What, exactly, is Confluence's permission inheritance policy?

Hi James,

in Confluence there are two concepts of security on different levels. 

Concept one relies on permissions and it is applied to the lower levels system and space. Permissions always add up. So on system level when a user is in group A that has permission to login and in group B that has permission for administration the resulting permission set is both. Same principle on space level. When group A is allowed to edit pages and group B is allowed to delete attachments any user who is member of both groups is allowed to do both actions.

In the most top level (pages) there is another concept that relies on restrictions. Restrictions also add up but in a negative way when you think in the terms of permissions. With page restrictions you basically revoke all permissions which are inherited from the space (or the parent page) and then you can choose a set of users or groups which are allowed to read or modify the page. This restrictions apply to the page where the restriction is set and to all subpages. So the subpages inherit a reduced set of permission if someone wants to use the term permissions here. When you set up restrictions on a subpage you can only narrow it down to a smaller group of people. So when you have three pages. Let’s call it grandpa, father and son. Grandpa inherits it’s permissions from the space and adds restrictions that only user A and user B can read it then this is also applied to father and son. When father has restrictions that only user A and C can read then this page and all subpages (son, daughter, grandson, ...) will result in only user A can read as user C is already locked out by grandpa.

I hope this explains the terms permissions, restrictions and inheritance a bit. Don’t ask me what happens with cousin Al. https://www.urbandictionary.com/define.php?term=Cousin%20Al&amp=true&defid=14594355

Confluence is using 3 levels of permissions, global permissions (the "can use" permission), space permissions which allows you to control what groups and users can do in a space, and then you have page restrictions. And yes, the edit page restriction is not inherited by child pages, only view restrictions are.

If you have multiple teams on the same instance you can control their access to a space by setting the space permission to only allow team a to access it, and then restrict specific pages further if needed by using page restrictions.

Well wouldn't setting view permissions on a page tree accomplish this, keeping content private except for the designated few?