Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Update Space Permissions without Space Admin Part 1

January 23, 2020

We wanted to provide certain members of our organization the ability to manage permissions within their Confluence space, however we did not want to give them the space administrator permission. Unfortunately, Confluence doesn't allow for that and it doesn't look like this is something Atlassian will consider in the future based on this related ticket (for viewing space permissions) CONFSERVER-21661. I was able to get around this by using ScriptRunner for Confluence. 

If you're familiar with ScriptRunner, it provides you with the option of creating a custom REST Endpoint that you can call and execute a script. So using this feature I wrote the following script that will assign space permissions based on the parameters delivered with the REST call.

import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate 

import groovy.transform.BaseScript 

import com.atlassian.sal.api.component.ComponentLocator 
import com.atlassian.confluence.spaces.SpaceManager 
import com.atlassian.confluence.spaces.Space 
import com.atlassian.confluence.security.DefaultSpacePermissionManager 
import com.atlassian.confluence.security.SpacePermissionManager 
import com.atlassian.confluence.security.SpacePermission 
import com.atlassian.confluence.user.ConfluenceUserManager 
import com.atlassian.user.UserManager 
import com.atlassian.confluence.user.ConfluenceUser 

import javax.ws.rs.core.MultivaluedMap 
import javax.ws.rs.core.Response 

@BaseScript CustomEndpointDelegate delegate 

//Change <Your Admin Group> to the name of you group you use for system administrators. 
//This will only allow users in the admin group to execute the REST call. 
updatePermissions(httpMethod: "GET", groups: [<Your Admin Group>]){ MultivaluedMap queryParams -> 

  def spaceManager = ComponentLocator.getComponent(SpaceManager) 
  def spacePermissionManager = ComponentLocator.getComponent(SpacePermissionManager) 
  def userManager = ComponentLocator.getComponent(UserManager) 
  def dSpacePM = ComponentLocator.getComponent(DefaultSpacePermissionManager) 
  def space = spaceManager.getSpace(queryParams.getFirst("spaceKey") as String) 
  def user = userManager.getUser(queryParams.getFirst("user") as String) as ConfluenceUser 
  def spacePermissionToSave 
  def permissions = dSpacePM.getAllPermissionsForUser(user) 

  //Remove all permissions for the user from the space. 
  permissions.each { perm-> 
    if (perm.getSpace().getName() == space.getName()) 
    { 
      spacePermissionManager.removePermission(perm) 
    } 
  } 

  //Apply the permissions selected based on the parameters in the REST call. Note, permissions I never want used will never be set, i.e. no backdoor to just make the REST call to get admin permissions. 
  if (queryParams.getFirst("view") == "true") 
  { 
    spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.VIEWSPACE_PERMISSION, space, user)
    spacePermissionManager.savePermission(spacePermissionToSave) 
  } 
  if (queryParams.getFirst("removeOwn") == "true") 
  { 
    spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.REMOVE_OWN_CONTENT_PERMISSION, space, user) 
    spacePermissionManager.savePermission(spacePermissionToSave) 
  } 
  if (queryParams.getFirst("createEditPage") == "true") 
  { 
    spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.CREATEEDIT_PAGE_PERMISSION, space, user) 
    spacePermissionManager.savePermission(spacePermissionToSave) 
  } 
  if (queryParams.getFirst("removePage") == "true") 
  { 
    spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.REMOVE_PAGE_PERMISSION, space, user) 
    spacePermissionManager.savePermission(spacePermissionToSave) 
  } 
  if (queryParams.getFirst("editBlog") == "true") 
  { 
    spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.EDITBLOG_PERMISSION, space, user) 
    spacePermissionManager.savePermission(spacePermissionToSave) 
  } 
  if (queryParams.getFirst("createAttachment") == "true") 
  { 
    spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.CREATE_ATTACHMENT_PERMISSION, space, user) 
    spacePermissionManager.savePermission(spacePermissionToSave) 
  } 
  if (queryParams.getFirst("removeAttachment") == "true") 
  { 
    spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.REMOVE_ATTACHMENT_PERMISSION, space, user)
    spacePermissionManager.savePermission(spacePermissionToSave) 
  } 
  if (queryParams.getFirst("comment") == "true") 
  { 
    spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.COMMENT_PERMISSION, space, user) 
    spacePermissionManager.savePermission(spacePermissionToSave) 
  } 
  if (queryParams.getFirst("setPagePermissions") == "true") 
  { 
    spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.SET_PAGE_PERMISSIONS_PERMISSION, space, user) 
    spacePermissionManager.savePermission(spacePermissionToSave) 
  } 
  if (queryParams.getFirst("exportSpace") == "true") 
  { 
    spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.EXPORT_SPACE_PERMISSION, space, user) 
    spacePermissionManager.savePermission(spacePermissionToSave) 
  } 

  return Response.ok().build(); 
}

The script above restricts this call to users within the administrators group. I created a service account that I use for this purpose and added the account/user to my admin group so it can execute the script.

So now all you have to do is make a rest call with user that belongs to the admin group identified in the script using a format of https://<base-url>/rest/scriptrunner/latest/custom/updatePermissions?spaceKey=<Your Space Key>&user=<username of the user granting permission to>&view=<true/false>&createEditPage=<true/false>&removePage=<true/false>&editBlog=<true/false>&createAttachment=<true/false>&removeAttachment=<true/false>&comment=<true/false>&setPagePermissions=<true/false>&exportSpace=<true/false>&removeOwn=<true/false>

So, how do you let your non-admins call this REST endpoint? You can implement that part in many ways, see how I did this in part 2.

Comment
Watch
Like # people like this
1808 views

2 comments

Sven Schatter _Lively Apps_
Sven Schatter _Lively Apps_
Atlassian Partner
January 23, 2020

(EDIT: I actually completely misunderstood your use case! So I removed the first part of my comment.)

I also like your solution since people that already have Script Runner won't need an extra app! :)

Cheers,
Sven

Like # people like this
Luis
Luis October 18, 2021

Excellent Workaround Sir Scott!

Can you help with the appropriate script just to update the space view permissions using the Confluence groups that the space creator belongs too?

Acceptance Criteria: Once a user creates a Confluence space, all groups that the space creator belongs to will be added to space view permissions, except the "confluence-users" group.

I planning on using scriptrunner's space create event listener to trigger the script that will fetch all Confluence groups of the space creator and add them to space view permissions.

Appreciating your insight!

Like

Comment

Log in or Sign up to comment
scott_boisvert

scott_boisvert

Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader

About this author

Senior Systems Integration Engineer

Sierra Space

Thornton, CO

6 accepted answers

93 total posts

View profile
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events