https://getsupport.atlassian.com/browse/PCS-320652

Is there any workaround for JSM projects? All our users are able to see portal-only users by starting an @-mention. This is not acceptable as this way, people can enumerate a lot of mail addresses they are not supposed to see.

+1 Additionally to G's Comment this issue was closed because there is a solution for Cloud but this is still a huge problem in DC.

Hi 23ef3e30d63c, the one big gap that still remains is that there is no control over portal-only customers and that is a big problem for JSM projects. As mentioned in my comment here, we cannot take away the Browse Project permission from the Service Project Customer - Portal Access or it breaks the project. These portal-only users never need to be at-mentioned at all since they cannot receive those notifications and so it is very misleading to users that are at-mentioning these people and they are never receiving the notification.

Request Participants and the Reporter also need different treatment/restrictions in JSM projects since they are really only meant to receive emails from public comments.

The below might be the solve:

• Portal-only customers should never be allowed to be at-mentioned
  • If the permission was separate from Browse Projects, we could make this happen... right now we are blocked (but they should be prohibited from at-mentions by default)
• Atlassian accounts can never be at-mentioned in public comments unless they are not listed in the Request Participants nor the Reporter user fields
  • I can see a use-case for at-mentioning someone not listed in those user fields on a public comment to loop them in for just that comment
    • should only allow the people that can browse, so that aligns with the new setup
  • I can also see a use-case where maybe in an internal comment you want to at-mention just a single Atlassian account that is one of the request participants (they might need to know something that the rest of the participants should not be notified about)
  • But if it is simpler, prohibiting users in these fields from being at-mentioned all together is better than today where they get duplicate emails on public comments

So seems like there is still work to be done here and this should be reopened. Thanks!

Hey 625e53328cfc thanks for your comment. I want to clarify one point:
 

We want people on a project to be able to see and reference other users on that project but not necessarily everyone on Jira or on other projects.

That's how the new functionality works. If a user does not have the Browse Projects permission in a specific project, they will not appear in @ mention the dropdown on issues within that project.

Thanks @23ef3e30d63c, no i don't think this helps. The problem is that for many Jira users, we don't want all of our project users seeing all of our projects. We want people on a project to be able to see and reference other users on that project but not necessarily everyone on Jira or on other projects.

Eg one project might be for CokeCola and the other project might be for Pepsi (just as examples).

The product has changed since this ticket was created. In order for a user to appear in the @ mention dropdown now they must have the Browse Projects project permission of a company-managed project. Does this satisfy the requirements of the watchers of this ticket? Thank you!

The watchers of this ticket may be interested in this post: Improvements to Browser User permissions (User Searchability by Project). Please add any questions or comments there.

Pretty sure Atlassian is not even paying attention to this... It's been years... I implore everyone to reach out to Atlassian directly and highlight the need to have this issue fixed.

This is a must for any company using Jira with clients that are active participants in projects. Kind of crazy that we are still waiting on this. 

Super valuable.  Would love to know the eta on this being available. 

such a valuable feature request, yet overlooked for so long !

This is a serious issue with our client confidentiality standards. We have no solution but to anonymize the client names in our IDP using random characters instead of real names. This will eventually compromise the collaboration experience but unfortunately because of these poor product designs , we are completely blocked . 

Hi Sean,

You're right, I meant or course Browse Projects permissions.  

I'm happy I could help  

K.r.,

Anna

HI Anna, thank you for the response.  Where do you see Browse issues?  Are you using Jira Cloud or Jira Server?  Which product(s) are you using?  For me, this issue persists in Work Management and Software, but I see you make reference to Service Management, maybe it has a different permission scheme there (if that's what you're using)?

Edit: I created a Service Project and it has the same permissions, maybe you mean Browse Projects?

Edit again: So the only difference between what you had and what I had (assuming you meant Browse Projects) was the Assign Issues permission.  I restricted that to the two groups that should have access (internal / client) and that worked!  Now @mentions will only select from those two groups.  That's silly those two permissions are tied together, but at least it works now!

Hi Sean,

To be honest, I don't know  

I assigned Browse users and groups GLOBAL permissions. Additionally, in the project permissions scheme, Browse issues, Assignable user and Assign issues permissions are restricted to few project roles. __ While granting the access to the project, we add a user in the People section and assign him one of the project role used in the permission scheme.  This allow us to browse only project users in the Assignee field. 

Just guessing, can it be somehow related to the settings of the Assignee field or Browse issues project permissions? 

Anyway, it was done just for tests. We need to have Browse users and groups GLOBAL permissions turn off for customers as this also allows to browse ALL users in User Workload Report + see all names in Collaborators on users profiles.

K.r.,

Anna

To Anna, how did you get mentions to be restricted to project access.  To the best of my knowledge, this is a global permission (Browse Users and Groups), and I cannot find a similar permission for projects.

Hi All,

I have the impression that mention in comment was somehow corrected - we can only see users assigned to the project + some "plugin" (not real) users like Jira Outlook, Jira Service Management Widget etc. Assignee field also works correctly, with opposition to Reporter field (but, this can be solved with removing Modify Reporter in project permissions scheme). 

The only issue we experience is with User Workload Report (all users can be browsed) and with user's profile (in the Collaborators, all Jira users are visible). 

K.r.,

Anna

Same as Johan below, we provide client access at the project level in work management (one client per project).  I only just now figured out that they had access to assign users from other clients (permission scheme updated), but unfortunately there is not a way to do the same for mentions.  I imagine the coding to do so would be significantly more difficult than restricting access to a particular field, but the criticality is the same.  

We're also working with customers who are competitors and it's very awkward that they can simply @ and scroll through to see which other customers we have. But not giving them browse users and groups doesn't really work either since it hampers communication in issues. It is to me baffling that this hasn't been solved in 9 years time.

This is a must-have, please address.

This feature is crucial.  Please add it. 

Yes, please add this feature.  Thanks!

This would be extremely beneficial for our company to utilize!  We struggle with the issue all the time.

We definetly need this feature!
Please take it into account.

this feature would be a game changer in how we manage projects in my organization, please consider implementing it

We manage different projects from COMPETING suppliers, now they can mention each other.... how convenient (sarcasm alert)

This would be great to have!

It would be really appreaciated.
 

I think it's a great idea!

We don't want it.... We need it

We need this feature too.

I think that is a very important feature!

It would be useful to have this implemented.

+1 waiting for this feature to be added!

this is a very important feature,
so can you add it?

thank you

Looking forward to see this completed. Will make a noticeable difference.

This is definitely needed as soon as possible.

I was confused when I discovered this was not a platform feature. However, I'm sure that it will become a feature in future.

We need this feature released asap, please consider to resolve it, thank you.

this is a very important feature, please add it, thank you!

@Atlassian ...

Hi Atlassian, could you be a doll and prioritize this?  Its impact is quite obvious and long-lasting, judging on previous comments alone if you don't want to think about it yourself.  

good idea!

Maybe all of those who are writing a comment here can motivate their companies users to vote for this issue. This is what i have done today.

Please, prioritize this issue, thank you!

I raised a support request with Atlassian and received a fairly standard response 

"

Good day, Jason.

Hope you are doing well.

Thanks for reaching out to us! My name is Utkarsh and I will be assisting you on this support case.

From the case description, I understand that you want to allow certain users to mention certain users. Please correct me if my understanding is wrong.

I certainly understand the difficulty and I sincerely apologize for the inconvenience that is being caused to you because of the feature.

You're right, the users who can mention other users are controlled by the Brouse user's and group's Global permission. Anyone with this permission can mention anyone else. There is no further control over this on the project level. 

We have this feature request (I guess this is the one you are talking about) that requests further control-

• ID-8129 - Ability to restrict what Projects, users or groups appear in @-mention results

I know there haven't been any updates on this one and I'm sorry for that but I'd like to share that there are a number of factors that determine how we prioritize the feature request and if a feature is implemented or not. Those can be found in our Implementation of New Features Policy. As per this page-

There are many factors that influence our product roadmaps and determine the features we implement. When making decisions about what to prioritize and work on, we combine your feedback and suggestions with insights from our support teams, product analytics, research findings, and more. This information, combined with our medium- and long-term product and platform vision, determines what we implement and its priority order.

I can certainly understand the pain and how frustrating it might be for you but there is very limited that we can do here. At the same time, I'd request you to Vote the issue as it's taken into consideration when we're prioritizing the bug.

I would appreciate your feedback on the feature, you can do this by leaving a comment on the ticket."

Such a joke, is this thread even being reviewed by Atlassian???

Please everyone - add a comment and upvote. Maybe by some miracle this will get Atlassian's attention. 

To sad that we probably will "celebrate" 10 years of "Gathering Information" in March 2024. Why should something change after 9 years... 

this is a feature that we are being asked frequently. please add it quickly. thank you

please add it, thanks

Hot take: This problem existing has saved us money (that Atlassian is missing out on) because instead of providing Jira accounts for our customers, we just use an issue collector and completely keep them out of our Jira projects.

It will be very helpful on my company. Waiting for the release.

Thank you

Hi everyone,

Everybody (apparently except Atlassian) knows that this feature is essential and critical, and is actually a bug that needed to be resolved years ago.

I also don't think anyone from Atlassian reads the comments. They probably have set a trigger for ticket to be "active", when more than x people (I assume 10000! by the look of it) vote the issue.

So if you really think this needs to be resolved fast (meaning in Atlassian terms: in the next 12 months), contact support directly, link the issue and ask them to contact the corresponding product developer. That might speed things up.

Just saying "we need this too" or "oh why is it still unresolved" wouldn't help at all.  

Cheers

Our customers need very urgently to solve this issue.

Please help us!!!

I have the same problem, please consider it ASAP. Thanks!

It's really unbelievable that this issue is not addressed, this seems to be a basic function of a software like Jira.

Next year, this issue will become 10 years old

It is a very important feature for us. Please add it asap  

How can Atlassian continue to disregard this feature after almost 10 years!!! Unbelievable. I once raved about how fantastic Atlassian is but it's things like this that have turned me off Jira and the company.

I suspect this thread is not even being read...

Clients are complaining about not having the possibility to use this useful feature. Please consider asap to add it

Thanks

@AdrianEggenberger

I currently provide Admin for a Cloud variant of Jira

I use permission groups for external users. These groups are excluded from the Global Permission Browse users and groups

@Jason Waller: Actually disabling the mention feature seems to be the only way beside of migrating to another tool right? How did you disable the mention feature? I know it's possible in the server variant by modifications, but is it also possible in the cloud?

This is a required feature to prevent companies falling foul of Privacy laws.  We have disabled the @ mention feature for all external users, This is probably in the top 3 support requests that come through to me as an Admin,  Customers asking why they can't use the mention feature.  

yes, please add it.

I think the number of critical bugs or absolutely important features (like this) that have been released in the past 5 years can be counted by one or two hands. But don't worry and be happy: there is emoji for comments. This wonderful and significant development shall be celebrated.

I can remember that I struggled over this topic years ago. Now thinking about switching to Jira/Confluence Cloud I found the issue again. To me it's absolutly unbelivable that limiting visibility of users over projects or spaces is still not possible. 

I've no clue how we should use Jira/Confluence with multiple customers without showing customers users from another project.

I feel I'm banging my head against a brick wall. - to be blunt I don't like that I can still see random people who are part of a team that I don't know, not considered part of my org - even though Atlassian have said they can't see my data and I think this feature could open a hole up in to JSM for somebody with some smarts to get further down this rabbit hole. IMO even this so called feature has many potential flaws.

I've advised to Atlassian in a bug ticket on this that I have used other applications where if a user doesn't have permission to access a module of that application, they can't even see that module. So they don't know it is there at all. So it is nothing to see here move along, nothing to see here move along, and they do.

How this is set up it gets users to start to question what is this and they start digging to find more info out. Just like I have done,

__________________________________________________________________________________________________________________________________________________________________________
On my Bug ticket
Atlassian have reduced the amount of teams I'm seeing who are able to be tagged, but I'm still seeing teams that I don't know the people in that team and some are no longer part of my global company, one team who is part of my global company from another country who I can see in a Team, I have managed to find one persons company email to communicate with via email.

From my Bug ticket - I emailed the person to ask - can you please remove that Team after the email was sent - who am I to ask a person to remove a team so I can't see them what if they are still using that team? They can't even edit a team to stop it being visible to others.

The persons reply was wow that was an old project we don't use that now and we never used JSM we were using Slack - I had to look on the net to see what Slack was, we don't use Slack or have an app called Slack in my JSM.

It appears that there is no tidy up features for when a User is removed from a JSM
The person asked me what I wanted them to do and if I wanted them to remove that team please send them a link to where it is and he will try. - I don't have a link know his system or have Slack.

Wait on I can't expect to a person to delete a Team because I have asked them to,

I feel this feature could open up an access point for somebody with some smarts to dig deeper and get further down this rabbit hole, by just seeing team names and people within that team.

I should only be able to create Teams from the users I have in my JSM and for me this is just 10 people. I believe our company has a lot more instances of Jira but are not and should not be linked to my Jira in any way.

I even found my ex manager who is no longer a user in my JSM as having an invite to a team still sitting there as an invite. IMO when a user is removed from my JSM instance they should be removed from all Teams with any notes there name should be still visible but shaded out. ( I beleive the name is shaded out when a user is removed.

Maybe I'm just getting old and grumpy or maybe I care and am looking forward and see potential concerns.

Relevant also for my company! Please, take care of this issue.

Is there an ETA for this?

why can't @'s work just for those who have access to the project - and no one else!!! Doesnt seem so unreasonable. 

I dont even understand why i would want to @ someone who does not have access to the project....

@Dave: this seems like a critical security breach.

The reporter is inactive on this ticket, and I fear no one at Atlassian will get any notification on these issues. Hopefully they will not find it the hard way. Another way is to contact support and ask them what's going on.

It took other similar very important and easy-to-implement issues 10 years and over 1000 votes to resolve. It might be the same with this one, and the ability to rename attachments.

I was totally alarmed to find out about this

When I typed @B in a Note  to select a persons name to tag them in a JSM ticket,

Alarmed that I started to see 100's of teams created by others from around the world that have people I don't know

Alarm bells started to ring because our projects have sensitive information as will other peoples projects.

Even though I've had this explained and been assured that this is a feature and is a functionality and that those in team also needs that team or person/s in that team to still have the correct permissions to see the Project / ticket even if tagged.
Our Customers can't see or know who are our other customers are.

Maybe any such feature should be automatically turned off, with the Companies Admin having to turn this feature on with warnings at project levels

I still have the question

Is this a security weakness that could make Jira vulnerable? I know I'd sooner only be able to tag teams of people with in my instance and only within that Project.

Anyway I can test that others can't see my Projects or tickets, I can't afford to tag a random from another company to see if there is a restriction.

Edit20230210:
I was informed by Atlassian teams are only visible to people with accounts in the same organization.
So the teams you are seeing are the teams that are created by members under the same organization that you are in..

I've asked what constitutes an Organization.

I believe this should be licenses keys for the product (Jira JSM in my case,)

I only ask because I know my company locally in country license with 10 users for JSM and Global has another license or possibly more. and I should not see who uses there Jira.

The reverse test I conducted

logged in as Admin in JSM I created a 'team called Test team, my admin was a member and my general day to day log in was added.

I attempted to add a user that was visible in the comments of a ticket when adding them to a comment @B......... or @C........which are allegedly created by "my organization"

Those such members of the team are not visible for me to add these to a team but they are visible in my comments with in a ticket as part of a team - if I wish to tag them.

I haven't bothered to tag any random team members, just incase they can see our data.