contributor or the Administrator role, depending on how much control the client wants over their Jira project.
- Restrict users’ ability to create Next Gen projects (Atlassian has since renamed them team-managed projects). Such projects carry their own access settings and bypass the permission scheme, so allowing them would undermine the structure set up here.
In Jira Cloud we work with several configuration areas. Here is how to reach the entry points for each of them:
- Site Settings
- Jira Product Settings
- Project Settings
Where is Site Settings?
Site Settings is where you manage which Atlassian products your site has and which users and groups may use them.
Where is Jira Product Settings?
Here you tune everything inside the Jira product: permissions, roles, look and feel, project types, agile boards, and so on. We will need:
- System: to create new project roles.
- Projects: to navigate to the projects.
- Issues: to set up the permission schemes.
Where is Jira Project Settings?
Here you configure everything within the scope of a single Jira project. This is where we assign groups to the proper project roles.
Go to Jira Settings -> Projects
Secure Your Jira Step-by-Step
Step 1. Add New Project Role: Viewer
Go to Jira Settings -> System -> Project Roles
Create a new project role with:
- Name: Viewer
- Description: A viewer is a person who can browse the projects they are allowed to see and read issues, comments, etc.
Step 2: Modify Default Permission Scheme
The Default Permission Scheme is applied to every newly created project and maps each permission to the entities that hold it. To achieve our goal we grant permissions to project roles. This is the simplest way to enforce access control, because who holds each role is then decided per project from Project Settings.
You could instead put all these settings into a new permission scheme. The risk is forgetting to apply that scheme to newly created projects, since keeping it applied is up to you.
There are other ways to achieve the same goal, such as assigning user groups or individual users directly to a permission. We do not advise that: project roles give the finest control, because one scheme then serves every project while membership is managed per project.
Go to Jira Settings -> Issues -> Permission Schemes
Here we will cover the following actions:
- Revoke every permission granted to Any logged in user.
- Revoke every permission granted to jira-software-users (if any was granted).
- Grant access to most of the permissions to the Contributor role.
- Grant access to all of the permissions to the Administrator role.
- Grant access to a set of view-only permissions to the Viewer role.
Remove Any logged in user (Application access) and the jira-software-users group from every permission in the scheme.
Grant Access to Contributors
Grant the Contributor project role the everyday permissions, leaving out the destructive ones (Delete All …):
- Project permissions
- Issue permissions
- Voters & watchers permissions
- Comments permissions
- Attachments permissions
- Time tracking permissions
Grant Access to Administrators
Give the Administrator project role access to all permissions.
This is an example of how the permissions should look. The screenshot shows only the first block, but the same principle applies to the rest.
Step 3: Assign the Default Permission Scheme to Projects
Check that every project that needs to be secured uses the Default Permission Scheme modified in the previous step.
Step 4: Create User Group all-projects-viewers
Go to Site Admin -> Groups
Create a new user group:
- Name: all-projects-viewers
- Description: Used to view all allowed projects; do not add external clients here!
Step 5: Update Project Groups
Add the new user group all-projects-viewers to all projects and assign it the Viewer role.
Remove the jira-software-users group from all projects (if present); otherwise every logged-in user will still be able to access the project.
On the same settings screen you can add your clients’ users as Contributors to the specific projects they need access to.
Step 6: Secure “Create Next Gen Project”
Go to Jira Product Settings -> System -> Global permissions
Prevent all users from creating Next Gen (team-managed) projects by removing Anyone and/or jira-software-users from that global permission.
Step 7: Test User Permissions
There is a way to test the user permissions. Bear in mind that the Login as user option requires switching to the old Jira UI style. The program may switch back and forth between the new and the old style, so check both screenshots below.
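Testing by logging in as a user checks one account at a time. To check every project the same way, the following script audits a permission scheme and a project's role membership against the rules of Steps 2 and 5. It is an example added here, not DataStork's own tooling: the dict shapes follow what the Jira Cloud REST API returns for GET /rest/api/3/permissionscheme/{id}?expand=permissions and GET /rest/api/3/project/{key}/role/{roleId}, the role ids and the "view-only" permission set are assumptions, and all sample data is constructed rather than pulled from a live site.

```python
"""Audit a Jira Cloud permission scheme and project role actors against the
policy of this post: permissions go to project roles only, never to
'Any logged in user' or jira-software-users; Viewer holds only read
permissions; Administrator holds everything; all-projects-viewers is the
Viewer in every project. Example code with constructed data, not DataStork's."""
from dataclasses import dataclass

FORBIDDEN_GROUPS = {"jira-software-users"}
# Assumption: this is the post's set of "view-only permissions".
VIEW_ONLY_PERMISSIONS = {"BROWSE_PROJECTS", "VIEW_VOTERS_AND_WATCHERS",
                         "VIEW_READONLY_WORKFLOW", "VIEW_DEV_TOOLS"}


@dataclass(frozen=True)
class Finding:
    where: str    # permission key, or "<project>/<role>"
    problem: str


def audit_permission_scheme(scheme, role_names, admin_role="Administrator",
                            viewer_role="Viewer"):
    """role_names maps project-role id (string) to role name, as listed by
    GET /rest/api/3/role. Returns a list of Finding, empty when compliant."""
    findings, all_perms, admin_perms = [], set(), set()
    for grant in scheme.get("permissions", []):
        perm, holder = grant["permission"], grant["holder"]
        htype, param = holder["type"], holder.get("parameter")
        all_perms.add(perm)
        if htype == "anyone":
            findings.append(Finding(perm, "granted to Anyone (public access)"))
        elif htype == "applicationRole":
            # Application access grant; no parameter means 'Any logged in user'
            findings.append(Finding(perm, "granted via Application access "
                                          f"({param or 'Any logged in user'})"))
        elif htype == "group" and param in FORBIDDEN_GROUPS:
            findings.append(Finding(perm, f"granted to group {param}"))
        elif htype == "projectRole":
            name = role_names.get(str(param), str(param))
            if name == viewer_role and perm not in VIEW_ONLY_PERMISSIONS:
                findings.append(Finding(perm, f"{viewer_role} holds a non-view permission"))
            if name == admin_role:
                admin_perms.add(perm)
    # Administrator must hold every permission that appears in the scheme.
    for perm in sorted(all_perms - admin_perms):
        findings.append(Finding(perm, f"not granted to {admin_role} role"))
    return findings


def audit_project_roles(project_key, roles, viewer_role="Viewer",
                        viewers_group="all-projects-viewers"):
    """roles maps role name to the body of GET /project/{key}/role/{roleId}."""
    findings, viewer_groups = [], set()
    for role_name, body in roles.items():
        for actor in body.get("actors", []):
            if actor["type"] != "atlassian-group-role-actor":
                continue  # individual users are fine; only group grants are checked
            group = actor["name"]
            if group in FORBIDDEN_GROUPS:
                findings.append(Finding(f"{project_key}/{role_name}",
                                        f"group {group} gives every logged-in user this role"))
            if role_name == viewer_role:
                viewer_groups.add(group)
    if viewers_group not in viewer_groups:
        findings.append(Finding(f"{project_key}/{viewer_role}",
                                f"group {viewers_group} missing; staff cannot view the project"))
    return findings


# Constructed sample data; the role ids are made up.
ROLE_NAMES = {"10002": "Administrator", "10100": "Contributor", "10101": "Viewer"}
_admin = {"type": "projectRole", "parameter": "10002"}
_contrib = {"type": "projectRole", "parameter": "10100"}
_viewer = {"type": "projectRole", "parameter": "10101"}

DEFAULT_SCHEME = {  # the kind of out-of-the-box grants this post warns about
    "permissions": [
        {"permission": "ADMINISTER_PROJECTS", "holder": _admin},
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "applicationRole"}},
        {"permission": "CREATE_ISSUES", "holder": {"type": "applicationRole"}},
        {"permission": "DELETE_ALL_COMMENTS",
         "holder": {"type": "group", "parameter": "jira-software-users"}},
    ]}
HARDENED_SCHEME = {  # what Step 2 produces for the same permissions
    "permissions": [
        {"permission": "ADMINISTER_PROJECTS", "holder": _admin},
        {"permission": "BROWSE_PROJECTS", "holder": _admin},
        {"permission": "BROWSE_PROJECTS", "holder": _contrib},
        {"permission": "BROWSE_PROJECTS", "holder": _viewer},
        {"permission": "CREATE_ISSUES", "holder": _admin},
        {"permission": "CREATE_ISSUES", "holder": _contrib},
        {"permission": "DELETE_ALL_COMMENTS", "holder": _admin},
    ]}
GROUP = "atlassian-group-role-actor"
PROJECT_ROLES_BEFORE = {
    "Administrator": {"actors": [{"type": GROUP, "name": "jira-administrators"}]},
    "Contributor": {"actors": [{"type": GROUP, "name": "jira-software-users"}]},
    "Viewer": {"actors": []},
}
PROJECT_ROLES_AFTER = {  # what Step 5 produces
    "Administrator": {"actors": [{"type": GROUP, "name": "jira-administrators"}]},
    "Contributor": {"actors": [{"type": "atlassian-user-role-actor",
                                "displayName": "Client User"}]},
    "Viewer": {"actors": [{"type": GROUP, "name": "all-projects-viewers"}]},
}

if __name__ == "__main__":
    for label, scheme in (("default", DEFAULT_SCHEME), ("hardened", HARDENED_SCHEME)):
        print(label, "scheme:", audit_permission_scheme(scheme, ROLE_NAMES) or "OK")
    for label, roles in (("before", PROJECT_ROLES_BEFORE), ("after", PROJECT_ROLES_AFTER)):
        print("ACME", label + ":", audit_project_roles("ACME", roles) or "OK")
```

Against the constructed default scheme the audit reports the two Application access grants, the jira-software-users grant, and the three permissions the Administrator role does not hold; against the hardened scheme and the post-Step 5 role membership it reports nothing. On a real site you would feed it the JSON of every permission scheme and of each project's roles, and run it after each new project is created, since a newly created project can still end up with the wrong scheme or the wrong groups.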
We have shown how to set up your Jira Cloud projects so that your clients are satisfied and have access only to the content they need. We have also given your company’s staff view-only access to all projects, so employees can keep track of the process and the development of the sprints and get insight into different projects and their current tasks.
To give a new user access to a project, add them on the project’s People tab with either the Contributor or the Administrator role.
If the new user is a company staff member, you can also add them to the all-projects-viewers group.
For a newly created project, apply the Default Permission Scheme, then add the all-projects-viewers group and jira-administrators (if not already present). You can choose to copy the settings from an existing project when you create the new one; that copies the basic project settings, including the permission scheme, but not the users or groups that have access to the project.