Custom administrative privilege separation in Confluence

Hi there,

I need to separate Confluence Administrators privileges from Confluence System Administrators for security reasons.

I've created 'confluence-app-administrators' group and assign appropriate roles of ordinary administrators to it in accordance with Atlassian docs. Now these administrators can create and manage new spaces and do some admin tasks. It's OK.

But there is a problem: How to elegantly grant them access to all existing spaces without adding this group to each space by hands? We have 400+ spaces... Is there some XML or whatewer with default 'hardcoded' group permissions to expand?

Thank you.

2 answers

1 accepted

Accepted Answer
0 votes

I wrote the following helper query (PostgreSQL), that shows what spaces currently don't have the full set of 14 permission types for my group 'confluence-app-administrators':

SELECT row_number() OVER (ORDER BY spacekey) AS "Counter", spacekey AS "Space Key" FROM spaces
WHERE spaceid NOT IN ( -- subtract spaces that have all necessary permission ids from all existing spaces
 SELECT spaceid FROM (
  SELECT spaceid, count(permtype) AS perms FROM spacepermissions
  WHERE spaceid IS NOT NULL AND permgroupname='confluence-app-administrators'
  GROUP BY spaceid
 ) AS ok WHERE ok.perms=14 -- check if all 14 possible permission types are assigned to confluence-app-administrators in particular space
) ORDER BY spacekey ASC

In theory, this query can be used to build fully automated permission propagation. But it is enough for me.

Hi Oleksiy,

Actually the only way that I can think, is through the database. If you have expertise in queries/trigger, you can automate this procedure.

The following query can give us some good information about the permissions that each space has, and what group belong such privilege:

select * from spacepermissions sp inner join spaces sa on sp.spaceid=sa.spaceid;

This is just an idea, not sure how to execute this change. If you'll play with your database, please do in a test enviroment with your data, that way you won't affect your business.

Cheers,

WZ

Hi William,

I would try to avoid direct DB querying. Also because this solution doesn't prevent space administrators to remove mentioned group from space permission list and lose control over the space.

Maybe it is possible to disable some changes in space permission list for non-system admins, as it done with built-in 'confluence-administrators'?

Hey Oleksiy,

From what I could understand, if you not belong to the 'confluence-administrators' you won't be able to touch the space permission.

As far as I know, the privileges that 'confluence-administrators' group has, is inside of our code. That's the key.

Cheers,

WZ

So, the only way to resolve the problem is to periodically update group permissions of all spaces directly in DB. Isn't it?

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Oct 11, 2018 in Confluence

What are your project planning tips?

Hello Community,  Jessica here from the Confluence product marketing team! Today I wanted to get your takes on project planning –– what works, what doesn’t, how do you know if you’re doing it r...

259 views 1 4
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you