The permission system within JIRA seems to be based upon the idea that a lot of users are part of multiple projects with the same permission types. This results in the fact that users are linked to permission schemes instead of projects. In our situation and i believe for a lot of other people, users are linked to one or a few projects and should not be able to see or enter other projects. This means that users and/or groups should be linked to a project first. Permission schemes should be generic and able to be linked to a project. The combination of the members of a project and the assigned generic permission schemes to the project and its members assures which permissions project members within that project have. This approach prevents the definition of a lot of the same type of permission schemes and lots of different usergroups (read projectteams).

In other words, in my opion you should create permissions schemes as 'project roles' so you only have to create a few permissions schemes, link them to a project and then assign users to the permission schemes (project roles) within that project. This will prevent those users to be able to enter other projects because they are not linked to that scheme systemwide but only within a project.

Looking forward to your reply and/or comments.

Regards, Paul