Separate groups for Create Space & Confluence Admin permissions without new users getting Create Space?

I want to grant the Create Space and Confluence Administrator global permissions to separate groups but it seems that when you create a new OnDemand user and check Confluence under Application Access that results in the user being added to all groups assigned a global permission unless the group has the Confluence Administrator permission. JIRA does not have the same problem as I have separate groups for the JIRA Administrators and Create Shared Objects permissions and new users are not automatically added to the latter group. It seems the reason for the difference is Confluence requires "can use" be checked for every group assigned a global permission (see below) but JIRA does not have the equivalent requirement that all groups with a global permission have the JIRA Users permission.

Has anyone seen a ticket on JAC that covers this issue in Confluence (I was surprised I couldn't find one)? Does anyone have a way around this problem (maybe somehow using a browser's developer tools on the Edit Global Permissions page)?

2 answers

1 accepted

0 votes
Accepted answer

Yes Alexy that's what I did but I think it is only a next best option not a full solution. I've actually just found a way to get around the reason for the problem. In Confluence "can use" will be left unchecked for a group being assigned global permissions by making the below request (login handled by CLI) similar to what the UI is doing, assuming the group is not already assigned any global permissions (can be temporarily assigned to another group such as confluence-users to not be lost):

confluence -a renderRequest --requestType GET --request /admin/permissions/doeditglobalpermissions.action --requestParameters "confluence_checkbox_profileattachments_group_<group>=on&confluence_checkbox_updateuserstatus_group_<group>=on&confluence_checkbox_personalspace_group_<group>=on&confluence_checkbox_createspace_group_<group>=on&confluence_checkbox_administrateconfluence_group_<group>=on&groupsToAdd=&usersToAdd=&confirm=Save+all"

Now I can meet the initial goal with this workaround. To grant Create Space and Confluence Administrator global permissions to separate groups, eg confluence-admins and confluence-creators respectively, where a new OnDemand user given Confluence Application Access will not be automatically added to confluence-creators, temporarily assign Confluence Administrator permission to confluence-users and remove any other global permissions from confluence-admins and confluence-creators, then run the following:

confluence -a renderRequest --requestType GET --request /admin/permissions/doeditglobalpermissions.action --requestParameters "confluence_checkbox_administrateconfluence_group_confluence-admins=on&confluence_checkbox_personalspace_group_confluence-creators=on&confluence_checkbox_createspace_group_confluence-creators=on&groupsToAdd=&usersToAdd=&confirm=Save+all"

Technically, the above only needs to be done for confluence-creators since Confluence Administrator permission keeps new users from being added to confluence-admins.

Just remove can use permissions from all groups but one. Add all your administrators to that group. So from the one hand they can use confluence as members of users group, from the other - administrate as members of administration group. If you have some strict security policy- have one group that can use confluence and don't use it in any default or space permission settings

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Feb 06, 2019 in Confluence

Try out the new editing experience

Hi team, I’m Avinoam, a product manager on Confluence Cloud, and today I’m really excited to let the Community know that all customers can now try out the new editing experience and see some of the ...

1,079 views 56 8
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you