So far, all content we have created can be viewed and edited by anyone who has access to Confluence, and even without logging in if you're enabled an anonymous login. When your company's information and documentation is in Confluence, allowing anyone to view or edit them might not be the best security setting.
Confluence gives you all the tools to make your installation as open or as closed as you would like it to be. While we go over the options and how to enable them, please keep the following points in mind:
So, restrict a space or page only if you have a good reason for doing so.
In a situation where everybody works on documents on their own desktop, people aren't used to getting feedback and input. This can be a cultural shift that a company has to go through while starting to work with Confluence. Before restricting access to a space, page, or blog post, ask yourself, "Why should this document be private and what is the harm in making it more visible within my organization?"
Global permissions are site-wide permissions and can be assigned only by system administrators and Confluence administrators. Global permissions can be assigned to groups, individual users, and anonymous users.
Before we go into how to change the different global permissions, it's good to know the different administrator roles:
How the different roles are related to each other is illustrated in the following diagram:
As a user within the confluence-administrators group is allowed to view and edit all content, it is recommended to use a different user account for day-to-day work. With the System Administrator permission, all administrative functions can be performed but your administrators aren't allowed to view all content.
A super user account would only be needed if restricted content can't be accessed by anyone anymore. The super user can still access the content and restore the restrictions.
If you are a Confluence administrator, you can add users and groups to the global permissions to determine their permissions.
To view the global permissions:
To add permissions for a group, perform the following steps:
To add permissions for a user, perform the following steps:
To add or edit the permissions of groups and users, perform the following steps:
In the previous steps we learned how to manage the different global permissions. In the following table those different global permissions are explained. These permissions are also displayed in the previous screenshot.
We have already learned that a user with System Administrator permission is allowed to perform all administrative functions within Confluence. A user with Confluence Administrator permission is only allowed to administrate just a subset of those functions.
You can give the Confluence Administrator permission to users who should be able to perform most administrative functions, but should not be able to perform functions that can compromise the security of the Confluence system.
The following functions are granted to the System Administrator permission but excluded from the Confluence Administrator permission to ensure your Confluence instance integrity and security.
Some things to keep in mind while working with global permissions are that users with:
Every space has its own set of permissions. These permissions determine the access to the space for specific users and groups. In order to assign these permissions, a user must be space administrator, that is, they should have the Admin permissions for that space.
The following is the list of different permissions you can set on a space level:
Permission |
Description |
---|---|
The user can view this space's content. This includes pages and blog posts. Without this permission the user cannot access the space at all. | |
The user can add and edit pages in this space. | |
The user is allowed to remove pages in this space. | |
The user is allowed to create and edit blog posts. | |
The user is allowed to remove blog posts in this space. | |
The user is allowed to make comments in this space. | |
The user is allowed to remove any comments in this space. | |
The user is allowed to add attachments to this space. | |
The user is allowed to remove any attachments in this space. | |
The user is allowed to delete mail items. | |
The user is allowed to export content from this space. | |
The user has administrative permissions over this space. |
If, by mistake, all administrative access to a space is removed, nobody has access to administer the space anymore. This could, for example, happen if somebody who was a space administrator leaves the company or a group with Space Administrator permissions is removed from Confluence. In such a case, somebody from the confluence-administrators group needs to help you to fix the permissions.
Permissions can be granted to groups or to individual users. You need to be a space administrator to assign space permissions. A Confluence administrator can also set the default permissions that will be applied when a space is created; this is explained in the following section.
To access the space permissions, you will need to perform the following steps:
On the space permission screen you will notice the following three sections:
To assign permissions to groups, perform the following steps:
To assign permissions to users:
To assign permissions to anonymous users:
Anonymous users can't be granted space administration rights or the permission to restrict pages.
Page restrictions are the lowest tier where you are able to control access to your content. With page restrictions you can control who can view or edit individual pages.
Before we get to how to set and manage page restrictions, it good to know how Confluence handles permissions and restrictions. Permissions and page restrictions work in a hierarchical manner. This means that a user who can access and modify global permissions can define which users can access and modify space permissions. Space administrators can then define which users have access to create and modify pages. These users can then apply viewing and editing restrictions to a page. Child pages inherit the viewing and editing restrictions from their parent.
If you translate this into a diagram, it will look something like this:
I already mentioned that child pages inherit the view restrictions set on the parent page. This is also true for child pages of those child pages and so on. If a view restriction is set to a page that already has inherited restrictions from its parent, users must satisfy both restrictions in order to see that page.
Edit restrictions are not inherited from the parent page, only from the space. Edit restrictions have to be reapplied to child pages.
We will first talk about viewing page restrictions.
When you are viewing a page with page restrictions applied to it, you will notice a small padlock icon in the byline of the page, directly below the page title. If you click on that icon, the page restrictions dialog will appear, displaying the full details on the page restrictions.
When you are editing a page, you will notice a restrictions button at the bottom of the screen. Clicking on this button will also display the page restrictions dialog.
Next we will take a look at setting page restrictions. In order to set page restrictions, perform the following steps:
To remove page restrictions, perform the following steps:
Next we will look at viewing restricted pages. As a space administrator you can view all pages that are restricted. From within this view, it is also possible to remove page restrictions. For example, you may need to do this when there is nobody who can access a certain page anymore.
18.118.37.154