Custom administrative privilege separation in Confluence

Oleksiy Brushkovskyy Jul 02, 2013

Hi there,

I need to separate Confluence Administrators' privileges from Confluence System Administrators' for security reasons.

I've created a 'confluence-app-administrators' group and assigned the appropriate roles of ordinary administrators to it in accordance with the Atlassian docs. Now these administrators can create and manage new spaces and do some admin tasks. It's OK.

But there is a problem: how to elegantly grant them access to all existing spaces without adding this group to each space by hand? We have 400+ spaces... Is there some XML or whatever with default 'hardcoded' group permissions to expand?

Thank you.

2 answers

1 accepted

0 votes
Answer accepted
Oleksiy Brushkovskyy Jul 04, 2013

I wrote the following helper query (PostgreSQL) that shows which spaces currently don't have the full set of 14 permission types for my group 'confluence-app-administrators':

SELECT row_number() OVER (ORDER BY spacekey) AS "Counter", spacekey AS "Space Key" FROM spaces
WHERE spaceid NOT IN ( -- subtract spaces that have all necessary permission ids from all existing spaces
 SELECT spaceid FROM (
  SELECT spaceid, count(permtype) AS perms FROM spacepermissions
  WHERE spaceid IS NOT NULL AND permgroupname='confluence-app-administrators'
  GROUP BY spaceid
 ) AS ok WHERE ok.perms=14 -- check if all 14 possible permission types are assigned to confluence-app-administrators in particular space
) ORDER BY spacekey ASC

In theory, this query can be used to build fully automated permission propagation. But it is enough for me.
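An added example, not part of the original answer or of Atlassian's code: the same audit turned into an anti-join that names which permission types each space lacks for the group, so duplicate grant rows cannot inflate a count. It uses only the table and column names that appear in the queries on this page; sqlite3 stands in for PostgreSQL, the `required` temp table and the sample rows are constructed, and the list of required permission types is an assumption supplied by the caller.

```python
import sqlite3

# Table and column names are the ones used in the queries on this page;
# sqlite3 stands in for PostgreSQL so the sketch runs offline.
MISSING_SQL = """
SELECT s.spacekey, r.permtype
FROM spaces s
CROSS JOIN required r                 -- every space x every required type
LEFT JOIN spacepermissions sp
       ON sp.spaceid = s.spaceid
      AND sp.permtype = r.permtype
      AND sp.permgroupname = :grp
WHERE sp.spaceid IS NULL              -- anti-join: no matching grant row
ORDER BY s.spacekey, r.permtype
"""

def missing_permissions(conn, group, required):
    """Return {spacekey: [missing permtype, ...]}; Confluence tables are only read."""
    conn.execute("CREATE TEMP TABLE IF NOT EXISTS required (permtype TEXT PRIMARY KEY)")
    conn.execute("DELETE FROM required")
    conn.executemany("INSERT INTO required VALUES (?)", [(p,) for p in required])
    report = {}
    for spacekey, permtype in conn.execute(MISSING_SQL, {"grp": group}):
        report.setdefault(spacekey, []).append(permtype)
    return report

def demo_db():
    """Constructed sample data, not taken from a real Confluence instance."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
      CREATE TABLE spaces (spaceid INTEGER PRIMARY KEY, spacekey TEXT);
      CREATE TABLE spacepermissions (spaceid INTEGER, permtype TEXT, permgroupname TEXT);
      INSERT INTO spaces VALUES (1,'DEV'),(2,'HR'),(3,'OPS');
      INSERT INTO spacepermissions VALUES
        (1,'VIEWSPACE','confluence-app-administrators'),
        (1,'EDITSPACE','confluence-app-administrators'),
        (1,'SETSPACEPERMISSIONS','confluence-app-administrators'),
        (2,'VIEWSPACE','confluence-app-administrators'),
        (2,'VIEWSPACE','confluence-app-administrators'),   -- duplicate row
        (2,'EDITSPACE','confluence-users'),                -- different group
        (NULL,'EDITSPACE','confluence-app-administrators'); -- no space attached
    """)
    return conn

DEMO_REQUIRED = ["VIEWSPACE", "EDITSPACE", "SETSPACEPERMISSIONS"]  # assumed subset

if __name__ == "__main__":
    found = missing_permissions(demo_db(), "confluence-app-administrators", DEMO_REQUIRED)
    for key, perms in found.items():
        print(key, "missing:", ", ".join(perms))
```

Run on a schedule against a read-only database account, the report shows when a space administrator has removed the group from a space.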

0 votes

Hi Oleksiy,

Actually, the only way that I can think of is through the database. If you have expertise in queries/triggers, you can automate this procedure.

The following query can give us some good information about the permissions that each space has, and which group each privilege belongs to:

select * from spacepermissions sp inner join spaces sa on sp.spaceid=sa.spaceid;

This is just an idea, not sure how to execute this change. If you'll play with your database, please do it in a test environment with your data, that way you won't affect your business.

Cheers,

WZ

Oleksiy Brushkovskyy Jul 02, 2013

Hi William,

I would try to avoid direct DB querying. Also because this solution doesn't prevent space administrators from removing the mentioned group from the space permission list, and then control over the space is lost.

Maybe it is possible to disable some changes in the space permission list for non-system admins, as it is done with the built-in 'confluence-administrators'?

Hey Oleksiy,

From what I could understand, if you do not belong to 'confluence-administrators', you won't be able to touch the space permissions.

As far as I know, the privileges that the 'confluence-administrators' group has are inside of our code. That's the key.

Cheers,

WZ

Oleksiy Brushkovskyy Jul 02, 2013

So, the only way to resolve the problem is to periodically update the group permissions of all spaces directly in the DB, isn't it?
