Skip to content
Foundation Docs

Permission model

Foundation’s permission model combines two layers: your role on a specific lens, and your permissions in Jira itself. Understanding both is the fastest way to debug why a teammate can or can’t see something.

Read this page before you share any lens more widely.

Four lens permission levels

Section titled “Four lens permission levels”

Every grant on a lens has one of four levels, from least to most powerful:

  • View — open the lens, see its tree, read columns. Cannot edit anything.
  • Edit — everything in View, plus inline edit, drag-and-drop, and bulk edit on issues you can edit in Jira.
  • Edit generators — everything in Edit, plus create, modify, and run Sync Agents.
  • Control — everything in Edit generators, plus share the lens, change other people’s permissions, and delete the lens.

The owner of a lens always has implicit Control — you can’t remove your own ownership, only transfer it.

Grantees can be users, groups, or roles

Section titled “Grantees can be users, groups, or roles”

When you share, you can grant to:

  • A specific user (by name or Atlassian account).
  • A Jira group — every current and future member inherits the level.
  • A Jira project role — handy when your teams already follow project-role conventions.

Groups and roles resolve to members at check time, so adding someone to a group automatically grants them access.

Jira BROWSE decides which issues show up

Section titled “Jira BROWSE decides which issues show up”

Lens-level access gets you into the lens. Jira-level BROWSE decides which rows you actually see inside it.

  • Foundation batch-checks BROWSE for every issue in a lens when you open it.
  • If you lack BROWSE on an issue, that row is hidden from your view.
  • Hidden parents hide their children — if you can’t see an epic, its stories stay hidden too.
  • The result is cached for 15 minutes per user, so permission changes take up to that long to propagate.

This means two people with the same lens permission can legitimately see different sets of rows.

Fail-open on Jira outages

Section titled “Fail-open on Jira outages”

If Foundation can’t reach the Jira API to verify BROWSE, it assumes you do have access rather than hiding everything. This prevents a Jira outage from looking like a data loss. When Jira comes back, the next load re-checks.

Quick decision guide

Section titled “Quick decision guide”
  • Sharing a lens with an executive for read-only? View.
  • Sharing with a team who should edit their own work? Edit.
  • Sharing with a portfolio manager who tunes Sync Agents? Edit generators.
  • Co-owners who should manage sharing? Control.
Section titled “Related”