Custom administrative privilege separation in Confluence

Oleksiy Brushkovskyy July 2, 2013

Hi there,

I need to separate Confluence Administrators privileges from Confluence System Administrators for security reasons.

I've created a 'confluence-app-administrators' group and assigned the appropriate roles of ordinary administrators to it in accordance with the Atlassian docs. Now these administrators can create and manage new spaces and do some admin tasks. It's OK.

But there is a problem: how to elegantly grant them access to all existing spaces without adding this group to each space by hand? We have 400+ spaces... Is there some XML or whatever with default 'hardcoded' group permissions to expand?

Thank you.

2 answers

1 accepted

0 votes
Answer accepted
Oleksiy Brushkovskyy July 4, 2013

I wrote the following helper query (PostgreSQL) that shows which spaces currently don't have the full set of 14 permission types for my group 'confluence-app-administrators':

SELECT row_number() OVER (ORDER BY spacekey) AS "Counter", spacekey AS "Space Key" FROM spaces
WHERE spaceid NOT IN ( -- subtract spaces that have all necessary permission ids from all existing spaces
 SELECT spaceid FROM (
  SELECT spaceid, count(permtype) AS perms FROM spacepermissions
  WHERE spaceid IS NOT NULL AND permgroupname='confluence-app-administrators'
  GROUP BY spaceid
 ) AS ok WHERE ok.perms=14 -- check if all 14 possible permission types are assigned to confluence-app-administrators in particular space
) ORDER BY spacekey ASC

In theory, this query can be used to build fully automated permission propagation. But it is enough for me.
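As an added example (not part of the original answer, and not Atlassian code), the check above can be extended to report which permission types each space is missing for the group, which is the list a propagation or drift-detection job would need. It runs against an in-memory SQLite database with a schema reduced to the columns used in this thread; the permission type names, the 'ops-team' group and all rows are constructed, and deriving the expected set from the table's own space-level rows is an assumption of the example.

```python
import sqlite3

GROUP = "confluence-app-administrators"  # group name from the thread

# Expected permission types are derived from the space-level rows themselves
# (an assumption of this example), so no count such as 14 is hardcoded.
MISSING_SQL = """
SELECT s.spacekey, t.permtype
FROM spaces s
CROSS JOIN (SELECT DISTINCT permtype FROM spacepermissions
            WHERE spaceid IS NOT NULL) t
LEFT JOIN spacepermissions sp
       ON sp.spaceid = s.spaceid
      AND sp.permtype = t.permtype
      AND sp.permgroupname = ?
WHERE sp.spaceid IS NULL
ORDER BY s.spacekey, t.permtype
"""

def missing_permissions(conn, group=GROUP):
    """Return {spacekey: [missing permtype, ...]} for every incomplete space."""
    report = {}
    for spacekey, permtype in conn.execute(MISSING_SQL, (group,)):
        report.setdefault(spacekey, []).append(permtype)
    return report

def build_sample_db():
    """Constructed data: PERM_A..C stand in for the real permission types."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE spaces (spaceid INTEGER PRIMARY KEY, spacekey TEXT);
        CREATE TABLE spacepermissions
            (spaceid INTEGER, permtype TEXT, permgroupname TEXT);
    """)
    conn.executemany("INSERT INTO spaces VALUES (?, ?)",
                     [(1, "DOCS"), (2, "HR"), (3, "OPS")])
    rows = [(1, p, GROUP) for p in ("PERM_A", "PERM_B", "PERM_C")]
    # HR: a duplicate PERM_A row (constructed) must not hide the missing PERM_B
    rows += [(2, "PERM_A", GROUP), (2, "PERM_A", GROUP), (2, "PERM_C", GROUP)]
    rows += [(3, p, "ops-team") for p in ("PERM_A", "PERM_B", "PERM_C")]
    rows += [(None, "GLOBAL_X", GROUP)]  # global grant: no space, ignored
    conn.executemany("INSERT INTO spacepermissions VALUES (?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    for key, perms in missing_permissions(build_sample_db()).items():
        print(f"{key}: missing {', '.join(perms)}")
```

Run periodically as a read-only report, the same comparison also shows when the group has been removed from a space's permission list.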

0 votes
William Zanchet [Atlassian]
July 2, 2013

Hi Oleksiy,

Actually, the only way that I can think of is through the database. If you have expertise in queries/triggers, you can automate this procedure.

The following query can give us some good information about the permissions that each space has, and which group each privilege belongs to:

select * from spacepermissions sp inner join spaces sa on sp.spaceid=sa.spaceid;

This is just an idea, not sure how to execute this change. If you'll play with your database, please do so in a test environment with your data; that way you won't affect your business.

Cheers,

WZ

Oleksiy Brushkovskyy July 2, 2013

Hi William,

I would try to avoid direct DB querying, also because this solution doesn't prevent space administrators from removing the mentioned group from the space permission list and losing control over the space.

Maybe it is possible to disable some changes in the space permission list for non-system admins, as it is done with the built-in 'confluence-administrators'?

William Zanchet [Atlassian]
July 2, 2013

Hey Oleksiy,

From what I could understand, if you do not belong to the 'confluence-administrators' group, you won't be able to touch the space permission.

As far as I know, the privileges that the 'confluence-administrators' group has are inside our code. That's the key.

Cheers,

WZ

Oleksiy Brushkovskyy July 2, 2013

So, the only way to resolve the problem is to periodically update group permissions of all spaces directly in DB. Isn't it?
