Issue Summary

When removing the user's product access, the project roles settings are still maintained and the user can be mentioned and set as an assignee or reporter.

Although the user will not be able to directly access the Jira project, if not public, they may still receive undesired or confidential notifications.

Steps to Reproduce

1. On Atlassian Admin, create or update a new user to have no group membership or product access.
2. On Jira site, go to a Company-managed project and add the user to a given project role (for example, Administrator) on Project Settings > People.
3. On the Jira site, make sure that the permission scheme associated with this project has the project role in question associated with permissions related to the desired action (for example: Browse Settings and Assignable Users for the Assignee Field).
4. Verify that the desired action can be completed regardless of site access.

Expected Results

• Once user loses their product access, they should not be able to be set as an assignee or be mentioned on issues.
  • Behavior should be similar to when the user is suspended: the permissions previously granted to them still exist, but other users are unable to see them as assignees or mention options.

Actual Results

• The users can be mentioned and set as an assignee or reporters, regardless of not having product access.

Workaround

• Org admins need to manually verify all project roles associated with the user they are removing the Jira product access, and notify the project admins so they can take action.
  • The workaround may be time-consuming and difficult to coordinate, depending on how many projects and users are being reviewed.