Allow assignees to browse issues without exposing project info in Jira Data Center
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Granting the "Browse Project" permission to any of the following entities in a project's permission scheme allows all users to view project information, such as the project name, project key, and so on.
- Reporter
- Single user
- Current assignee
- User custom field value
- Group custom field value
Cause
Permissions for all of these entities are granted on the issue level, and not the project level. When you create the first issue in your project, it will be restricted to the entity you've chosen (e.g. current assignee), but the whole project will be visible to anybody, as there are no project-level permissions that would restrict it (for example, role Administrators).
If you’re looking to hide the project, you need to assign the ‘Browse project’ permission to a role or a group, and then use issue security levels to further restrict particular issues.
Hide the project, then use issue security to selectively allow users to view issues
Start by hiding the whole project. You can do this by setting the "Browse Project" permission to one of the following entities. Permissions for these entities are granted on the project level, and will work before you even create the first issue.
- Project role
- Application access
- Group
Once you've hidden the project information, you can further restrict issues by using issue security schemes and security levels. For more info, see Restrict users to see only assigned or reported issues in Jira Data Center.
Enable optional security type in Jira configuration
To work around this issue with Assignee and Reporter, you may enable the optional "Assignee (show only projects with assignable permission)" security type. This security type allows you to restrict project browsing to "assignable" users (i.e. users which can have issues assigned to them) in a project permission scheme.
You can use this security type instead of "Current Assignee" in your project permission schemes. More information regarding the Reporter on Current Reporter Browse Project Permission
To do this:
- Edit the
WEB-INF/classes/permission-types.xmlfile Find the following code and uncomment all code in the <type> tag:
<!-- Uncomment & use this permission to show only projects where the user has the assignable permission and issues within that where they are the assignee --> <!-- This permission type should only ever be assigned to the "Browse Projects" permission. --> <!-- Other permissions can use the "reporter" or "create" permission type as appropriate. --> <!-- <type id="assigneeassignable" enterprise="true"> <class>com.atlassian.jira.security.type.CurrentAssigneeHasAssignablePermission</class> </type> -->- Restart Jira
- Configure the permission scheme for the project, remove the "Browse Project" permission from "Current Assignee", and assign the "Browse Project" permission to "Assignee (show only projects with assignable permission)"