Do you really know Confluence Permissions? - How to prevent information leak?

February 15, 2016

Ultimate Permission Manager has been acquired

Atlassian has acquired the Ultimate Permissions Manager app. For more details, please see the Atlassian blog post and the META-INF blog post.

Effective May 3, 2019, this app has been removed from the Marketplace and is no longer available for purchase or maintenance renewal. In accordance with Atlassian's End of Life policy, the Ultimate Permissions Manager app will have support for two years, with an end of life date of May 3, 2021. While the app is supported, please raise issues with Atlassian directly via support.atlassian.com.

"Do you really know Confluence Permissions?" is a series of articles focusing on some rarely known, non-trivial and sometimes absolutely surprising aspects of Confluence Permissions. Stay tuned to learn everything we've found through our exciting journey to discover the absolute details.

Some Background

You may ask yourself what is so exciting about Confluence permissions: they are well documented, you just set some flags on users or groups and you're done. However, we found this is far from true.

Confluence permissions not only have multiple levels (site, space, page) but also interact with each other, and often result in unexpected effective permissions that are hard to spot and understand in a Confluence instance.

In other words, effective permissions sometimes derive from implicit combinations of individual permissions: they are the permissions users effectively have, whether or not those permissions were directly assigned to them.

Because of the number of levels and the complexity of (effective) permissions and page restrictions, spread across the dozens or hundreds of spaces and pages in your Confluence instance, users or groups may end up with unwanted access to pages, risking an information leak. This is just one example of why understanding permissions is crucial to operating a mid-sized or large Confluence instance.

In this and subsequent articles we'll showcase examples and hidden secrets of Confluence's permission system, and we'll show you how to manage permissions all over your Confluence site. Let's start our journey!

Information leakage in your organization

To run a Confluence site, three things are necessary: keep the secret, keep the secret, and yet keep the very secret... but sometimes your secret information is leaking.
According to Wikipedia: "Information leakage happens whenever a system that is designed to be closed to an eavesdropper reveals some information to unauthorized parties nonetheless."

Is it a common problem for organizations? We think it is. Let's see some examples:

  • If you google "information leakage policy" you get a huge number of pages: ~7.760.000
  • just for fun, if you google "Atlassian" you get ~9.330.000 pages
  • There are numerous articles on the internet about the big data breaches and information leaks of history
  • even big companies (British Airways, Mozilla, NASDAQ, AT&T...) have faced this problem, as you can see in this infographic
  • "51% of employees believe safeguarding corporate information is IT's problem, not theirs", as reported by Symantec
  • What are the primary causes of breaches? "42% employee mistake or unintentional action", published on prot-on.com

Customers very often ask us to do a kind of "Healthcheck" service on their Atlassian software. During these engagements we found several "easy to understand but easy to mess up" configurations resulting in information leaks. This article gives 4 useful tips for Confluence or Space Administrators to prevent such unpleasant situations.

New users can have permissions because of default groups

"confluence-users is the default group into which all new users are assigned. Permissions defined for this group will be assigned to all new Confluence users." - Confluence documentation about Confluence Groups.

So be careful when creating a user who is not a member of your organization, for example an external partner. Such users probably should not be members of the confluence-users group, because it grants them unwanted permissions by default that allow them to access spaces meant for internal use.

Remember

Every user has to have at least the "Can Use" global permission to log in to Confluence. So if you do not add them to any groups, you'll have to assign them this permission individually. Further details about this permission are here.

Be careful with default space permissions

Confluence makes it very easy to set up default permissions for newly created spaces, which speeds up space creation for Space Administrators. This setting can be found in the "Confluence administration" interface, under Space Permissions, Default Space Permissions (see the documentation here).

By default, confluence-users is granted the following permissions, and you can add or edit permissions for any group as you like:

In most cases not only Confluence Administrators but also project leaders and department leads have the Create Space permission on their Confluence site. It reduces the load on IT support and makes your processes faster, so we love this feature. But never forget to think over the visibility of the new space. If you are creating a very sensitive space, and your default permission settings are the supportive ones that are good for most cases, then after the space is created delete everything from the Space Permissions and carefully set up the proper ones.

If you work with extremely sensitive information, we recommend deleting everything (even confluence-users!) from the default space permission setting. Doing this guarantees that this kind of information leakage is prevented.

Check the global configuration to deny anonymous access

Confluence is also a very handy tool for creating publicly accessible knowledge bases. This is provided by the "anonymous access" feature, so anybody can read the articles without logging in to the site. If your organization's rules do not allow access to any content without login, check the global permission settings of Confluence and deny the anonymous "Can Use" permission like this:

By unchecking "Can Use", anonymous users cannot access any space or any content, even if Confluence Administrators or your Space Admins accidentally granted anonymous users some kind of space-level permission in the Space Permissions interface.

Always double-check a group's permissions before adding a new user

Groups, as everywhere, can really speed up and clarify your permission settings. On the other hand, never forget to double-check a group's permissions before adding a new user or employee to it, to avoid unwanted access to important information. Checking group permissions is not so easy in Confluence by default, because you have to go through all of the spaces and check the permission settings one by one, but there is an add-on on the Marketplace which can help you a lot.
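The four tips above can be checked against a small model of the rules they describe. This is an added example, not code from the article or from the Ultimate Permission Manager app; the site, users, groups and space keys in it are constructed, and it models only the rules the article states (global "Can Use" as a gate, default group membership, copied default space permissions, per-group space View grants).

```python
# Added example, not the article's or the app's code: an offline model of the rules in this article.
from dataclasses import dataclass, field
CAN_USE = "Can Use"            # global permission every principal needs before anything else counts
ANONYMOUS = "anonymous"        # pseudo-principal for visitors who are not logged in
DEFAULT_GROUP = "confluence-users"

@dataclass
class Site:
    global_perms: dict = field(default_factory=dict)         # principal -> set of global permissions
    members: dict = field(default_factory=dict)              # group -> set of user names
    default_space_perms: dict = field(default_factory=dict)  # copied into every newly created space
    spaces: dict = field(default_factory=dict)               # space key -> {principal: set of space perms}

    def add_user(self, user, groups=(DEFAULT_GROUP,)):
        # Tip 1: a new user lands in confluence-users unless the admin deliberately chooses otherwise
        for g in groups:
            self.members.setdefault(g, set()).add(user)

    def create_space(self, key):
        # Tip 2: a new space starts with a copy of the Default Space Permissions
        self.spaces[key] = {p: set(v) for p, v in self.default_space_perms.items()}

    def principals_for(self, user):
        if user == ANONYMOUS:
            return {ANONYMOUS}
        return {user} | {g for g, m in self.members.items() if user in m}

    def can_view(self, user, key):
        # Tip 3: without global "Can Use", no space-level grant (even one made to anonymous) takes effect
        if not any(CAN_USE in self.global_perms.get(p, ()) for p in self.principals_for(user)):
            return False
        return any("View" in self.spaces[key].get(p, ()) for p in self.principals_for(user))

    def spaces_viewable_by(self, principal):
        # Tip 4: the space-by-space walk needed to learn what a group really grants before adding a user to it
        return sorted(k for k, perms in self.spaces.items() if "View" in perms.get(principal, ()))

def build_demo_site():
    # Constructed sample site (not real data): confluence-users gets Can Use and permissive space defaults
    site = Site()
    site.global_perms[DEFAULT_GROUP] = {CAN_USE}
    site.default_space_perms = {DEFAULT_GROUP: {"View", "Add Page"}}
    site.add_user("alice")                          # ordinary employee
    site.add_user("partner", groups=("partners",))  # external partner, kept out of confluence-users
    site.global_perms["partner"] = {CAN_USE}        # ... so Can Use must be granted individually
    site.create_space("INTERNAL")                   # inherits the permissive defaults
    site.default_space_perms = {}                   # cleared before creating a sensitive space
    site.create_space("SECRET")
    site.spaces["SECRET"]["board"] = {"View"}       # only the "board" group may view it
    return site
```

Running `spaces_viewable_by("confluence-users")` on a model of your own site is the manual check the last tip describes; the partner user shows that keeping an external account out of confluence-users leaves it with no space access even after "Can Use" is granted individually.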

Lessons learned

Confluence is designed for information sharing and collaboration, so:

  • do not forget that new users can have unwanted permissions coming from their default groups
  • be careful to set up the proper permissions for sensitive pages and spaces; in most cases the default settings can be too permissive
  • if your organization's rules do not allow access to any content without login, deny the anonymous "Can Use" permission
  • never forget to double-check a group's permissions before adding a new user or employee, to avoid unwanted access

META-INF Ltd. is the creator of the Ultimate Permission Manager for Confluence.

Author

Attila Gáspár
co-CEO