Changing the default user groups when creating a project - jira

When a project is created in Jira, the jira-users group is added by default, which gives all users access to the project (which we don't want). I know that this can be changed manually after the project is created, but is it possible to configure Jira so that another group is used by default?

I believe to do this you go to the Administration Screen -> Project Role Browser and remove jira-users from the Default Members for the Users Role.

Related

In TFS Online, How do I share a code branch with our customer

We have an enterprise customer that we have delivered a system for. It is part of the agreement for us to supply them with the source code of the latest release. We are using TFVC on TFS online, and we thought it would be easiest to give them access to our Main branch. But I have difficulties with only allowing them to access the code and nothing else. The user I am testing with, can see too much: I.e. things like dashboard, current team members etc.
Is it possible for me to only expose code from the Main branch and nothing else to an external user?
Giving access to TFS Main Branch out of Organization (AD) is not advisable considering security.. Instead consider giving source code into zip format there are lot of large file sending (FTP sites) are available..
Still for your request of restricting access to user have a look over this
https://www.visualstudio.com/en-us/docs/setup-admin/restrict-access-tfs
you can consider replicating your part of source code into separate stream and give reader read only access to that stream.
Hope this helps... :)
Refer to these steps to set the permission:
Add user to your VSTS (Basic)
Remove this user from all group if you added
Go to admin page of a team project Version Control (Setting > Version Control)
Select a folder/branch
Click Add > Add User to add that user
Select the user that you added
Set Read permission to Allow
Go to Security page (click Security)
Click Create group to create a new group
Set View project-level information to Allow and deny other permissions for this group
Click Members of that new group
Click Add to add that user to this group
After that, this user can access the code (Just the folder/branch the user has the read permission) on web access (Code > Files).

Assigned To field not showing user with the same name as a deleted user

We had a person leave our company and their windows domain account for Active Directory was deleted. They have since come back but have been given a different windows domain account user name. Now when we attempt to assign them tasks it's always associated with the old account. I assume this is because the name is still the same and TFS is doing some kind of duplication check. I've tried removing cache and have verified that the Team Foundation Server Periodic Identity Synchronization job is running properly. I can also see the old active directory account show up when attempting to Add a windows user or group via the dialog along with the new Active Directory user.
What's strange is this user is not showing up as a member of any groups in TFS for any of the Team Project Collections. So why are they still showing up in the [Team Project Collection]\Project Collection Valid Users group?
Seems the main issue is deleted users still in "Assigned To" List. First try to throw down the issue.
If you are using VALIDUSER rule, it contains all valid users in TFS. You may check collection level Project Collection Valid Users group, you may need to check every group to delete the user. And use TFSSecurity /imx command to display information about that group, thn delete the user from right group.
After delete the old user, you need to try to let TFS sync with Active Directory, for detail steps, you can refer to:
Force TFS to sync with Active Directory
Active Directory Groups not Syncing with Team Foundation Server 2010

How to restrict in Jenkins users from viewing users information like: id, name etc

I have configured Jenkins on centos 7.
Being administrator, I have created few users and gave them permissions to their projects like: build, read etc.
I have used a Project-based Matrix Authorization Strategy. Its working but I'm facing the following problem:
If any user clicks on people information (button on left is dashboard) then any user can view all the other users ids, name etc. I want to block this from happening and I can't find a solution to this problem.
Can it be a configuration problem?
Here is one solution using the Role Strategy plugin.
I'm using this plugin for our Jenkins server and it's really useful to define permissions.
On my staging Jenkins, I've create 2 users:
A full admin
A viewer
I've created 2 roles with the plugin:
Next, I assign the roles to the relevant users:
The viewer role only have a global read access + build on the jobs.
If I open a session with the admin one, I can see all the people:
With the viewer user, I don't see anything:
UPDATE:
If you want to assign some permissions on a specific project, you can create project roles (in the Manage Roles section):
You can filter the projects with a regular expression:
job(.*)postcommit
Next, in the Assign Roles section, you just have to assign the relevant project role to the relevant user.
I hope it helps :)

TFS - Specialized Group has no access to Work Items

I created a tfs group that would work on a specific project located in a collection. Now we're using work items to track bugs etc, but that group doesn't have access to those work items via the Team Web Access portal. I don't want this group to have access to all the projects in the collection, just the one they are working on. But i need them to be able to access work items that come up.
Currently when they access the Team Web Access portal, they get message indicating there are no accessible team projects in this team project collection.
if they can access their code in the collection already, how come they can't see the work items, and how can i change that, but still limit what they see?
Ok, found what i was looking for after some time. for the benefit of the community here is where that hidden security setting is done.
For the new group, i needed to go under Team/Team Project Settings/Area and Iterations!!!!
Yes, this silly place to but a SECURITY button. If you go in there, click the security button on the bottom of the dialog, you will then see ALL the WORK ITEM related permissions.
EDIT work items in this node;
Manage Test plans;
View this node;
View work items in this node.
I needed to check all of these to ALLOW.
Again, seems like a stupid place to put these settings, than with all the other security settings via TEAM Project Settings. I hope they had a good reason for that.
They will need the View collection-level details permission added to their group (at the collection level). By default, the Project Collection Valid Users group has these permissions, so you can just add your group as a member of the valid users group.

Restrict certain JIRA developers to a single project in JIRA 4.4

We have some trainees and we would like to give them some introductory tasks in JIRA.
We are using JIRA version 4.4.
What is the least intrusive way (avoiding creating global groups or permissions, if possible) in JIRA to achieve the following:
restrict the trainee user account so he can browse only a certain single project and no other projects are visible to him in menu, dashboards etc.
give this user the same permissions as default jira-developer has, but only for his associated project
?
Those trainees might leave after a month or two, so we would like to be able to delete their accounts later as easy as possible (without any linking issues, like "You cannot delete this because it is associated with that"...).
I tried to add one of the trainee accounts to a project using People tab. I added this user to Developers and Users sections, but still this user has a message:
"You do not have a permission to log in."
when trying to log-in.
If I add this user to jira-users group, he can log-in, but he is able to see all the projects.
The problem I found with JIRA permissions is that core administration elements are strewn all over the place. Its frustrating to find options which other guides allude to.
So, here is a guide detailing where to find each section required for security permission setup:
1) Create a new group (restricted to project xyz group).
Click User management in top right (click the cog icon) > login as Administrator > click Groups (left menu)
Add group, self explanatory > Name = restricted to xyz group (or whatever you like)
2) Create a new permission scheme (Restricted to Project XYZ permission scheme)
From Administration area > Click Issues > Permission Schemes
Copy the default scheme as the guide says, > Click "copy" next to "Default Permission Scheme".
Now this part takes some time. I deleted every single permission, then clicked "add" next to the below items.
add > Click "Group" Radio Button > select your group "restricted to project xyz group" etc
Hint: I middle mouse clicked each item open all at once, first to delete, then to add. Makes it less tedious.
Here are the items I Assigned to my group:
Project Permissions > Browse Project
Everything under "Issue permissions" section
Comments Permissions > Add Comments
Comments Permissions > Delete Own Comments
Comments Permissions > Edit Own Comments
if using time tracking:
--> Time Tracking permissions > Delete Own Worklogs
--> Time Tracking permissions > Edit Own Worklogs
--> Time Tracking permissions > Work On Issues
I'm not sure if these are "correct" but it works for me.
3) Link the permission scheme with project XYZ
Click Projects > Select your Project (project XYZ) > Click "Administration" at top of screen (Next to overview) > Click Permissions (left menu) > Click Actions > Select Use a Different Scheme
Why, do I have to go into the project to do this? It should be available via the Administration area under project. This took me 5+ minutes to find just now even though I've done it before.
4) Grant the Global Permission "JIRA users" to the group "restricted to project xyz group" so they will be able to log in.
Go back to Administration area > Click Cog top right > Click System > Click Global Permissions (left menu)
Add Permission > Select Permission = JIRA Users, select Group = restricted to project xyz group (etc)
After this you should see your group appear next to "JIRA Users" just click View users, then invite/add the users as appropriate with your group selected.
That's all for now, I hope it includes everything, its all I could remember. Hopefully it saves someone else from the suffering i went through ;)
It depends which groups have the Developer and User project roles. By default these are jira-developers and jira-users. I would create a new project TRAINING and grant the Developers and Users roles to the trainee user ids explicitly. Now they can play in that project.
The harder parts are to restrict them from the other projects yet still allow them to log in. If the default groups are in use then do not add them to jira-users or jira-developers. You will have to define a jira-trainees group and add to the Global Permissions to allow them to log in.
Come to think of it, if you've ended up defining a jira-trainees group then you might as well use it in the project roles instead of their individual user ids. Once this is all set up you only have to add a user to jira-traininees, make sure they're not in jira-developers and jir-users and you're ready to go.
I wrote a tutorial on how to do this as it's so difficult to do especially for casual users.
Unfortunately you have to create a group and permissions scheme (and learn how to unhook the users group from the default permissions scheme, but I've laid it out really easily here so you'll not find an easier guide:
http://testigniter.blogspot.co.uk/2013/03/setting-up-jira-for-single-project-user.html
mdoar's answer has the guts, but here's a more step by step answer, specifically for the "You do not have a permission to log in." part.
Let's say you are logged in to Administration and there is a group 'My group for project X' and some users are assigned to this group.
1. Go to Users -> Global Permissions
2. Have a quick read about "JIRA Users"
3. In the "Add Permission" section choose "JIRA Users" as "Permission" and your group as "Group" and hit add.
4. All users from 'My group for project X' should now be able to log in.
For other access problems you may find "Premission Helper" useful (just look for it in the Administration Quick Search in the top right corner).
I did the following:
Created separate group for users allowed to see the project (Site Administration -> User management -> Groups
In Jira Admninstration -> Global Permissions added this group to "Jira users"
In the project's administration -> Roles added this group to "Users" project role
Created an user in this group and removed it from "jira-users" group. Without adding global permissions this would remove this user from accessing Jira at all
Worked like a charm (I hope), no annoying permissions scheme creation was needed

Resources