How to set different different permissions within a large organisation easily?

We use a plugin called „Custom Space User Management (CSUM)“. It does two things. First it helps us to keep naming conventions for groups. Second it moves user management to the spaces. So space administrators can add or remove (existing) users from their spaces. 

Our naming convention is as follows:

For system access we have three groups

__conf-admin, __conf-user and __conf-user-ext. These groups decide whether a uses can login or not (member of __conf-user or __conf-user-ext). The difference is only if a user is an internal employee or an external partner. Users in __conf-admin have administrativ rights on system level. All (except a hand full of test users) user accounts actually are imported via LDAP. So we do not have to create users manually. In this level the group names start with double underscores. 

Then we have a second level. The space users. Each space has at least two groups starting with one underscore followed by the space key and closed by the “role” users have in this space. So we have a group _xxx-sa for space administrators and a group _xxx-se for space editors. Optionally there can be more groups like _xxx-manager or _xxx-finance. These additional groups are used for page restrictions only. The permission scheme of each space looks completely identical _xxx-se can read, write, delete stuff. _xxx-sa can the same as _xxx-se plus admin and export. All other (optional) groups can just read. Now that we have our groups we put users to these groups. At least one administrator (better two for redundancy) and many editors. This works quiet well for us. Then we train our space administrators how to add and remove users from their space using CSUM. As a system admin I only need to get involved when a user without a valid license should be added to one of the spaces. Then I just put this user into one of the __conf-xx groups. Done. 

CSUM ensures that the naming convention is kept and that space administrators can only modify groups that belong to their spaces. 

When you use Jira and Confluence together you can do it even better. Attach Jira to your LDAP to retrieve all user accounts. Then attach Confluence to the Jira embedded CROWD server. Now you have a common user base for both systems. With CSUM you can manage all groups in Confluence but use them in Jira also. So you can use _xxx-se in a Jira project put it in the role of a project user. When you stick to the principle one space one project, user administration works like a charm. 

Hi @[deleted] 

welcome to this wonderful community!

Are you using cloud or server version of confluence? If you're running on-prem it's pretty easy to give different access options.

Please have a look on global permission and also space permissions. When you add all your team members to one group (e.g. confluence-users) you can give them writing permissions for spaces or even just for some sites.

For the rest of your company you can open your system for anonymous access (see global permission again).

Hope this could help you! Feel free to ask for more help.