Trace access in Jira Cloud by starting with the user and target project, then checking app access, global permissions, the active permission scheme, Browse Projects, role membership, group membership, and work item security if the symptom is item-level.
Use this guide to decide the next review route.
Why this matters
Access tracing is where permission cleanup becomes defensible. Without a complete path, admins risk removing the wrong membership, missing a second grant, or failing to explain the decision later.
For this question, the useful answer should help an admin decide what to check now, which rows to hold out, and which proof should survive after the change. That is why this page stays inside a narrow operational boundary instead of becoming a general governance essay.
Review the group cleanup risk before the Jira change
If this group may be deleted, renamed, replaced, or used in shared permissions, review Group Cleanup Radar first. The useful buying question is whether another reviewer needs exact usage and evidence before the admin changes anything.
Working scenario
A security owner asks why a vendor can see a project. The admin needs a step-by-step trace that shows the vendor has app access, belongs to an external group, the group is in a project role, and the role has Browse Projects in a shared scheme.
Define the exact question
Write down the user, project, work item if relevant, permission being tested, and observed symptom. A vague question like 'why do they have access' is too broad to trace reliably.
Check app access first
If the user cannot enter Jira, project permissions may not matter. If they can enter Jira, continue into project-level permissions.
Follow the project permission path
Find the active permission scheme, then inspect Browse Projects and any specific permission being investigated. Expand each grant holder instead of stopping at the visible name.
Expand groups and roles
Resolve role membership for the project and group membership for each group. Note default groups, externally managed groups, service accounts, and app/system roles separately.
Use helper tools carefully
Permission helper is useful for a work item and permission check, but it should be paired with a broader access-path record when the decision involves group cleanup or project visibility.
Save the trace
Keep the final trace as evidence: user, project, scheme, permission, grant holder, expanded membership, owner, decision, and action. This is the handoff for approval and audit.
Decision table
| Signal | What to verify | Decision or evidence |
|---|---|---|
| Whether the user has product access before project permissions matter | Confirm the current state, owner, and source before acting. | Preserve the reason and evidence in the review record. |
| Which permission scheme controls the project | Confirm the current state, owner, and source before acting. | Preserve the reason and evidence in the review record. |
| Which project roles include the group or user | Confirm the current state, owner, and source before acting. | Preserve the reason and evidence in the review record. |
| Whether Browse Projects is granted through more than one path | Confirm the current state, owner, and source before acting. | Preserve the reason and evidence in the review record. |
Common mistakes
Most cleanup errors happen when an admin treats a partial signal as a complete answer. These are the failure modes to watch for on this topic:
- Starting with group removal instead of tracing the full path.
- Using Permission helper as the whole audit record.
- Ignoring global permissions when the symptom is broad capability.
- Stopping at a project role name without expanding members.
Checklist
- Write down the user, project, work item if relevant, and exact permission.
- Confirm Jira app access.
- Check global permissions when the symptom is site-wide capability.
- Find the active permission scheme and Browse Projects grant.
- Resolve role and group membership all the way to users.
- Save the trace with owner decision and evidence before changing access.
Official Atlassian references
- Atlassian Support: How does app access work?
- Atlassian Support: What are global permissions, and what do they control?
- Atlassian Support: What are permission schemes in Jira?
- Atlassian Support: How to use space roles
- Atlassian Support: Check a user's access from a work item
- Atlassian Support: Find groups used in Jira Cloud permission schemes