Restrict Issue Visibility with Permissions
The default Reporter role in YouTrack is designed to let users create issues and monitor their progress in YouTrack. However, the default permissions that are granted to this role also let reporters view and update issues that were created by other users in a project.
One of the most common access management use cases is to restrict access to users so that they can only see the issues that they reported themselves. Issues that were reported by other users are hidden. This type of setup is especially relevant when the issues can contain sensitive information that should only be available to a select group of authorized users. The original reporter should still be able to view the original request and provide additional information, when needed.
To illustrate this use case, consider the following scenario.
Imagine that you have an accounting team whose members help other employees pay work-related invoices. The team processes payments for business trips, advertising, conferences, and the like. They use YouTrack as a means of transparent communication with other departments. Various employees create issues that contain the details of the requested payment and a copy of the invoice. The payment details and invoice are considered to be sensitive data. Therefore, each issue must visible only to the reporter and the members of the accounting team.
Revoking the Read Issue Permission
The key to satisfying this use case is the Read Issue permission.
- The Read Issue permission grants users the ability to view issues (public fields only) in a project.
- The Create Issue permission not only lets users create issues in a project but also gives them inherent read access to the issues they create themselves.
All you need to do is revoke the Read Access permission from your group of reporters.
To apply this restriction in all projects:
- Revoke the Read Issue permission from the default Reporter role.
- Assign the modified Reporter role to the All Users group in the Global project.
- Revoke all other roles from the All Users group.
To apply this restriction in specific projects:
- Check the All Users group for roles that contain the Read Issue permission in the Global project. If present, revoke these roles from the All Users group.
- Create a dedicated group and add all of the users who are allowed to report issues as members.
- Create a custom role with a name like Restricted Reporter and grant it all of the permissions that are assigned to the default Reporter role except for Read Issue. For the list of permissions that are assigned to the default Reporter role, see Default Roles.
- Assign the Restricted Reporter role to the dedicated group in your project.
In either case, members of the project team and other users who are assigned higher levels of access are able to view and update all issues in the project. You can grant higher levels of access to specific users on a per-project basis.
Alternatives to Permission-based Access Restrictions
To read an issue, a user must have permission to read the issue in the project and belong to the list of users for whom the issue is visible. YouTrack checks the permissions first. If they are sufficient, it then determines whether the user is a member of any group for which the issue is visible or has been added to the Visible to list as an individual.
You can use the issue visibility settings to make users only see the issues that they reported themselves. If permission-based visibility restrictions alone do not support your use case, consider the following alternatives:
|Update issue visibility settings manually||To hide issues from other users, the reporter can change the issue visibility from All Users to a dedicated group that excludes other reporters. In the use case described here, the reporter can restrict issue visibility to members of the accounting team. The limitation to this approach is that reporters must always remember to set issue visibility correctly. For more information, see Set Issue, Comment, and Attachment Visibility.|
|Update issue visibility automatically||You can update the visibility settings automatically when a reporter creates an issue. This behavior is supported by workflows. For a detailed description with sample workflows, see Restrict Issue Visibility with Workflows.|