Change the built-in Admin "super-user" account

Miles Hayler June 14, 2017

We have recently changed our login directory from one domain to another and want to change the Admin group with the "Special permissions" and admin access everywhere to a group in our new login domain, but I can't figure out how this is done.

 

Thanks

3 answers

1 vote
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 15, 2017

If you want to use LDAP groups to set permissions, that works fine, but please include a group called confluence-administrators in the LDAP directory you migrate to. If you cannot get that group created in LDAP, consider making your LDAP user directory "read-only with local groups" so you can add your admins to the confluence-administrators group in the Confluence Internal directory. This article explains in more detail: Confluence Admin Permission Levels Explained

"The confluence-administrators group defines a set of "super users" who can access the Administration Console and perform site-wide administration. Members of this group can also see the content of all pages and spaces in the Confluence instance, regardless of space permissions."

 

Miles Hayler June 15, 2017

So I can't specify a different group to give the "super user" access to, it has to be called confluence-admins? Any particular reason for the limitation?

If I were to have 2 groups in different LDAP directories both called confluence-admins, how would Confluence handle it?

Bill Bailey
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 15, 2017

Yes, that was what I was trying to say. There are two mandatory group assignments for Confluence: confluence-admins and confluence-users. You cannot rename them. I figured this out the hard way.

Miles Hayler June 15, 2017

It just seems so unnecessarily limiting. This doesn't apply in JIRA.

Miles Hayler June 19, 2017

Ann, would having a group called confluence-admins on two LDAP directories simultaneously cause any issues?

 

Thanks

AnnWorley
Atlassian Team
June 20, 2017

Please read this documentation about the effect of the directory order and the aggregating group memberships setting:

Effect of Directory Order

Please note that the doc says:

"Before you move an external directory above Confluence's internal directory, make sure you (and your admin users) are members of a group called confluence-administrators in your external directory or you may accidentally lock yourself out of the Confluence admin console."

Miles Hayler June 20, 2017

So my best bet is probably to:

1) Ensure I have a working admin account on the Confluence Internal directory.

2) Rename the group on the LDAP Directory we want to decommission, then sync.

3) Create the new group on the new LDAP Directory and then sync that?

AnnWorley
Atlassian Team
June 20, 2017

For 1:

  • Only if you are using JIRA for Confluence user management, otherwise make sure you have a user in the confluence-administrators group in the Confluence internal directory

For 2:

For 3:

  • Yes, if you are using LDAP groups and not the "Read-only with local groups" option.

For the future: I look forward to any follow-up questions.

 

Miles Hayler June 20, 2017

Sorry, that was a mistake in 1), I meant Confluence local user.

 

I'll let you know how I get on.

AnnWorley
Atlassian Team
June 20, 2017

Awesome, thanks!

Miles Hayler June 21, 2017

Looks to have all gone fine. Thanks for your help.

As a suggestion, can we have the ability to use any group for admin in future, like we can in Jira. This has made a right mess of our AD naming convention!
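
The lockout risk raised in this thread can be checked on paper before a group is renamed or directories are reordered. This is an added example, not part of the original thread and not Atlassian code; it assumes the lookup model from Atlassian's directory-order documentation (without aggregation, only the first directory containing the user supplies group memberships; with aggregation, memberships from all directories are merged), and every directory, user and group below is constructed sample data.

```python
SUPER_GROUP = "confluence-administrators"  # group name quoted in the thread

def effective_groups(user, directories, aggregate):
    """Groups a user ends up with; `directories` is in configured search order."""
    groups = set()
    for d in directories:
        if user not in d["users"]:
            continue
        groups |= {g for g, members in d["groups"].items() if user in members}
        if not aggregate:  # assumed model: first directory holding the user wins
            break
    return groups

def locked_out(admins, directories, aggregate=False):
    """Intended admins who would NOT hold the super-user group."""
    return sorted(a for a in admins
                  if SUPER_GROUP not in effective_groups(a, directories, aggregate))

# Constructed sample data (hypothetical names), modelling the state after the
# old directory's group has been renamed and the new directory's group created.
INTERNAL = {"name": "Confluence Internal",
            "users": {"localadmin"},
            "groups": {SUPER_GROUP: {"localadmin"}}}
OLD_LDAP = {"name": "old-domain",
            "users": {"alice", "bob"},
            "groups": {"confluence-administrators-old": {"alice", "bob"}}}
NEW_LDAP = {"name": "new-domain",
            "users": {"alice", "bob"},
            "groups": {SUPER_GROUP: {"alice"}}}  # bob was forgotten
ADMINS = ["alice", "bob", "localadmin"]

if __name__ == "__main__":
    scenarios = [
        ("new first, no aggregation", [NEW_LDAP, OLD_LDAP, INTERNAL], False),
        ("old first, no aggregation", [OLD_LDAP, NEW_LDAP, INTERNAL], False),
        ("old first, aggregation", [OLD_LDAP, NEW_LDAP, INTERNAL], True),
    ]
    for label, order, agg in scenarios:
        print(f"{label}: locked out -> {locked_out(ADMINS, order, agg)}")
```

Feeding it real exports of each directory's users and groups shows which admins lose access under a planned directory order, while the internal-directory admin stays as the fallback.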

0 votes
Thomas Schlegel
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 15, 2017

Hi Miles,

You configure the basic Jira-admin permissions here:

http://<your-jira-url>/secure/admin/GlobalPermissions!default.jspa

There you can add the admin permissions to new groups. But be careful to not lose your own admin permission by doing this!

0 votes
Bill Bailey
Rising Star
June 14, 2017

I am assuming you are referring to LDAP? As long as whatever group your admins are in, are also members of confluence-admins, you are good to go.

Miles Hayler June 14, 2017

Thanks for the reply. confluence-admins is on a different LDAP domain, the one we're trying to decommission. 
