Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Groups
Explore all groups
Community resources

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Sign up for free Log in
Atlassian Community Hero Image Collage
  • Community
  • Products
  • Confluence
  • Questions
  • I have a 50 user license for Confluence and have 200 users in my active directory. How can I set up Confluence to allow 50 named users with login access to Confluence and the remaining users "view only" access?

I have a 50 user license for Confluence and have 200 users in my active directory. How can I set up Confluence to allow 50 named users with login access to Confluence and the remaining users "view only" access?

Darren Wright6
Darren Wright Jan 22, 2013

I have a 50 user license for Confluence and have 200 users in my active directory.

How can I set up Confluence to allow 50 named users with login access to Confluence and the remaining users "view only" access?

Answer
Watch
Like Kirk Fahlberg likes this

2 answers

1 accepted

5 votes
Answer accepted
Robert Chang
Robert Chang Atlassian Team Jan 23, 2013

Hey Darren,

As William has mentioned, Confluence controls its license based on Global Permissions. You can indeed place your 50 users into a certain group, and adding that group to Confluence Global Permissions. The members of any group that has Global Permissions to use Confluence will count against the license.

You also mentioned wanting to give the rest of your LDAP users (that do not have accounts in Confluence) read-only access to Confluence content. To this end, you can enable Anonymous access in Global Permissions, then go to the Space Admin console of individual spaces and grant anonymous users View access only. Please note that both Global and Space-level permissions are required for anonymous access; merely allowing anonymous access at the Spacel level is insufficient.

One major caveat to keep in mind with this setup is that anyone without an account will be able to see your Confluence content, provided that they can reach your Confluence server. In other words, due to the nature of anonymous access, Confluence will not distinguish whether the visitor exists in your LDAP or not.

-Robert

Reply
1 vote
William Zanchet
William Zanchet [Atlassian] Jan 22, 2013

Hi Darren,

Confluence's license count is based on Global Permission. Users will count towards the license in the following ways:

  • If the user belongs in a group that has global permissions to use Confluence
  • If the user is individually granted global permissions to use Confluence


Within the UI, you can get a listing of users that are assigned Global Permissions by navigating to Confluence Admin > Global Permissions. From there, you can see a list of users and groups that will count against your license. You can click on each group individually to reveal their members.

Also, this query will return users that belong in a group which has global permissions:

SELECT DISTINCT u.lower_user_name
FROM cwd_user u
JOIN cwd_membership m ON u.id = child_user_id
JOIN cwd_group g ON m.parent_id = g.id
JOIN spacepermissions sp ON g.group_name = sp.permgroupname
WHERE permtype='USECONFLUENCE' AND u.active = 'T';

If using LDAP, you can use filters to restrict the scope of the LDAP search. The best option would be to use filters based on Group Memberships. Example:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=jira-users,OU=Sydney,DC=example,DC=com))

To get your user count down, the following guidelines may be helpful:

  • If you have more than one directory, ensure that the same user does not exist in multiple directories.
  • We recommend that you allow only particular groups to log in to each application, rather than entire directories.
  • Note that a mapped application can 'see' all users in a directory, even if not all of them can log in to the application. For example, a Human Resources application might be mapped to your entire Active Directory server, but only the HR group is allowed to log in to the application.

I hope this helps.

Cheers,

WZ

View More Comments
Darren Wright6
Darren Wright Jan 22, 2013

Thanks William.

If I were to create an active directory group (ie "Confluence_Users") and add the 50 named users to this AD group and then add this group to the Global Permissions would this work ?

Regards

Darren

Like
Reply

Suggest an answer

Log in or Sign up to answer
This widget could not be displayed.
This widget could not be displayed.
Community showcase
Andy Makar
Andy Makar
Published in Confluence

6 Awesome Ways to Apply Trello, JIRA and Confluence to your Project

I attended  Atlassian Summit 2019  and learned a lot from the presenters, attendees and knowledgeable Atlassian product managers. The presentations I attended focused on applying Agile, pla...

2,531 views 11 28
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you