New User Roles on Jira Cloud and their relationship to Groups and Global Permission
Jira has recently announced several new user features for the Cloud instance. One major addition is User Roles, which will now allow Admins to categorize users.
- User Roles come in three types: Basic, Trusted, Site Administrator
- User Roles are different from Project Roles: see this article for info on Project Roles
- Admin User Roles are different than Admin global Groups
- User Roles will have a significant impact on user global permissions.
Let’s start by defining what the new User Roles are and how they work
When an Admin invites a new user to Jira they are now required to identify the user as one of these three Roles. As detailed below, a User Role may or may not have an effect on groups the user is assigned to. But keep in mind, by default any new user, regardless of role, is added at least to the group Jira-Software-Users.
Adding a user to the Basic Role will allow them the same global permission as the group “Jira-Software-Users”. When added to the Basic Role, a new user will show up belonging to the Jira-Software-Users basic user group, and only this group. Users in this role/group will have the permission to access and work in projects based on their Project Permissions. And as usual, these users will have access to all visualization tools (filters, board, dashboards) for those issues they have Project Permissions to see.
Site Administrator Role
Adding a user to the Site Administrator Role will allow them the same global permission as the group “Site-Admins”. When added to the Site Administrator role, a new user will show up belonging to both the Site-Admins and the Jira-Software-Users groups. These users will have full access to the broadest permission available in a Cloud instance. This includes Jira Admin rights (ability to create and configure projects) as well as Site Admin rights (user management and billing).
The Trusted User Role grants the user access to Jira Admin features, but not Site Admin features. Also, adding a user to the Trusted User Role will not add them automatically to any of the groups that have Jira Admin Global Permissions (like site-admins or jira-administrators). The only global group these users will be part of is Jira-Software-Users. However, even though Trusted User will only be in this basic user group, they will have those Jira-Admin permissions that exceed basic users.
Here’s where it gets interesting
The global Groups trump the User Roles. As a reminder, here are the list of the global groups.
For example, if a user has been added to Jira under the Basic User Role, the admin can still add them to the Jira-Administrator Group. In this case the user is Basic but has all the same rights as a Trusted user. Regardless of what User Role the user has been placed under, his permissions can be expanded if an admin adds him to a group with broader global permissions.
Here is another interesting example: Let’s assume a user enters Jira under the Site Admin Role. Then, as noted above, he will also be in the Site-Admin and Jira-Software-Users group. But suppose later, the admin removes the user from the Site-Admin group. In this case the user’s role will automatically change from Site Admin to Basic. And his group affiliation will only be Jira-Software-Users.
But how is the access level of a group determined?
In addition to adding the ability for Admins to assign roles to users, Jira has added a Product Access page that allows admins to quickly change access levels by group. This page includes two distinct sections. The first tab allows for Product Access to be changed for each group. For instance, the jira-software-users group shows up under Jira Software product access section but not the Confluence access section.
The second tab, titled Administration Access, allows for Admin access to be added, changed or removed for specific groups for each product in the instance. By default, the jira-administrators, site-admins, and administrators groups are already in this section for Jira Administration however you can also add any Custom Group needed by your organization to any of these sections and automatically give all users in that Custom Group admin rights.
One more thing….
Along with this addition of User Roles, a new Access section has shown up at the top of each user’s details as the Admin sees the user. This Access has been around for a while and historically has allowed an Admin to turn off a user’s access to Cloud platforms (i.e. user has access to Jira Software, but not Jira Service Desk or Confluence) for various reasons. One reason could be to save on the product’s user count.
However, this Access section looks and behaves a bit differently now. First, a new toggle switch has appeared called “Has access on site.” This switch controls whether the user can even access the Cloud instance. If turned off, the user will be able to come to the instance, but not be able to see or do anything.
The behavior of the other Access toggles are dependent on the user’s defined role.
- Basic: Product access toggles can be turned on/off independently
- Trusted: Product access toggles are grayed out and cannot be changed
- Site administrator: Product access toggles are grayed out and cannot be changed
This means if an Admin want to turn off a product for a user, the user must first be changed to a Basic user before the Admin can switch off the product.
One final, final thing…
It appears the addition of User Roles has created an addition to Global Permissions. A new (and somewhat unusual-looking) group has started to appear within the global permissions.
It is likely this group is programmatically related to the new Trusted User Role. This also would explain why a Trusted User has access to Jira Admin features while not being a member of any traditional admin groups (like Jira-Administrator). It is not clear why the group name has a lengthy and random selection of characters. Sometimes multiple Trusted User groups have appeared on this list. It would appear that Jira Cloud has created a new hidden group for Trusted Users that is only manifest in the Global Permission section.
Also note there is another unknown group name called “system-administrators.” The group does not appear anywhere else and users cannot be added to it in the group configuration. I would speculate that this is a special group only used for Atlassian to support the behind the scene system admin work necessary to the Cloud based environment.