The watchers of this ticket may be interested in this post: Improvements to Browser User permissions (User Searchability by Project). Please add any questions or comments there.

So, we're using Jira Cloud and I have no problem getting the issue mentioned here to work. I do the following:

• Create project
• Create group with external clients
• Give group access rights to tag/mention other users
• Give group access only to aforementioned project

Now, when I, as an admin, log into one of those users' account, go to the project, and, say, add a comment, I can only browse the users who have access to that project, now other users.

This seems to be so simple and such a fundamental function to make Jira Cloud more useable.  Note that a Jira site of over a 1000 users, this becomes an extremely unmanageable list.

We have moved long time, supportive Jira Server Projects to Jira Cloud and this is a primary complaint and concern.

1. Makes the user picker more onerous on the user
2. Potentially allows for users to scan the user base.

This needs to be prioritized and executed on. 

How many votes are needed until Atlassian finally reconsiders a decision to not implement a feature that tons of users are still asking for?

Wow, 16 years gathering interest. Make my Jira queues look highly effective.

We are trying to migrate to Jira Cloud. In several of our Jira Server projects we have custom user picker fields that are limited to certain defined users in a group, ie Project Developer Resources and Project QA Resources.

In re-implementing the custom field as a user picker in Jira Cloud the limit appears to be only a filtering suggestion in Jira Cloud ->Enabling user filtering will allow you to minimize the number of usernames that return from the typeahead control. It is not a hard limit and allows non group members to be selected. This is not acceptable. This needs to limit selection to ONLY members of the filter group. 

Is there any progress toward provided a forced limit on a user picker? The ability to make an incorrect selection will not go over well with Project Managers. 

Any updates on this? 

So many years and no solution in sight. The typical Atlassian world. 

We use Jira to manage projects with several clients. It's important that clients are able to @ mention individuals, including their own company colleagues, particularly for large projects.

I've been advised that this isn't possible to do without breaching their confidentiality, which means our clients can't use this important function and affects the interactivity of JIRA.

There is another. troubling aspect of this.

While logged in as a user confined to Project_A, on issues search screen, it is possible to type in "reporter in()". This does not autocomplete the users. If you type in a wrong username in the parentheses, it will throw back an error message at you. But if you type in a good username to a user's whose projects and issues you should have no access to, it will just say "no issues found". Since business environments usually have some code for logins (usually "name.surname"), it is trivial to find out if the Jira admin is running a project for, say, company's competition. Or anyone else the attacker find at linkedin or a similar website.