ACP-120 Domain 3: Product and Project Access and Permissions (30-35%) - Complete Study Guide 2026

Why Domain 3 Defines Your ACP-120 Score

If you are preparing for the Atlassian Certified Professional - Jira Administration for Cloud exam, Domain 3 is the single domain you cannot afford to treat lightly. At 30-35% of the total exam weight, Product and Project Access and Permissions is the largest content area by a significant margin. Every other domain - from User Features at 10-15% to Workflows and Automation at just 5-10% - covers less ground.

That weighting is not arbitrary. Access and permission management is where Jira Cloud administrators spend the most real-world effort. Misconfigured permission schemes cause data exposure incidents, support tickets, and failed audits. Getting this layer right is the job. Atlassian built the ACP-120 to test whether you truly understand how permissions layer, conflict, and cascade - not just whether you can navigate the admin UI.

With up to 75 questions across 180 minutes and a passing threshold of 63%, you can do the rough math: Domain 3 contributes somewhere around 22 to 26 questions. Clear those and you have a substantial head start on passing. Struggle with them and you may fall short even if you excel in every other domain. For a broader view of how all eight domains compare, see the ACP-120 Exam Domains 2026: Complete Guide to All 8 Content Areas.

Exactly What Domain 3 Tests

The ACP-120 Exam Topics v3 (April 2021) organizes Domain 3 around several distinct capability clusters. Understanding which clusters exist - and which ones generate the most exam questions - shapes how you allocate your study time.

Notice that this domain spans multiple layers of the Jira Cloud architecture. You are not just learning one menu - you are learning how an action at the product-access level interacts with a permission scheme entry, which interacts with a project role assignment, which interacts with an issue security level. That layered complexity is what makes Domain 3 challenging and what the exam specifically probes.

Permission Schemes: The Core of Domain 3

Permission schemes are the central mechanism through which Jira controls who can do what inside a company-managed project. Every company-managed project is associated with exactly one permission scheme. That scheme maps individual permissions - such as Browse Projects, Create Issues, Edit Issues, Delete Issues, Manage Sprints, and Close Issues - to entities like users, groups, project roles, or the reporter and assignee of an issue.

What the Exam Tests About Permission Schemes

The ACP-120 does not ask you to memorize a list of every available permission. Instead, it presents a scenario - for example, a team lead who needs to close issues but not delete them, or a client group that must view a project but never add comments - and asks which permission scheme configuration achieves that outcome without over-granting access.

Key concepts to master:

• Permission inheritance and scheme sharing: Multiple projects can share one scheme. Changing the scheme affects all projects attached to it simultaneously. The exam regularly tests whether you understand that shared scheme impact.
• Scheme copies vs. direct edits: When you need to adjust permissions for one project without affecting others, you copy the scheme first. The exam may present this as a scenario where a candidate must decide whether to edit in place or copy.
• Anonymous access: The Browse Projects permission can be granted to Anyone (including anonymous users). This is a classic security-misconfiguration scenario the exam uses.
• Application Access vs. Browse Projects: Having a Jira Software license does not automatically grant Browse Projects on a specific project. The distinction between product access and project-level browse permission is a frequent exam point.

Project Roles and Role Membership

Project roles are one of the most powerful - and most misunderstood - features in Jira Cloud administration. A project role is a named category (like Developer, QA Lead, or Stakeholder) that exists at the global level. Individual projects then populate that role with specific users or groups. Permission schemes reference the role, not the individuals, which keeps schemes reusable across many different teams.

Default Membership vs. Project-Specific Membership

This distinction appears repeatedly on the ACP-120. Default role membership applies to every project that uses the role unless the project overrides it. Project-specific membership overrides the default for that project only. The exam will present scenarios where a developer is unexpectedly getting access to a new project and ask you to diagnose why - the answer is almost always default role membership.

Role-Based vs. Group-Based Permissions

Product Access, Site Access, and Managed Accounts

Jira Cloud operates within the broader Atlassian Cloud infrastructure, and Domain 3 requires you to understand the layers above the project level. Site access refers to whether a user can log in to your Atlassian site at all. Product access refers to whether a logged-in user has a license for a specific product (Jira Software, Jira Service Management, etc.). Project-level permissions operate beneath both of these.

Why These Layers Matter for the Exam

A user who has site access but no Jira Software product access cannot interact with Jira Software projects regardless of how the permission scheme is configured. This is a fundamental architectural point the ACP-120 tests through troubleshooting scenarios: a user complains they cannot see a project, and the correct diagnosis is that they were never granted product access - not that the permission scheme is wrong.

For context on how user provisioning connects to the earlier domain work, the ACP-120 Domain 1: User Features (10-15%) study guide covers user management fundamentals that feed directly into Domain 3 scenarios.

Issue Security Schemes

Issue security is a separate access layer that controls which users can see individual issues, even within a project they already have Browse Projects permission on. This is a critical distinction. Issue security does not replace permission schemes - it supplements them with finer-grained, issue-level visibility control.

How Issue Security Works

• An issue security scheme defines one or more security levels (e.g., Internal Only, Management Only, Public).
• Each security level specifies which users, groups, or roles can view issues at that level.
• A reporter or admin assigns a security level to an individual issue.
• If a user does not belong to the security level on an issue, the issue is invisible to them - even if they have Browse Projects permission on the project.

Common Exam Scenarios Around Issue Security

The ACP-120 frequently tests issue security through scenarios where a user can see most project issues but mysteriously cannot see a specific issue. The correct answer involves checking the issue's security level and whether the user is in the corresponding security level membership. A secondary scenario involves a project that shares an issue security scheme - changing the scheme affects all attached projects simultaneously, mirroring the shared-scheme problem for permission schemes.

Global Permissions vs. Project Permissions

Global permissions apply across the entire Jira instance, not to individual projects. They control high-level capabilities such as administering Jira, creating projects, managing users, and bulk-changing issues. Project permissions, by contrast, are scoped to a single project through its permission scheme.

The ACP-120 tests this distinction in troubleshooting scenarios. For example: a user needs to be able to administer a specific project only - this requires the Administer Projects project permission, not a global Jira Administrators membership. Granting global administrator access to accomplish a project-scoped need is an over-permission error the exam specifically expects you to identify and avoid.

For candidates looking at how the difficulty of questions like these is perceived across all domains, the Complete Difficulty Guide for the ACP-120 provides useful context on what makes Domain 3 particularly demanding compared to other sections.

How the Exam Questions Phrase Domain 3 Scenarios

Understanding the content is necessary but not sufficient. You also need to understand how the ACP-120 formats its questions, because the question style itself is a skill to practice. The exam uses multiple-choice, multiple-response, and scenario/configuration-reasoning items across its 75 questions and 180-minute window.

Domain 3 questions tend to follow these patterns:

1. Identify the right layer: "A user can log in to the site but cannot see Project X. What is the most likely cause?" - You must determine whether the issue is product access, Browse Projects permission, or an issue security level.
2. Choose the least-privilege solution: "A consultant needs to create and edit issues in one project only. What is the correct configuration?" - You must grant the minimum necessary permissions without over-extending access.
3. Diagnose shared-scheme side effects: "An admin modified a permission scheme to allow external users to browse Project A. Users in Projects B, C, and D are now reporting unexpected access. Why?" - You must recognize the shared scheme relationship.
4. Multiple-response identification: "Which two of the following entities can be assigned to a permission scheme entry?" - You must know all valid entities: users, groups, project roles, reporters, assignees, and others.

Practicing these question types against realistic scenarios is the fastest preparation method. The ACP-120 Exam Prep practice test platform includes scenario-based Domain 3 questions built around the exact configuration-reasoning format used on the live exam.

A Domain-Weighted Study Schedule

Because Domain 3 carries so much weight, it deserves the most dedicated preparation time. Here is a four-week schedule calibrated to ACP-120 domain percentages:

The Five Mistakes Candidates Make in Domain 3

Reviewing where candidates go wrong in Domain 3 is just as valuable as reviewing what to study. These five patterns consistently trip up people who otherwise know Jira administration well.

1. Confusing permission levels with roles. A project role is not a permission - it is a container for people. Permissions are granted to roles. Candidates who blur this distinction consistently fail multi-step scenario questions.
2. Forgetting team-managed project permissions. Team-managed (formerly next-gen) projects do not use traditional permission schemes. Access in team-managed projects is controlled through simpler access levels (Private, Limited, Open). The exam expects you to know this architectural difference.
3. Underestimating anonymous access scenarios. Questions about public-facing Jira projects, where Browse Projects is granted to Anyone, appear more often than candidates expect. Know the security implications cold.
4. Treating issue security as optional knowledge. Because issue security is used less commonly in small teams, candidates under-study it. The ACP-120 tests it proportionally more than many candidates anticipate.
5. Skipping the troubleshooting angle. It is not enough to know how to configure permissions - you must know how to diagnose why a user cannot perform an action. Practice the diagnostic reasoning: layer by layer, from site access → product access → project permission → issue security level.

For a deeper look at the overall exam challenge level and how Domain 3 compares with others in terms of question difficulty, see ACP-120 Pass Rate 2026: What the Data Shows.

Frequently Asked Questions