Software project types are visible to all JIRA users
By default, Software project types in JIRA are visible to all JIRA users. This might pose a potential security problem since all your JIRA users will be able to see and possibly access your company’s software projects. Having setup and customized JIRA for numerous customers and projects in the past this is one of the first issues you should definitely deal with from a security perspective. This post serves as quick note on how to disable access to all JIRA users for software projects types by default and configure access on project based settings instead.
Disable access to all JIRA users for software project types
Per default, the permission to browse Software project types in JIRA defaults to all users. to To overcome this potential security issue go ahead and have a look at the Browse Projects permission in your Default software Schema via the Permission Scheme settings, as shown below:
As you can see by default the Browse Projects permission includes Application access for Any logged in user. Since this setting supersedes the Project role related setting all of your JIRA users will be able to see your software projects by either browsing through the projects list (hence the permission named “Browse Projects”) or by simply using direct links.
Now since we want to set permissions on project level for our users we need to remove the Browse Projects permission setting for the Application access and only use the Project role instead. The screenshot below shows the correct setting for project based browse permissions for your JIRA projects:
You are now able to properly configure access to your JIRA software projects on a project based level and your JIRA users will only see those projects they are a member of.
Final hint: Make sure to check your Browse Projects permission for all of your remaining permission schemes. As always, enjoy JIRA 🙂