User with "Project Create" permission gets administrative access as Project Admin
Hi everyone,
I've noticed an issue regarding the permissions of users who can create projects.
Currently, if a user is assigned to a group with the "Project Create" permission, they are able to create a project as expected. However, upon creating the project, the user is automatically assigned the "Project Admin" role.
The problem is that with the "Project Admin" role, the user gains access to the global administration settings. They are then able to edit custom fields, install/modify apps, change workflows, and other administrative settings that should ideally be restricted to Global Administrators.
Is this the intended behavior, or is there a way to limit the "Project Admin" role so that it only applies to project-specific settings and not the overall system administration?
Thanks in advance for your help!
Please sign in to leave a comment.
Hi Joern! This is the intended behavior. When a user creates a project, YouTrack automatically grants them the Project Admin role scoped to that project, since the person who creates a project needs to be able to manage it. The Project Creator role docs describe this directly.
The Project Admin role includes the Update Project permission, which is why users with this role can see sections such as Custom Fields, Workflows, and Apps in the Administration menu. That said, the access is project-scoped, not global. Users can see the full list of custom fields on the instance to reuse existing ones when configuring their project, but they can only modify fields used exclusively in their project. Shared fields are read-only for them. Similarly, for workflows, they can read all workflows and create new ones, but can only modify workflows attached to their own project. True global settings — users, groups, auth modules, backup, instance configuration — are not accessible to Project Admins at all. One more thing worth noting: if a role containing only globally scoped permissions (such as System Admin) is assigned at the project level, the assignment has no practical effect, since project-scoped grants activate only project-scoped permissions.
As for limiting what Project Admin can do — this isn't currently possible. The Update Project permission is all-or-nothing for project management rights. Granulating it into more specific sub-permissions is a frequently requested feature tracked in JT-46360 — feel free to vote for it.