Global Permission or Group? Clearing up confusion on JIRA Administrators

admin-img

We often get several questions in class about the differences between JIRA System Administrators and JIRA Administrators, especially as they relate to Global Permissions & Groups:

  • What is the difference between JIRA System Administrators and JIRA Administrators?
  • Why is there a JIRA Administrators Global Permission and a jira-administrators group?
  • Why does JIRA Cloud version only have JIRA Administrators?
  • Why does JIRA Cloud have three default admin groups?

Defining Global Permissions

JIRA Global Permissions (found under JIRA Administration – System – Security – Global Permissions) are a finite list of 5 or 6 permissions: JIRA System Administrators (server only), JIRA Administrators, Browse Users, Create Shared Objects, Manage Group Filter Subscriptions, and Bulk Change.

Anyone who is a member of a Group with the JIRA Administrators Global Permission can assign other Groups to Global Permissions, and these assignments apply across the entire JIRA instance (hence the name global). The assigning of Groups to Global Permissions is all you can do with them – you cannot configure or customize any Global Permission.

Two different Administrator Global Permissions

The JIRA System Administrators and JIRA Administrators Global Permissions represent administrative power at two different levels. JIRA System Administrators has complete administrative functionality, while JIRA Administrators is more limited.

There is no JIRA System Administrators Global Permission in JIRA Cloud. It exists only in JIRA Server, because JIRA System Administrators functions for JIRA Cloud are managed by Atlassian. This is also the reason why the cloud instance has less System options available in the tree on the left hand side of the page.

Organizations using JIRA Server who need to delegate certain administrative permissions, such as project management, without granting broader administrative permissions, such as licensing, may find the separation of JIRA Administrators and JIRA System Administrators Global Permissions useful.

What’s so special about JIRA System Administrators?

The following is a list of specific activities that are limited to the JIRA System Administrators Global Permission on JIRA Server. On JIRA Cloud, some of these are available to the JIRA Administrators Global Permission.

  • View or manage tasks from the the Systems menu.
  • Configure JIRA’s SMTP mail server for notifications (but JA can configure POP/IMAP mail servers for the receipt of email messages that create issue comments and new issues, and fully administer email notification schemes).
  • Configure a CSV source code repository (but JA can associate a project with a configured repository).
  • Configure listeners.
  • Configure services (except for POP/IMAP services).
  • Configure issue cloning.
  • Change the index path (but JA can reindex and optimize the index).
  • Run the integrity checker.
  • Access logging and profiling information.
  • Access the scheduler.
  • Export/backup JIRA data to XML.
  • Import/restore JIRA data from XML.
  • Import XML workflows into JIRA.
  • Configure attachments (JA can set the size limits of attachments, enable thumbnails, and enable ZIP support).
  • Add gadgets to the gadget directory.
  • Configure User directories (e.g. LDAP).
  • Configure Application Links that use an authentication type other than OAuth.
  • View User sessions.
  • Access license details.
  • Grant/revoke the JIRA System Administrators Global Permission.
  • Edit (or Bulk Edit) Groups that have the JIRA System Administrators Global Permission.
  • Edit, change the password of or delete a User who has the JIRA System Administrators Global Permission.
  • Upload and/or install an add-on.

It is recommended that people who have the JIRA Administrators Global Permission (and not the JIRA System Administrators Global Permission) are not given direct access to the JIRA filesystem or database.

Global Permissions are not Groups

Several default groups (e.g. site-admins, jira-administrators, and administrators) are similar to Global Permission or Project Role names (e.g. JIRA Administrators), so it is very easy to become confused. Just remember: Global Permissions are not Groups.

Groups are just virtual buckets into which you can place users. The group names can be changed. The groups can be deleted. The jira-administrators Group is merely a group, created by default, that has been added to the JIRA Administrators Global Permission. You can delete this group at any time if desired.

The site-admins group cannot be deleted, of course, because no one would be able to manage the site (billing, group management, users, etc.). The group site-admins has special abilities that resemble the JIRA System Administrators Global Permission. It is the only group that has, and can have, these special abilities.

On JIRA Server, if you want to differentiate users into JIRA System Administrators Global Permissions and JIRA Administrators Global Permissions, you should create a second group, e.g. jira-System-administrators. Then you can add that group to the JIRA System Administrators Global Permission.

On JIRA Cloud, the jira-administrator and administrator Groups are redundant. This is probably due to the fact that over time JIRA has removed certain administrative features from the cloud environment. Perhaps originally these two groups more closely reflected to the two Global Permissions (JIRA System Administrators and JIRA Administrators).

Additionally, if you want to add groups to the JIRA Administrators Global Permission on JIRA Cloud, you need to do so via Application Access Configuration.

What about those ADMIN and ACCESS labels in Groups?

The permission “labels” that show up in Groups are not very well defined. In fact, when you look at the table the labels column doesn’t even have a header. However, here is how these labels are loosely defined:

The ACCESS label on the site-admins Group is a JIRA System Administrators marker. site-admins is the only group that can have this marker.

The ADMIN label denotes having an Administrator Global Permission in a given Atlassian Application. In the case of JIRA Cloud, this is the JIRA Administrators Global Permission.

The DEFAULT label denotes basic JIRA user permissions and appears to be related to non-admin functionality.