Space Access - Best Practise

Panagiotis Annis November 29, 2020

Hello,

I wanted to start a discussion regarding the confluence spaces permissions and more specifically I would like to change the way that my company granting access to users.

Up until now, the previous Atlassian administrators used to grant access to individual users and not to groups. This is something not manageable and maintainable. 

From your experience, what is the best way to change this and smoothly change the access from individual users to groups?

Thank you.

2 comments

Yury Lubanets November 30, 2020

Hi @Panagiotis Annis 

In my view, the best way is to communicate with the owner of the space. Just explain what should be done, why it's better than the existing approach, and find a group or some groups containing most of the users. In some cases, a new group should be created for that purpose.

But I believe it's impossible not to use individual access at all. Sometimes it's the only way to achieve necessary goals.

Thomas Bowskill
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 30, 2020

Hi @Panagiotis Annis 

I definitely agree with you that Group-based access is the best way to go -- individual user access can get really tedious. 

Your best bet -- but this requires effort -- is to get integrations in place with your organisation's user-directory. This way new users can be automatically created based on how they have been set up. E.g. on my side, I have Active Directory and our Infrastructure team add people to Organisation units (OUs) that are used to represent the different functions / teams people have / do. These translate to Confluence groups, which reduces the individual admin.

Second to this, the question to ask is how much of the admin do you wish to delegate? Do you have spaces in Confluence that you can give other users Admin permissions for? That way they can control the access within their own spaces, rather than have to go to a central team (that of course will need to be tailored to your organisation's stance on how access should be controlled). This will likely lead to individuals being granted access, as Groups are really only a thing the site-wide admins get to interact with. 

As @Yury Lubanets mentioned: you're not likely to fully move away fully from individual-based access, as there will be edge cases. But by having some decent groups that represent functions,  a good naming convention and ideally some central automation of this / re-use of existing structures from something like Active Directory, you could save time. 

It's worth a chat with your Infrastructure team to understand if a User Directory integration is possible, and if so / it is already in place, whether they have groups for users already -- piggyback off what your company does in the User Directory :)

 

Also worth reading is the Permissions best practices article.

 

Hope this help you!

Panagiotis Annis November 30, 2020

Hello both,

Thank you very much for your reply.

All that you suggest are very helpful. 

I am not looking to completely remove access per individual cause in some cases this in to possible. I am trying to make it a little bit more manageable. 

Currently we are not willing to delegate admin work to Spaces administrators cause we want to create a framework and train our users on what they can do as space administrators first. 

We have already synced MS AD with our Atlassian products, so yes we can create the groups there and add the users to those groups. 

I think that I will first evaluate the groups we have in place and create those that are missing, probably per team or something like that and based on the owners feedback about the spaces I will grant group-based access to each space. 

Thank you!

Comment

Log in or Sign up to comment
TAGS
AUG Leaders

Atlassian Community Events