I need to separate Confluence Administrators privileges from Confluence System Administrators for security reasons.
I've created 'confluence-app-administrators' group and assign appropriate roles of ordinary administrators to it in accordance with Atlassian docs. Now these administrators can create and manage new spaces and do some admin tasks. It's OK.
But there is a problem: How to elegantly grant them access to all existing spaces without adding this group to each space by hands? We have 400+ spaces... Is there some XML or whatewer with default 'hardcoded' group permissions to expand?
I wrote the following helper query (PostgreSQL), that shows what spaces currently don't have the full set of 14 permission types for my group 'confluence-app-administrators':
SELECT row_number() OVER (ORDER BY spacekey) AS "Counter", spacekey AS "Space Key" FROM spaces WHERE spaceid NOT IN ( -- subtract spaces that have all necessary permission ids from all existing spaces SELECT spaceid FROM ( SELECT spaceid, count(permtype) AS perms FROM spacepermissions WHERE spaceid IS NOT NULL AND permgroupname='confluence-app-administrators' GROUP BY spaceid ) AS ok WHERE ok.perms=14 -- check if all 14 possible permission types are assigned to confluence-app-administrators in particular space ) ORDER BY spacekey ASC
In theory, this query can be used to build fully automated permission propagation. But it is enough for me.
Actually the only way that I can think, is through the database. If you have expertise in queries/trigger, you can automate this procedure.
The following query can give us some good information about the permissions that each space has, and what group belong such privilege:
select * from spacepermissions sp inner join spaces sa on sp.spaceid=sa.spaceid;
This is just an idea, not sure how to execute this change. If you'll play with your database, please do in a test enviroment with your data, that way you won't affect your business.
I would try to avoid direct DB querying. Also because this solution doesn't prevent space administrators to remove mentioned group from space permission list and lose control over the space.
Maybe it is possible to disable some changes in space permission list for non-system admins, as it done with built-in 'confluence-administrators'?
From what I could understand, if you not belong to the 'confluence-administrators' you won't be able to touch the space permission.
As far as I know, the privileges that 'confluence-administrators' group has, is inside of our code. That's the key.
Hello Community, Jessica here from the Confluence product marketing team! Today I wanted to get your takes on project planning –– what works, what doesn’t, how do you know if you’re doing it r...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs