Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

Recognition

  • Give kudos
  • My kudos

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Update Space Permissions without Space Admin Part 1

We wanted to provide certain members of our organization the ability to manage permissions within their Confluence space, however we did not want to give them the space administrator permission. Unfortunately, Confluence doesn't allow for that and it doesn't look like this is something Atlassian will consider in the future based on this related ticket (for viewing space permissions) CONFSERVER-21661. I was able to get around this by using ScriptRunner for Confluence. 

If you're familiar with ScriptRunner, it provides you with the option of creating a custom REST Endpoint that you can call and execute a script. So using this feature I wrote the following script that will assign space permissions based on the parameters delivered with the REST call.

import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate 

import groovy.transform.BaseScript

import com.atlassian.sal.api.component.ComponentLocator
import com.atlassian.confluence.spaces.SpaceManager
import com.atlassian.confluence.spaces.Space
import com.atlassian.confluence.security.DefaultSpacePermissionManager
import com.atlassian.confluence.security.SpacePermissionManager
import com.atlassian.confluence.security.SpacePermission
import com.atlassian.confluence.user.ConfluenceUserManager
import com.atlassian.user.UserManager
import com.atlassian.confluence.user.ConfluenceUser

import javax.ws.rs.core.MultivaluedMap
import javax.ws.rs.core.Response

@BaseScript CustomEndpointDelegate delegate

//Change <Your Admin Group> to the name of you group you use for system administrators.
//This will only allow users in the admin group to execute the REST call.
updatePermissions(httpMethod: "GET", groups: [<Your Admin Group>]){ MultivaluedMap queryParams ->

def spaceManager = ComponentLocator.getComponent(SpaceManager)
def spacePermissionManager = ComponentLocator.getComponent(SpacePermissionManager)
def userManager = ComponentLocator.getComponent(UserManager)
def dSpacePM = ComponentLocator.getComponent(DefaultSpacePermissionManager)
def space = spaceManager.getSpace(queryParams.getFirst("spaceKey") as String)
def user = userManager.getUser(queryParams.getFirst("user") as String) as ConfluenceUser
def spacePermissionToSave
def permissions = dSpacePM.getAllPermissionsForUser(user)

//Remove all permissions for the user from the space.
permissions.each { perm->
if (perm.getSpace().getName() == space.getName())
{
spacePermissionManager.removePermission(perm)
}
}

//Apply the permissions selected based on the parameters in the REST call. Note, permissions I never want used will never be set, i.e. no backdoor to just make the REST call to get admin permissions.
if (queryParams.getFirst("view") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.VIEWSPACE_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("removeOwn") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.REMOVE_OWN_CONTENT_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("createEditPage") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.CREATEEDIT_PAGE_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("removePage") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.REMOVE_PAGE_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("editBlog") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.EDITBLOG_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("createAttachment") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.CREATE_ATTACHMENT_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("removeAttachment") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.REMOVE_ATTACHMENT_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("comment") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.COMMENT_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("setPagePermissions") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.SET_PAGE_PERMISSIONS_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("exportSpace") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.EXPORT_SPACE_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}

return Response.ok().build();
}

The script above restricts this call to users within the administrators group. I created a service account that I use for this purpose and added the account/user to my admin group so it can execute the script.

So now all you have to do is make a rest call with user that belongs to the admin group identified in the script using a format of https://<base-url>/rest/scriptrunner/latest/custom/updatePermissions?spaceKey=<Your Space Key>&user=<username of the user granting permission to>&view=<true/false>&createEditPage=<true/false>&removePage=<true/false>&editBlog=<true/false>&createAttachment=<true/false>&removeAttachment=<true/false>&comment=<true/false>&setPagePermissions=<true/false>&exportSpace=<true/false>&removeOwn=<true/false>

So, how do you let your non-admins call this REST endpoint? You can implement that part in many ways, see how I did this in part 2.

1 comment

(EDIT: I actually completely misunderstood your use case! So I removed the first part of my comment.)

I also like your solution since people that already have Script Runner won't need an extra app! :)

Cheers,
Sven

Like # people like this

Comment

Log in or Sign up to comment
TAGS
Community showcase
Published in Confluence Cloud

Share your Confluence Cloud experience for a chance to win $500!

Take our 5-minute survey to win a $500 Visa gift card! Are you currently using Confluence Cloud? We want to hear from you! Fill out this quick survey about your Confluence Cloud experience so we ...

242 views 5 13
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you