Hi Sean,

To be honest, I don't know  

I assigned Browse users and groups GLOBAL permissions. Additionally, in the project permissions scheme, Browse issues, Assignable user and Assign issues permissions are restricted to few project roles. __ While granting the access to the project, we add a user in the People section and assign him one of the project role used in the permission scheme.  This allow us to browse only project users in the Assignee field. 

Just guessing, can it be somehow related to the settings of the Assignee field or Browse issues project permissions? 

Anyway, it was done just for tests. We need to have Browse users and groups GLOBAL permissions turn off for customers as this also allows to browse ALL users in User Workload Report + see all names in Collaborators on users profiles.

K.r.,

Anna

To Anna, how did you get mentions to be restricted to project access.  To the best of my knowledge, this is a global permission (Browse Users and Groups), and I cannot find a similar permission for projects.

Hi All,

I have the impression that mention in comment was somehow corrected - we can only see users assigned to the project + some "plugin" (not real) users like Jira Outlook, Jira Service Management Widget etc. Assignee field also works correctly, with opposition to Reporter field (but, this can be solved with removing Modify Reporter in project permissions scheme). 

The only issue we experience is with User Workload Report (all users can be browsed) and with user's profile (in the Collaborators, all Jira users are visible). 

K.r.,

Anna

Same as Johan below, we provide client access at the project level in work management (one client per project).  I only just now figured out that they had access to assign users from other clients (permission scheme updated), but unfortunately there is not a way to do the same for mentions.  I imagine the coding to do so would be significantly more difficult than restricting access to a particular field, but the criticality is the same.  

We're also working with customers who are competitors and it's very awkward that they can simply @ and scroll through to see which other customers we have. But not giving them browse users and groups doesn't really work either since it hampers communication in issues. It is to me baffling that this hasn't been solved in 9 years time.

This is a must-have, please address.

This feature is crucial.  Please add it. 

Yes, please add this feature.  Thanks!

Please add this feature ASAP. It would be extremely helpful.

This would be extremely beneficial for our company to utilize!  We struggle with the issue all the time.

We definetly need this feature!
Please take it into account.

this feature would be a game changer in how we manage projects in my organization, please consider implementing it

We manage different projects from COMPETING suppliers, now they can mention each other.... how convenient (sarcasm alert)

This would be great to have!

It would be really appreaciated.
 

I think it's a great idea!

We don't want it.... We need it

We need this feature too.

I think that is a very important feature!

It would be useful to have this implemented.

+1 waiting for this feature to be added!

this is a very important feature,
so can you add it?

thank you

Looking forward to see this completed. Will make a noticeable difference.

This is definitely needed as soon as possible.

I was confused when I discovered this was not a platform feature. However, I'm sure that it will become a feature in future.

We need this feature released asap, please consider to resolve it, thank you.

this is a very important feature, please add it, thank you!

@Atlassian ...

Hi Atlassian, could you be a doll and prioritize this?  Its impact is quite obvious and long-lasting, judging on previous comments alone if you don't want to think about it yourself.  

good idea!

Maybe all of those who are writing a comment here can motivate their companies users to vote for this issue. This is what i have done today.

Please, prioritize this issue, thank you!

I raised a support request with Atlassian and received a fairly standard response 

"

Good day, Jason.

Hope you are doing well.

Thanks for reaching out to us! My name is Utkarsh and I will be assisting you on this support case.

From the case description, I understand that you want to allow certain users to mention certain users. Please correct me if my understanding is wrong.

I certainly understand the difficulty and I sincerely apologize for the inconvenience that is being caused to you because of the feature.

You're right, the users who can mention other users are controlled by the Brouse user's and group's Global permission. Anyone with this permission can mention anyone else. There is no further control over this on the project level. 

We have this feature request (I guess this is the one you are talking about) that requests further control-

• ID-8129 - Ability to restrict what Projects, users or groups appear in @-mention results

I know there haven't been any updates on this one and I'm sorry for that but I'd like to share that there are a number of factors that determine how we prioritize the feature request and if a feature is implemented or not. Those can be found in our Implementation of New Features Policy. As per this page-

There are many factors that influence our product roadmaps and determine the features we implement. When making decisions about what to prioritize and work on, we combine your feedback and suggestions with insights from our support teams, product analytics, research findings, and more. This information, combined with our medium- and long-term product and platform vision, determines what we implement and its priority order.

I can certainly understand the pain and how frustrating it might be for you but there is very limited that we can do here. At the same time, I'd request you to Vote the issue as it's taken into consideration when we're prioritizing the bug.

I would appreciate your feedback on the feature, you can do this by leaving a comment on the ticket."

Such a joke, is this thread even being reviewed by Atlassian???

Please everyone - add a comment and upvote. Maybe by some miracle this will get Atlassian's attention. 

To sad that we probably will "celebrate" 10 years of "Gathering Information" in March 2024. Why should something change after 9 years... 

this is a feature that we are being asked frequently. please add it quickly. thank you

please add it, thanks

Hot take: This problem existing has saved us money (that Atlassian is missing out on) because instead of providing Jira accounts for our customers, we just use an issue collector and completely keep them out of our Jira projects.

It will be very helpful on my company. Waiting for the release.

Thank you

Hi everyone,

Everybody (apparently except Atlassian) knows that this feature is essential and critical, and is actually a bug that needed to be resolved years ago.

I also don't think anyone from Atlassian reads the comments. They probably have set a trigger for ticket to be "active", when more than x people (I assume 10000! by the look of it) vote the issue.

So if you really think this needs to be resolved fast (meaning in Atlassian terms: in the next 12 months), contact support directly, link the issue and ask them to contact the corresponding product developer. That might speed things up.

Just saying "we need this too" or "oh why is it still unresolved" wouldn't help at all.  

Cheers

Our customers need very urgently to solve this issue.

Please help us!!!

I have the same problem, please consider it ASAP. Thanks!

It's really unbelievable that this issue is not addressed, this seems to be a basic function of a software like Jira.

Next year, this issue will become 10 years old

It is a very important feature for us. Please add it asap  

How can Atlassian continue to disregard this feature after almost 10 years!!! Unbelievable. I once raved about how fantastic Atlassian is but it's things like this that have turned me off Jira and the company.

I suspect this thread is not even being read...

Clients are complaining about not having the possibility to use this useful feature. Please consider asap to add it

Thanks

@AdrianEggenberger

I currently provide Admin for a Cloud variant of Jira

I use permission groups for external users. These groups are excluded from the Global Permission Browse users and groups

@Jason Waller: Actually disabling the mention feature seems to be the only way beside of migrating to another tool right? How did you disable the mention feature? I know it's possible in the server variant by modifications, but is it also possible in the cloud?

This is a required feature to prevent companies falling foul of Privacy laws.  We have disabled the @ mention feature for all external users, This is probably in the top 3 support requests that come through to me as an Admin,  Customers asking why they can't use the mention feature.  

I think the number of critical bugs or absolutely important features (like this) that have been released in the past 5 years can be counted by one or two hands. But don't worry and be happy: there is emoji for comments. This wonderful and significant development shall be celebrated.

I can remember that I struggled over this topic years ago. Now thinking about switching to Jira/Confluence Cloud I found the issue again. To me it's absolutly unbelivable that limiting visibility of users over projects or spaces is still not possible. 

I've no clue how we should use Jira/Confluence with multiple customers without showing customers users from another project.

I feel I'm banging my head against a brick wall. - to be blunt I don't like that I can still see random people who are part of a team that I don't know, not considered part of my org - even though Atlassian have said they can't see my data and I think this feature could open a hole up in to JSM for somebody with some smarts to get further down this rabbit hole. IMO even this so called feature has many potential flaws.

I've advised to Atlassian in a bug ticket on this that I have used other applications where if a user doesn't have permission to access a module of that application, they can't even see that module. So they don't know it is there at all. So it is nothing to see here move along, nothing to see here move along, and they do.

How this is set up it gets users to start to question what is this and they start digging to find more info out. Just like I have done,

__________________________________________________________________________________________________________________________________________________________________________
On my Bug ticket
Atlassian have reduced the amount of teams I'm seeing who are able to be tagged, but I'm still seeing teams that I don't know the people in that team and some are no longer part of my global company, one team who is part of my global company from another country who I can see in a Team, I have managed to find one persons company email to communicate with via email.

From my Bug ticket - I emailed the person to ask - can you please remove that Team after the email was sent - who am I to ask a person to remove a team so I can't see them what if they are still using that team? They can't even edit a team to stop it being visible to others.

The persons reply was wow that was an old project we don't use that now and we never used JSM we were using Slack - I had to look on the net to see what Slack was, we don't use Slack or have an app called Slack in my JSM.

It appears that there is no tidy up features for when a User is removed from a JSM
The person asked me what I wanted them to do and if I wanted them to remove that team please send them a link to where it is and he will try. - I don't have a link know his system or have Slack.

Wait on I can't expect to a person to delete a Team because I have asked them to,

I feel this feature could open up an access point for somebody with some smarts to dig deeper and get further down this rabbit hole, by just seeing team names and people within that team.

I should only be able to create Teams from the users I have in my JSM and for me this is just 10 people. I believe our company has a lot more instances of Jira but are not and should not be linked to my Jira in any way.

I even found my ex manager who is no longer a user in my JSM as having an invite to a team still sitting there as an invite. IMO when a user is removed from my JSM instance they should be removed from all Teams with any notes there name should be still visible but shaded out. ( I beleive the name is shaded out when a user is removed.

Maybe I'm just getting old and grumpy or maybe I care and am looking forward and see potential concerns.

Relevant also for my company! Please, take care of this issue.

Is there an ETA for this?

why can't @'s work just for those who have access to the project - and no one else!!! Doesnt seem so unreasonable. 

I dont even understand why i would want to @ someone who does not have access to the project....

@Dave: this seems like a critical security breach.

The reporter is inactive on this ticket, and I fear no one at Atlassian will get any notification on these issues. Hopefully they will not find it the hard way. Another way is to contact support and ask them what's going on.

It took other similar very important and easy-to-implement issues 10 years and over 1000 votes to resolve. It might be the same with this one, and the ability to rename attachments.

I was totally alarmed to find out about this

When I typed @B in a Note  to select a persons name to tag them in a JSM ticket,

Alarmed that I started to see 100's of teams created by others from around the world that have people I don't know

Alarm bells started to ring because our projects have sensitive information as will other peoples projects.

Even though I've had this explained and been assured that this is a feature and is a functionality and that those in team also needs that team or person/s in that team to still have the correct permissions to see the Project / ticket even if tagged.
Our Customers can't see or know who are our other customers are.

Maybe any such feature should be automatically turned off, with the Companies Admin having to turn this feature on with warnings at project levels

I still have the question

Is this a security weakness that could make Jira vulnerable? I know I'd sooner only be able to tag teams of people with in my instance and only within that Project.

Anyway I can test that others can't see my Projects or tickets, I can't afford to tag a random from another company to see if there is a restriction.

Edit20230210:
I was informed by Atlassian teams are only visible to people with accounts in the same organization.
So the teams you are seeing are the teams that are created by members under the same organization that you are in..

I've asked what constitutes an Organization.

I believe this should be licenses keys for the product (Jira JSM in my case,)

I only ask because I know my company locally in country license with 10 users for JSM and Global has another license or possibly more. and I should not see who uses there Jira.

The reverse test I conducted

logged in as Admin in JSM I created a 'team called Test team, my admin was a member and my general day to day log in was added.

I attempted to add a user that was visible in the comments of a ticket when adding them to a comment @B......... or @C........which are allegedly created by "my organization"

Those such members of the team are not visible for me to add these to a team but they are visible in my comments with in a ticket as part of a team - if I wish to tag them.

I haven't bothered to tag any random team members, just incase they can see our data.

Atlassian does not seem to care about this issue.. very sad. Not sure how to get attention to this issue. More votes somehow?

I'm waiting for this to happen too.  Half of our users are our agency, the other half are split across scores of clients.   A client being able to @mention anyone in the directory just cannot happen - we can't have all clients seeing all other clients, but we want them to see all our staff.  Come on Atlassian

This is definitely needed as soon as possible.

waiting since 2014...

100% agree with Jan-Niklas, this is absolutely needed. It's crazy we cannot @ mention at the project level...

We have not given external customers the permission to use @mention, since they are then able to see any other customer in jira. This is a data security issue which hinders the use of an otherwise useful functionality. Please extend the functionality to allow mention control on a user group and/or project level.

I hope that this feature gets some traction. We have clients that have access to Jira so they can update us on bugs they find or request new features. They need to be able to @ mention other members of their team and us, but we do not want them to see the names of other clients and their staff as this is unprofessional and a security issue.

Really looking forward to this feature

This is helpful for a lot of our clients that want to use Cloud and have certain user groups, that should be able to address users of specific groups, and not be able to address/view users of other groups.

NielsJ, I am not entirely sure where I saw that last year.  It  isn't exactly the full control that people are asking for (sounds like what is being asked is similar to user filtering on custom user fields and the ability to set that to your desired custom level).

But if you test at-mentioning by just typing @ in Cloud on an issue right now, you will notice that it recommends the Assignee, the Reporter, anyone that took an action on the issue by commenting, creating, or updating and then if you explicitly type a name, it seems to only show users that are in an internal project role for that project (does not show users from other projects or service desk portal only customers that are not involved).  So it is better than before by hiding users that do not have permission to see the issue and has become a dynamic list of recommended users.

@greg.draper310998593

do you have more information about this resolved issue? What is the issue key?

FYI, luckily this was implemented and limits to only internal users that have access to the project that the issue is in not too long ago as a part of GDPR changes (very good and appropriate change).  I think you can resolve this Jira issue.

Specifically, this includes filtering for the mention feature and the people filter on the search page.

+1

Yes, it sure is very important and we need it

Yes, we certainly need this.

Or specifically to the PROJECT the user is on. They should not be able to see users from ALL projects (or on the Jira site). Eg in our case we must protect client confidentiality across projects.

What does it take or who do we need to speak to in order to make this happen ? Thanks

Would like to see this feature, too. We have different customers included in our projects, who shouldn't see each other. 

Need this too, especially to remove plugin system users from the mention list in comments or issue description

This issue is more than 3 years old?? Controlling what your customers can access is pretty fundamental to a case tracking tool. I'm surprised this haven't been solved already.

Please prioritise this issue. Unless this is fixed, the @mention feature is rather useless for anyone having more than one customer in their Jira.

That's would be great if we could add the restriction by projects or groups for @-mention function.

For the moment, there´s just the option to disable browsing for some users completely. This shouldn´t be the way to go, since mentions are really great to work with. Having it active is def. not an option at all regarding ISMS and infosec.

Yes please.  Project based

e.g. Service Desk clients (they are created as users in the system) should not be available for mention! (especially in other projects)

It is not only that our customers don't need to see accounts of other customers, but more that we don't want them to see accounts of other customers.

I agree with Andrew. This should be project based. Our customers don't need to see accounts of other customers.

Would be great for keeping groups of confidential clients on a system private and hidden from other groups. The alternative would be to simply limit the fields to those users which have at least some permissions within a project.

Yes. We have a number of projects, all with distinct audiences.

You wouldn't want us to install a new Jira instance for each project, would you, Atlassian?

I'd kill to see this too. In our case we have 1000s of "users" in the jira directory that aren't actually users, cannot login, aren't going to be @mentioned, etc. They exist solely as the reporting-user for issues. It would be very helpful to be able to limit the universe of @mention users to either a specific group, or at least to users that are allowed to login to the system.

It is really painful and error prone to find the right user when using mention in Confluence for large enterprise. Ability to restrict by a group or users that have access to the space, would help a great deal.

This my use case:
this article Mentions are Not Working in JIRA states that the Browse Users global property controls (among other things perhpas) whether users are @mention-able and whether (if using a Wiki renderer for the Comment and Description fields) when the user start typing a @ character, the user selection menu will pop up.
In the global permission settings, one can associate a group to the 'Browse Users' property (just as well as all other global properties).

Ultimately, one would think that users not member of the group (or any of the groups) associated to the 'Browse Users' global property, should not appear in the @mention user selection menu. That is, they should be not @mention-able in JIRA (they might in Confluence), these should be independently configurable.
In other words:

• if group GROUPA through GROUPZ are associated with the global permission 'Browse Users'
  • if USERX is member of any of GROUPA through GROUPZ, it is @mention-able
  • else USERX is not @mention-able

Let me know if you have any question.