To set visibility of an issue, a comment, or an attachment, you need to use visibility attribute of the respective entity. However, by default this attribute has a common ancestor type for the both actual limited and unlimited types of visibility. Because of this, to update the visibility of an entity, you must provide explicitly the actual $type of the visibility attribute that you need in the body of a POST request.
To limit visibility for an entity, you must specify "$type": "LimitedVisibility" and then permittedGroups and/or permittedUsers attributes. permittedGroups and permittedUsers attributes should contain collections of entity ID's for groups and users, respectively, that should be able to view the target entity.
For example, the following JSON limits visibility of an entity to a group and two particular users: