Is it possible to nest groups in the internal directory?

William Kokolis August 3, 2015

We have a Confluence deployment that, for the most part, uses AD groups and users.  Recently we've been asked to provide access to our wiki to select vendor/partners.  Within a particular space, we need to have our staff (all members of 'confluence_users') able to view & edit all pages.  The vendor users should only be able to view specific pages (and not edit anything).  The problem that I'm running into is that to pull this off, I have to have my staff set view restrictions on every page so that ourselves & the relevant vendor can view a page but no one else can.

For example,

  • Page 1 - staff + vendor a
  • Page 2 - staff + vendor b
  • Page 3 - staff + vendor a + vendor c
  • Page 4 - staff only

The permissions for page 4 are easy.  The ones for pages 1, 2, and 3, however, are tricky because users forget to do things like add their own group to the view restrictions when they create pages.

We don't want to have to create AD accounts for the vendors, and would rather manage them via local accounts.  As such, I've set up a local group for each vendor, and have placed their respective users into said groups.  In order to simplify the space permissions, I'd like to also add the 'confluence_users' group to the vendor-specific groups.  This doesn't appear possible though, since nesting doesn't seem to be an option for the internal directory.

Short of either adding our vendors to our primary domain (basically a non-starter) or creating an LDAP instance on the wiki server to manage them, is there any (relatively) simple way to accomplish this?

For reference, we're running Confluence 5.5.4 on Linux.

Thanks,
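An audit for the failure mode described in the question, where a page's view restriction omits the staff group. This is an added example, not part of the original post and not Atlassian code. It is a simplified model that assumes Confluence's documented behaviour that view restrictions are inherited by child pages and that a restriction naming several groups admits members of any of them. The vendor group names, "Page 2 child", "Page 5" and all sample data are constructed, and each user is assumed to belong to exactly one group.

```python
STAFF = "confluence_users"
SPACE_VIEWERS = {STAFF, "vendor_a", "vendor_b", "vendor_c"}  # groups with space "view"

# Constructed sample: page -> (parent, groups named in the page's own view restriction).
# An empty set means the page has no view restriction of its own.
PAGES = {
    "Page 1": (None, {STAFF, "vendor_a"}),
    "Page 2": (None, {"vendor_b"}),          # creator forgot to add the staff group
    "Page 2 child": ("Page 2", set()),       # inherits Page 2's restriction
    "Page 3": (None, {STAFF, "vendor_a", "vendor_c"}),
    "Page 4": (None, {STAFF}),
    "Page 5": (None, set()),                 # creator forgot to restrict at all
}

# Intended access matrix, following the list in the question (last two rows constructed).
INTENDED = {
    "Page 1": {STAFF, "vendor_a"},
    "Page 2": {STAFF, "vendor_b"},
    "Page 2 child": {STAFF, "vendor_b"},
    "Page 3": {STAFF, "vendor_a", "vendor_c"},
    "Page 4": {STAFF},
    "Page 5": {STAFF},
}

def can_view(group, page, pages, space_viewers):
    """True if `group` has space view permission and passes every view
    restriction on the page and on each of its ancestors."""
    if group not in space_viewers:
        return False
    while page is not None:
        parent, restricted_to = pages[page]
        if restricted_to and group not in restricted_to:
            return False
        page = parent
    return True

def audit(pages, space_viewers, intended):
    """Return (page, group, problem) for every mismatch with the intended matrix."""
    findings = []
    for page in pages:
        for group in sorted(space_viewers):
            allowed = can_view(group, page, pages, space_viewers)
            if allowed and group not in intended[page]:
                findings.append((page, group, "unexpected access"))
            elif not allowed and group in intended[page]:
                findings.append((page, group, "locked out"))
    return findings

if __name__ == "__main__":
    for finding in audit(PAGES, SPACE_VIEWERS, INTENDED):
        print(*finding, sep=" | ")
```
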

2 answers

0 votes
Milo Test
Rising Star
August 4, 2015

Okay, just to be clear:

  1. On the space, give confluence-users add permissions and the vendors read and comment permissions
  2. On the home page of the space, give confluence-users edit restriction
  3. After creating a page, give the vendor view restriction

 

William Kokolis August 4, 2015

I'm sorry, but that doesn't work. Following the instructions, I end up with a page that has view rights restricted to vendor and myself. Other members of confluence-users cannot see the newly-created page. Is this something that requires a newer version than 5.5?

Milo Test
August 4, 2015

In step 3 above, try giving the vendor *edit* restriction (remove view restriction).

0 votes
Milo Test
August 3, 2015

Page-level restrictions do create a lot of busy work, but you can use inheritance to your advantage in this case.

Set the home page of each space to have edit restriction to the group(s). Then when a user creates a page, even if they set a view restriction for a specific user, all the people in all the groups with edit access of the parent page will have view and edit access of the child page(s).

William Kokolis August 4, 2015

I'm not sure I follow you. The goal is to have all pages visible to confluence-users, with a subset visible to both vendor & confluence-users. In this space, vendor only has view permissions; nothing else. If I follow your instructions, I end up with a page that is hidden from everyone except the creator and the vendor group. No other member of confluence-users can see the page, despite them having edit rights across the board.

Milo Test
August 4, 2015

I'm afraid I assumed you had given confluence-users space permission. Please try that.

William Kokolis August 4, 2015

Which space permissions? Confluence-users currently has view, add pages, add comments, and add attachments. Vendors only has view and add comments.
