Define company-managed project permissions with schemes
20 min
Advanced
By the end of this lesson, you’ll be able to:
- Describe permission schemes
- Create a permission scheme
- Configure company-managed project permissions in a permission scheme
- Configure a permission scheme using roles
What are permission schemes?
For company-managed projects, you’ll use permission schemes. A permission scheme grants project permissions, like Browse Projects, to users, groups, and project roles. Only Jira admins can create permission schemes and associate them with company-managed projects.
Team-managed projects don't use permission schemes. Team-managed project admins have more control over their project permissions as they don’t rely on Jira admins for configuration. However, their project permissions are less flexible.
Permission schemes prevent Jira admins from having to configure permissions individually for every project. Some Jira sites have hundreds of projects, so this saves a lot of administrative work. Jira admins can associate a permission scheme with one project or share it across many projects. This also helps users as their interactions with projects will be consistent.
👉 For example: Nell is a Jira admin. After talking to her team leads and Jira users, she realizes that business teams, like Marketing and Legal, have different project configuration needs than software development teams. She configures two permission schemes to meet their requirements. The Default permission scheme applies to any new company-managed business project. The Default software permission scheme applies to any new company-managed software project.
To access the permission schemes in your site:
- In the upper-right corner of Jira, select the Settings icon (represented by a gear).
- Under Jira admin settings, select Work items.
- From the sidebar, under Work item attributes, select Permission schemes. This is the Permission schemes admin page.
Configure a permission scheme
Create a permission scheme
You’ll first need to create a permission scheme before you can configure it.
To create a permission scheme:
- On the Permission schemes admin page, select Add permission scheme.
- Enter a name and description that accurately and clearly describe the purpose of that permission scheme. This will help you and other Jira admins associate the appropriate schemes to projects.
- Select Add.
After you create it, the permission scheme includes a list of all permissions, but no users, groups, or roles.
If you already have a permission scheme that’s similar to what you want to configure, you can copy and modify it. On the Permission schemes admin page, next to the scheme you want to copy, select Copy.
Grant permissions to users, groups, and roles
Next, you’ll grant the permissions in the scheme to a variety of users, groups, and roles.
There are two ways to grant a permission in a scheme:
- On the permission scheme's admin page, next to any permission, select Update. Select who you want to grant access to, then select Update.
- On the permission scheme's admin page, in the upper-right, select Grant permission. Search for and select the permission you want to update, then select who you want to grant access. If you want to grant additional permissions, select the Grant another permission checkbox. Select Grant.
👇 Click the boxes below to learn more about who you can grant permissions.
Let’s explore some examples of how you’d configure a permission scheme.
👉 First example: The Default software permission scheme is very open, with many permissions granted to any logged in user. However, some software projects need to have more restrictive permissions for security reasons. You create a more restrictive permission scheme where only members of the Developers group can browse projects, create work, and add comments to work in associated projects.
👉 Another example: You create a Development permission scheme where any logged in user can browse projects and edit work. However, only users with the Administrator project role or the Scrum Lead project role can manage sprints.
When you grant a permission to multiple entities, like two project roles, users have to be in either role, not both.
👇Watch the video below to see how to configure a permission scheme.
Associate a permission scheme with a project
To apply the permissions in a permission scheme, you need to associate it with one or multiple projects. Only Jira admins can associate permission schemes with projects. If a project’s permission scheme grants permissions to roles, though, the project admin can assign users and groups to that role. Other than that, the project admin can’t configure permissions.
When you first create a company-managed project, it will use the default permission scheme associated with that project type.
👉 For example: All new company-managed software projects will use the Default software scheme.
You can change which scheme a project uses after you create the project.
To associate a permission scheme with a project:
- Open the project in Jira.
- In the sidebar, next to the project name, select More actions (represented by ···), then Project settings.
- In the project settings sidebar, select Permissions.
- In the upper-right, select Actions, then select Use a different scheme.
- Select your scheme, then select Associate.
👇Watch the video below to see how to associate a permission scheme with a project.
Troubleshoot permission schemes
Many parts of Jira interact with permissions, so there are some implications to remember:
- Workflows impact permissions. You can configure conditions and properties for workflows that prevent users from transitioning or editing work, even if their project’s permission scheme enables them to.
- Product access impacts permissions. Users need access to a product in order to do anything they have permission to do. They can’t browse projects in Jira Service Management if they don’t have access to the product.
Let’s explore an example!
Ayo is a Jira admin. She meets with a group of software project admins who have special requirements. Certain team members need to be able to delete work. Normally, only admins can delete work items. But, we don’t want to give full admin permissions to these team members.
☝️How can Ayo meet this requirement?
Ayo, the Jira admin, will:
- Create a custom project role called “Work managers.”
- Create a new permission scheme called “Alternative software permission scheme” and note the Delete Work Items permission in the scheme description.
- Assign the Delete Work Items permission to the Work managers role.
- Associate the Alternative software permission scheme with the necessary projects.
The project admins will add the necessary users to the Work managers custom role for their projects.
If this requirement applied to all Jira projects, Ayo could just modify Jira’s default software permission scheme. However, since only a small group of projects have this requirement, Ayo should create a new scheme.
How was this lesson?
next lesson
Define work item security for company-managed projects with schemes
- What is a work item security scheme?
- Configure a work item security scheme
- Impact of work item security in Jira