System-generated Groups
When simplifying the permission model, certain permissions may be removed and replaced with the ability to manage access through an optional feature. To ensure access is preserved during this transition, the system automatically creates a group, adds all users who previously had the removed permission as members of this group, and then associates the group with the feature. This ensures a seamless migration while maintaining the same level of access for affected users.
Reports Feature Group
In YouTrack version 2026.1, specific permissions for creating and reading reports were replaced with the optional Reports feature. By default, this feature is available to members of the Registered Users group.
During upgrade, the system checks for roles that included the retired Read Report or Create Report permissions. In situations where a subset of the Registered Users group was given access to read or create reports, the system automatically creates a Reports Feature group and gives it access to the optional Reports feature.
Read Groups Feature Group
Starting with version 2025.3, access to user groups in YouTrack is determined globally:
Users can view a group if they are members of a group stored in the Visible to setting for the group.
Users can update a group if they are members of a group stored in the Updatable by setting for the group.
When transitioning to this model from the old project-based permission structure, new groups were automatically created to preserve existing access for users who previously had project-specific Update Group permissions. These groups were named <project name> user group managers and were added to the group access settings for relevant groups. Any users granted Update Group permission in a specific project were made members of these system-generated groups during the upgrade to version 2025.3 or later.
Upgrade to version YouTrack 2026.1 further simplified the model by eliminating group permissions. During upgrade, a one-time migration may create an auto-generated Read Groups Feature Group. This group preserves existing access by giving it access to the optional Read Groups feature.
The migration creates this group only if it finds at least one user who had Read Group access before the upgrade and would lose equivalent access under the new scheme. If no such users are found, no group is created and nothing is added to the Read Groups feature.
Membership in the Read Groups Feature Group is given to:
Users who were granted access to the legacy Read Group permission.
For upgrades from 2025.3 and later, users who had read access as members of groups referenced in Visible to settings for specific groups.
Membership was not granted to users who are able to read groups under the new scheme due to broader administrative permissions (Update Project or Low-level Admin Read).
Read User Full Group
One of the major changes to the permission model introduced in YouTrack 2026.1 reduced the number of roles that spanned multiple permission scopes to the default System Admin role. As a result, permissions with global scopes were removed from the default Project Admin and Contributor roles. Since the Read User Full permission is globally scoped, it was removed from both roles.
To preserve access for users who were granted either of these roles in specific projects, any user granted Read User Full was added to an auto-generated Read User Full Group. By default, this group is assigned the role named Read User Full Role at the global level.
This isolates a sensitive permission into a single place (the Read User Full Role), while still preserving existing access.
Create Project Group
The refactoring that preserves access to the Create Project follows a similar upgrade pattern as for the Read User Full permission described in the previous section. It removes a powerful permission from a broad default role while ensuring nobody loses effective access after the upgrade.
In this case, the globally scoped Create Project permission was removed from the default Project Admin role. To preserve access, users who were granted this role in specific projects were added to an auto-generated Create Project Group which is assigned the default Project Creator role. To learn more about this role, see Project Creator.
The purpose here again was to isolate a powerful global permission from a project-scoped role while still preserving existing access rights.
Create User Group
The group named Create User Group preserves access to the Create User permission when upgrading to the latest permission model. As with the Create Project permission, Create User is a globally scoped permission that was removed from the default Project Admin role.
This group contains all users and groups previously granted the Project Admin role and is granted the default User Manager role. To learn more about this role, see User Manager.
Read Organization Group
The last group to be generated automatically during the upgrade to YouTrack 2026.1 is named Read Organization Group. It preserves access to the Read Organization permission, a globally scoped role that was removed from the default Project Admin and Contributor roles.
During upgrade, any user granted these roles was added to an auto-generated Read Organization Group. By default, this group is assigned a role named Read Organization Role at the global level.