When and how should one use project roles instead of groups within JIRA?

Question

I am having a little difficulty understanding when a person should configure JIRA permissions using groups and when they should use project roles. I have read the online documentation, however, the difference between the two seems subtle.

A group seems simple enough. Group users into a named bucket. Assign the group to one or more permissions within a permission scheme to enable access to functionality for any users within the group. Assign the permission scheme to a project to apply the permissions to that project.

A project role seems very similar. It does all of the above except that you can also add groups to project roles. It seems that a project role also allows a project administrator to add their own users to a project instead of requiring a system administrator.

However, I am not sure how I can leverage this. Here is an example of what I want to achieve.

1. Have multiple projects created in JIRA.
2. All of our managers, developers, etc. have the same permissions across all projects.
3. Our clients have access only to their projects.

I think that the best way to accomplish this is to:

1. Create an employees group to which I add all of our employees.
2. Create one or more project roles to which I add the appropriate clients.
3. Assign permissions to the Default Permissions Scheme using the employees group.
4. Copy the Default Permission Scheme to a new project specific scheme, e.g., client-scheme
5. Assign the client-scheme to the client specific project.

However, it seems that I am not leveraging project role membership. How does this come into play?

What is the best practice for using JIRA groups and project roles? What is the different between the two?

Answer 1

We are advising to work with roles as it has a couple of advantages

a. You can setup the complete configuration based on roles.

For instance you might have a workflow transition 'validated' which can only be executed by someone who is a tester.

You have the choice to add a transition condition 'user is in group tester' or 'user has the role tester'.

If you are working in an organisation where users have different roles in different projects, choosing the first transition condition (user is in group tester) will not work (or you would need a new workflow for each project)

The same applies for notifications.
You can configure a notification on the 'issue resolved' event, specifying that the 'users in group tester' get notified or 'users who have the role tester'.

When using roles, adding someone to a project is very simple - just check what role the person has in the project, add them in the project configuration (view members) and you are done. He will have the right permissions, get the right notifications ...

b. Configuration

When you use roles for configuration, you don't need system administration rights to add someone to a project. The project lead will be able to add the user. No need to bother the system admin.

---

Looking at your description, I would have

1. A project role 'employee'
2. A project role 'customer'
3. A group 'employees'
4. configure the project role such that the group employees is a default member of the project role employee

This way you can use the same permission scheme for all projects. When adding a new project, you just need to add the client specific userid to the client role. When a new employee start, you add him to the employees group.

The day that you have a specific, ultra secret project, where only a couple of employees need to have access, you can remove the group 'employees' from the role 'employee' and add the specific users to the role.

Hope this helps

Francis

Answer 2

Historically, JIRA had groups first. Then roles came along and are the recommended way to control authorization in most cases.

~Matt