Admins and page restrictions

Alain Beaulieu September 29, 2020

Hi all,

We're thinking of using Confluence pages for HR-related confidential information, especially when onboarding newcomers, like integration plans, competency follow-ups and the like. The HR department is reluctant to let us use Confluence because they say admins can see restricted pages if they want to. According to this Atlassian article, space admins can see the list of restricted pages, but it says they have to remove restrictions to be able to see the page contents. Is that right? And is there a way to make a page completely restricted to the people specified, keeping even admins and gods out?

 

Thanks.

Alain

2 answers

1 accepted

0 votes
Answer accepted
JimmyVanAU
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 29, 2020

Hi Alain,

HR is correct in that by default Confluence administrators can see restricted pages if they want to. Following https://confluence.atlassian.com/confkb/confluence-admin-permission-levels-explained-604209420.html, the out of the box "confluence-administrators" group is a super user group that overrides system permissions and allows members of this group to see all pages.

While this is known, I've worked in many instances which have fixed this. To do this:

  1. Create a new group, for example "application-administrators", "atlassian-administrators" or "wiki-administrators". This can either be in your user directory or local to Confluence.
  2. Add all the appropriate members to the group.
  3. Under "Global Permissions" in Confluence, remove "confluence-administrators" and add your new group, ensuring you assign system admin privileges.

Then Confluence will lock out 'the gods' and behave as described in the article above. I strongly recommend testing this out in a demo environment (to avoid locking yourself out), and giving HR the assurances they're after.

Cheers, Jimmy

Bastian Stehmann
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 29, 2020

You can it like this, but you'll have to keep in mind, that the confluence global admins are able to restore the settings for the confluence-administrators group, so they can undo this configuration and workaround.

Alain Beaulieu October 1, 2020

Thanks for the answers.  Bastian I agree with the confidence level management has to have with admins being diligent professionals, even if they access sensitive information. I haven't had any response from HR management yet so I'll have to wait before I can test this, but hopefully I'll get a green light and move on. I was looking for a solution and the one Jimmy provided would work for me.

Thanks again for your time.

Alain

0 votes
Bastian Stehmann
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 29, 2020

Hi @Alain Beaulieu ,

welcome to the community.

Your HR team is right, Admins can get access to restricted pages.

It is right, that space admins can remove the restrictions. But they have to do explicitly, they can't access a restricted page by accident. Global admins in the confluence-administrators group can even access the pages without removing restrictions.

It is not possible to restrict a page in a way, that not even admins can access this page somehow.

But if the HR department doesn't think, that your admins are doing their job well and respect the privacy of data they are responsible for, there might be another problem.

Fides IT Admin Account February 21, 2023

This is not correct!

* There are two requirements to b e able to change the restrictions:

1) the permission to change restrictions

2) to view rights to the page in order to add me there

 

While the sysadmin can give himself permission to change restrictions he can not add himself to get view rights.

Same is true if view permissions as with and Active Directory Group. 

Only if this is a jira group he can allow himself to view the page

Bastian Stehmann
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
February 21, 2023

Hi @Fides IT Admin Account ,

Everyone in the confluence-administrators group can access every page, even if they are restricted. They won't show up in search results, but if they are directly accessed, ie through page tree, they can be accessed. 

And there, they can modify restrictions. 

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events