Ultimate Permission Manager has been acquired
Effective May 3, 2019, this app has been removed from the Marketplace and is no longer available for purchase or maintenance renewal. In accordance with Atlassian's End of Life policy, the Ultimate Permissions Manager app will have support for two years, with an end of life date of May 3, 2021. While the app is supported, please raise issues with Atlassian directly via support.atlassian.com.
"Do you really know Confluence Permissions?" is a series of articles focusing on some rarely known, non-trivial and sometimes absolutely surprising aspects of Confluence Permissions. Stay tuned to learn everything we've found through our exciting journey to discover the absolute details.
You may ask yourself, what is so exciting about Confluence permissions, it is well documented, you just set some flags on users or groups and you're done. However, we found this is far from being true.
Confluence permissions are not only have multiple levels (site, space, page) but they are interfering, they have effect on each other and often result in unexpected effective permissions that are hard to spot and understand in a Confluence instance.
In other words, effective permissions sometimes derive from implicit combinations of individual permissions. Or effective permissions are permissions users effectively have but not necessarily directly assigned.
Due to the levels and complexity of (effective) permissions, page restrictions, spread through your dozens or hundreds of spaces and pages in your Confluence instance, unwanted access to pages may be given to users or groups risking information leak. This is just one example for why understanding permissions is crucial to operate mid sized or large Confluence instances.
In this and subsequent articles we'll show case examples and hidden secrets of Confluence's permission systems. And we'll show you how to manage permissions all over your Confluence site. Let's start our journey!
Brief summary of the situation:
- Ben is a user on your Confluence space
- Ben isn't a member of any group in your Confluence (but he has Global Use access, so he can log in)
- Ben is a member of your security team, and he is responsible for managing Page restrictions
- So you - as a Space Administrator - set up Ben a "Restriction Add/Delete" permissions in the Space Permission (as you can see below)
That's looks great, isn't it?
Not really... Sooner or later Ben will definitely send you an error message "Hi, unfortunately I couldn't manage any Page Restriction (see the attached print screen). Please correct it"
What is wrong with the permission setting? You followed the "Principle of least privilege", set up the needed permissions, but Ben is an unhappy users, he could not do his job.
A user couldn't manage page restriction despite having a Restriction Add/Delete permission in the Space.
Believe it or not, you have to add a "Page Add" permission to Ben.
Setting up a Restrictions Add/Delete and Page Add permission for Ben as you can see below:
leads to the wanted permissions, so Ben can manage the page restrictions.
Are you surprised? We definitely were
Never forget to add Page Add permission to a user who has to manage restrictions on you Confluence Space
META-INF Ltd. is the creator of the Ultimate Permission Manager for Confluence.
This page has no comments.