https://getsupport.atlassian.com/browse/PCS-320652

Is there any workaround for JSM projects? All our users are able to see portal-only users by starting an @-mention. This is not acceptable as this way, people can enumerate a lot of mail addresses they are not supposed to see.

+1 Additionally to G's Comment this issue was closed because there is a solution for Cloud but this is still a huge problem in DC.

Hi 23ef3e30d63c, the one big gap that still remains is that there is no control over portal-only customers and that is a big problem for JSM projects. As mentioned in my comment here, we cannot take away the Browse Project permission from the Service Project Customer - Portal Access or it breaks the project. These portal-only users never need to be at-mentioned at all since they cannot receive those notifications and so it is very misleading to users that are at-mentioning these people and they are never receiving the notification.

Request Participants and the Reporter also need different treatment/restrictions in JSM projects since they are really only meant to receive emails from public comments.

The below might be the solve:

• Portal-only customers should never be allowed to be at-mentioned
  • If the permission was separate from Browse Projects, we could make this happen... right now we are blocked (but they should be prohibited from at-mentions by default)
• Atlassian accounts can never be at-mentioned in public comments unless they are not listed in the Request Participants nor the Reporter user fields
  • I can see a use-case for at-mentioning someone not listed in those user fields on a public comment to loop them in for just that comment
    • should only allow the people that can browse, so that aligns with the new setup
  • I can also see a use-case where maybe in an internal comment you want to at-mention just a single Atlassian account that is one of the request participants (they might need to know something that the rest of the participants should not be notified about)
  • But if it is simpler, prohibiting users in these fields from being at-mentioned all together is better than today where they get duplicate emails on public comments

So seems like there is still work to be done here and this should be reopened. Thanks!

Hey 625e53328cfc thanks for your comment. I want to clarify one point:
 

We want people on a project to be able to see and reference other users on that project but not necessarily everyone on Jira or on other projects.

That's how the new functionality works. If a user does not have the Browse Projects permission in a specific project, they will not appear in @ mention the dropdown on issues within that project.

Thanks @23ef3e30d63c, no i don't think this helps. The problem is that for many Jira users, we don't want all of our project users seeing all of our projects. We want people on a project to be able to see and reference other users on that project but not necessarily everyone on Jira or on other projects.

Eg one project might be for CokeCola and the other project might be for Pepsi (just as examples).

The product has changed since this ticket was created. In order for a user to appear in the @ mention dropdown now they must have the Browse Projects project permission of a company-managed project. Does this satisfy the requirements of the watchers of this ticket? Thank you!

The watchers of this ticket may be interested in this post: Improvements to Browser User permissions (User Searchability by Project). Please add any questions or comments there.

Pretty sure Atlassian is not even paying attention to this... It's been years... I implore everyone to reach out to Atlassian directly and highlight the need to have this issue fixed.

This is a must for any company using Jira with clients that are active participants in projects. Kind of crazy that we are still waiting on this. 

Super valuable.  Would love to know the eta on this being available. 

such a valuable feature request, yet overlooked for so long !

This is a serious issue with our client confidentiality standards. We have no solution but to anonymize the client names in our IDP using random characters instead of real names. This will eventually compromise the collaboration experience but unfortunately because of these poor product designs , we are completely blocked . 

Hi Sean,

You're right, I meant or course Browse Projects permissions.  

I'm happy I could help  

K.r.,

Anna

HI Anna, thank you for the response.  Where do you see Browse issues?  Are you using Jira Cloud or Jira Server?  Which product(s) are you using?  For me, this issue persists in Work Management and Software, but I see you make reference to Service Management, maybe it has a different permission scheme there (if that's what you're using)?

Edit: I created a Service Project and it has the same permissions, maybe you mean Browse Projects?

Edit again: So the only difference between what you had and what I had (assuming you meant Browse Projects) was the Assign Issues permission.  I restricted that to the two groups that should have access (internal / client) and that worked!  Now @mentions will only select from those two groups.  That's silly those two permissions are tied together, but at least it works now!

Hi Sean,

To be honest, I don't know  

I assigned Browse users and groups GLOBAL permissions. Additionally, in the project permissions scheme, Browse issues, Assignable user and Assign issues permissions are restricted to few project roles. __ While granting the access to the project, we add a user in the People section and assign him one of the project role used in the permission scheme.  This allow us to browse only project users in the Assignee field. 

Just guessing, can it be somehow related to the settings of the Assignee field or Browse issues project permissions? 

Anyway, it was done just for tests. We need to have Browse users and groups GLOBAL permissions turn off for customers as this also allows to browse ALL users in User Workload Report + see all names in Collaborators on users profiles.

K.r.,

Anna

To Anna, how did you get mentions to be restricted to project access.  To the best of my knowledge, this is a global permission (Browse Users and Groups), and I cannot find a similar permission for projects.

Hi All,

I have the impression that mention in comment was somehow corrected - we can only see users assigned to the project + some "plugin" (not real) users like Jira Outlook, Jira Service Management Widget etc. Assignee field also works correctly, with opposition to Reporter field (but, this can be solved with removing Modify Reporter in project permissions scheme). 

The only issue we experience is with User Workload Report (all users can be browsed) and with user's profile (in the Collaborators, all Jira users are visible). 

K.r.,

Anna

Same as Johan below, we provide client access at the project level in work management (one client per project).  I only just now figured out that they had access to assign users from other clients (permission scheme updated), but unfortunately there is not a way to do the same for mentions.  I imagine the coding to do so would be significantly more difficult than restricting access to a particular field, but the criticality is the same.  

We're also working with customers who are competitors and it's very awkward that they can simply @ and scroll through to see which other customers we have. But not giving them browse users and groups doesn't really work either since it hampers communication in issues. It is to me baffling that this hasn't been solved in 9 years time.

This is a must-have, please address.

This feature is crucial.  Please add it. 

Yes, please add this feature.  Thanks!

Please add this feature ASAP. It would be extremely helpful.

This would be extremely beneficial for our company to utilize!  We struggle with the issue all the time.

We definetly need this feature!
Please take it into account.

this feature would be a game changer in how we manage projects in my organization, please consider implementing it

We manage different projects from COMPETING suppliers, now they can mention each other.... how convenient (sarcasm alert)

This would be great to have!

It would be really appreaciated.
 

I think it's a great idea!

We don't want it.... We need it

We need this feature too.

I think that is a very important feature!

It would be useful to have this implemented.

+1 waiting for this feature to be added!

this is a very important feature,
so can you add it?

thank you

Looking forward to see this completed. Will make a noticeable difference.

This is definitely needed as soon as possible.

I was confused when I discovered this was not a platform feature. However, I'm sure that it will become a feature in future.

We need this feature released asap, please consider to resolve it, thank you.

this is a very important feature, please add it, thank you!

@Atlassian ...

Hi Atlassian, could you be a doll and prioritize this?  Its impact is quite obvious and long-lasting, judging on previous comments alone if you don't want to think about it yourself.  

good idea!

Maybe all of those who are writing a comment here can motivate their companies users to vote for this issue. This is what i have done today.

Please, prioritize this issue, thank you!

I raised a support request with Atlassian and received a fairly standard response 

"

Good day, Jason.

Hope you are doing well.

Thanks for reaching out to us! My name is Utkarsh and I will be assisting you on this support case.

From the case description, I understand that you want to allow certain users to mention certain users. Please correct me if my understanding is wrong.

I certainly understand the difficulty and I sincerely apologize for the inconvenience that is being caused to you because of the feature.

You're right, the users who can mention other users are controlled by the Brouse user's and group's Global permission. Anyone with this permission can mention anyone else. There is no further control over this on the project level. 

We have this feature request (I guess this is the one you are talking about) that requests further control-

• ID-8129 - Ability to restrict what Projects, users or groups appear in @-mention results

I know there haven't been any updates on this one and I'm sorry for that but I'd like to share that there are a number of factors that determine how we prioritize the feature request and if a feature is implemented or not. Those can be found in our Implementation of New Features Policy. As per this page-

There are many factors that influence our product roadmaps and determine the features we implement. When making decisions about what to prioritize and work on, we combine your feedback and suggestions with insights from our support teams, product analytics, research findings, and more. This information, combined with our medium- and long-term product and platform vision, determines what we implement and its priority order.

I can certainly understand the pain and how frustrating it might be for you but there is very limited that we can do here. At the same time, I'd request you to Vote the issue as it's taken into consideration when we're prioritizing the bug.

I would appreciate your feedback on the feature, you can do this by leaving a comment on the ticket."

Such a joke, is this thread even being reviewed by Atlassian???

Please everyone - add a comment and upvote. Maybe by some miracle this will get Atlassian's attention. 

To sad that we probably will "celebrate" 10 years of "Gathering Information" in March 2024. Why should something change after 9 years... 

this is a feature that we are being asked frequently. please add it quickly. thank you

please add it, thanks

Hot take: This problem existing has saved us money (that Atlassian is missing out on) because instead of providing Jira accounts for our customers, we just use an issue collector and completely keep them out of our Jira projects.

It will be very helpful on my company. Waiting for the release.

Thank you