
To facilitate administration and improve security, we have moved away from a group-based authorization approach (*1) and now use a role-based approach. We defined the following roles and their respective access rights in the Default Permission Scheme used by most projects.

| Permission | Anyone | Any Registered User | Contributors Project Role | Committers Project Role | PMC Project Role | Administrators Project Role |
|---|---|---|---|---|---|---|
| Administer Project | (error) | (error) | (error) | (error) | (tick) | (tick) |
| Browse Projects and Issues | (tick) | (tick) | (tick) | (tick) | (tick) | (tick) |
| View Commit Information | (tick) | (tick) | (tick) | (tick) | (tick) | (tick) |
| Create Issues | (error) | (tick) | (tick) | (tick) | (tick) | (tick) |
| Edit Issues (in addition to the reporter) | (error) | (error) | (tick) | (tick) | (tick) | (tick) |
| Set/Edit Issue's Due Date | (error) | (error) | (tick) | (tick) | (tick) | (tick) |
| Move Issues | (error) | (error) | (error) | (error) | (tick) | (tick) |
| Assign Issues To Others | (error) | (error) | (error) | (tick) | (tick) | (tick) |
| May Be Assigned To Issues | (error) | (error) | (tick) | (tick) | (tick) | (tick) |
| Resolve Issues (in addition to the reporter) | (error) | (error) | (tick) | (tick) | (tick) | (tick) |
| Close Issues (in addition to the reporter) | (error) | (error) | (tick) | (tick) | (tick) | (tick) |
| Modify Reporter | (error) | (error) | (error) | (error) | (error) | (tick) |
| Delete Issues | (error) | (error) | (error) | (error) | (tick) | (tick) |
| Link Issues | (error) | (tick) | (tick) | (tick) | (tick) | (tick) |
| Set Issue Security Level | (error) | (error) | (error) | (tick) | (tick) | (tick) |
| View Voters And Watchers | (error) | (tick) | (tick) | (tick) | (tick) | (tick) |
| Manage Watcher List | (error) | (error) | (error) | (tick) | (tick) | (tick) |
| Add Comments | (error) | (tick) | (tick) | (tick) | (tick) | (tick) |
| Edit Own Comments | (error) | (tick) | (tick) | (tick) | (tick) | (tick) |
| Delete Own Comments | (error) | (tick) | (tick) | (tick) | (tick) | (tick) |
| Delete All Comments | (error) | (error) | (error) | (error) | (error) | (tick) |
| Create Attachments | (error) | (tick) | (tick) | (tick) | (tick) | (tick) |
| Delete Own Attachments | (error) | (tick) | (tick) | (tick) | (tick) | (tick) |
| Delete All Attachments | (error) | (error) | (error) | (error) | (tick) | (tick) |

Anyone with PMC or Administrators project roles can add users to roles. Go to the Administration page, select your project and click the view link on the far right. On the project summary page that appears, click the view members link.

Some projects want to let those in the 'Contributors' role assign issues to themselves or to others. A second permission scheme, Default plus Contributor Assign Permission Scheme, adds this ability for those in the Contributors role.


Some Global Permissions to look out for:

| Permission | Anyone | Any Registered User | all-developers Jira group (deprecated) | committers LDAP group |
|---|---|---|---|---|
| Bulk Change Issues | (error) | (tick) | (tick) | (tick) |
| Create Shared Objects | (error) | (error) | (tick) | (tick) |
| Manage Group Filter Subscriptions | (error) | (error) | (tick) | (tick) |







(*1) - Previously, we used 'Group Based Authorization'. However, this requires global 'Jira System Administrators' to add people to and remove them from each group. During a cull many moons ago, Infra removed over 150 'Jira System Administrators' that were purely in that position in order to be able to add/remove people from Jira Groups. With those people removed, the Infra team was left fielding requests from projects needing to add and remove folk. This was unsustainable and did not match the self-serve model Infra is trying to establish. Therefore, we moved to using 'Role' based permissions, in which any Jira 'project administrator' can add and remove individuals to roles. In late 2019, Infra enabled LDAP in Jira, and so this is now even easier, with the $project and $project-pmc LDAP groups assigned to the 'committers' and 'administrators' roles respectively. Under the current system, Infra does not have to do much adding and removing, aside from helping projects that need to add Contributors.


2 Comments

  1. AIUI the group-based auth approach had various disadvantages and caused various issues.

    If these issues are documented somewhere it would be useful to link to that discussion.

    If not, then perhaps the rationale for the choice of role-based approach could be documented on this page or a related page.