It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Why would a full admin in confluence be unable to see a page due to a restriction setting?

A few of us have full administrative access/rights to Confluence, yet someone was able to restrict a page that required permission to access. We cannot understand how that happened when we are supposed to be able to see all content no matter what, or at least that is what I understood on the site

The Confluence permission scheme allows the following levels of site administrator permissions:

Super user – A 'super user' belongs to the confluence-administrators group, has full administrative access to Confluence, and can see all the content.

 

Is there a setting we overlooked that someone can help me with to prevent this from happening, or is it supposed to be possible for someone to restrict a page even to full admins? 

Thank you for any help you can provide! : ) 

2 answers

1 accepted

2 votes
Answer accepted

The doc is misleading.  Not quite "wrong", but the section you've quoted is misleading. 

A user with admin rights has, well, admin rights.  Not the ability to see and do anything.  They can grant themselves the ability to see and do anything, but the admin right does not grant them any "browse" rights automatically.  They still have to be given those rights in the space permissions.  (And of course, they can see and edit the space permissions, as it's their job)

Interesting, thank you for clearing that up Nic and so quickly! : )  So, there's no way to prevent that type of restriction from the Admin group? Seems a little risky, when we also need to ensure content is following proper protocol, and what happens if that person up and leaves that has the restrictions set on that page? 

I wish there was an over-riding setting that we could prevent that from happening. Perhaps Atlassian will hear me. : ) 

 

No, the point of the administrator's job is to administrate the system.  If they're restricted from getting to parts of the system, they can't do that job.

If an a person leaves, that's exactly the case where you need your system admins to have admin rights - they can find and change the restrictions left behind.

This is not something that you'll find in any software.  Your "root" admins can always do everything, one way or another.  You have to trust your admins.

Like # people like this
James Dellow Community Leader Mar 22, 2017

In Confluence Cloud, the "super user" System Administrator global permission is only available to Atlassian staff who administer your Confluence site. The highest level a user can be granted is Confluence Administrator, which doesn't do quite the same thing.

James Dellow Community Leader Mar 22, 2017

BTW you can limit who can restrict pages through the Space Permissions.

True, although the system admin has all the same permission and restrictions related rights.  The system admin stuff is about looking after the server side (Which Cloud admins don't need)

And, of course, both types of admin can see and change page restrictions, irrespective of space permissions, because that's an admin right.

I thought we could set a View Restriction and ONLY those people could see the page exists and the content of the page - but if Admin was not on the list they could not see the content of the page

But the Admin could remove the Restriction as part of managing the stuff ups people make

That's why I said the docs are misleading - they don't say that, but it is right.  The admins can't see the content of the restricted page (unless they are included in the restriction).  But they can see that the page is there, and change the restrictions.

Yeah but as the System Admin, I should not have to go around hitting a lot of buttons to open doors.

Jumping on with an additional question. 

Nic, you said that admins can see that the page is there, and change the restrictions. 

I was able to see a restricted page, but I did not see any way that I can change the restrictions. I had to request access and another user with permissions for that page was able to grant them to me. 

What are the steps to remove/change those restrictions? 

 

Thanks! 

James Dellow Community Leader May 18, 2017

It takes a couple of steps. From the "Restricted Pages" tab (Space Tools > Permissions > Restricted Pages") click on either of the unlocked padlock icons (it doesn't matter which one). You will then be taken to the Page Information page for the restricted page. There should be a "Page Permissions" panel - click the unlocked padlock icon for the page permission you want to remove (if view and edit permissions are set, this time it does matter which one you select!).

This doesn't work for me.  I'm on Cloud, have all Admin permissions.  When I click any of the padlocks on the restricted page, I see the same "You can't access this page" message.  I don't see a way to find the info or follow the rest of your steps.

As it stands, we have several "hidden" pages where users restricted them and left the company.  Even our admins can't get to those pages.  Total loss of data.

All due respect to the nuanced interpretation of "admin" to be about back-end and whatnot.  Frankly, that's a cop-out for missing functionality that is 100% required to effectively administer Confluence.

Like # people like this

It's the same answer as given before.  Admin rights mean admin, not can do everything and bypass all the other privileges.

I get it, I really do.  So we could come up with a different term so as to avoid an ideological battle over the essence of admin-hood.  How about "The role that can make pages viewable to the organization after an employee locks them down and then leaves the company"?

As mentioned already, admins can remove restrictions.

For many of the pages in this space, the steps above work perfectly.  I can get to the Information screen and update permissions so that I can see it.  For some pages, though, when I click the padlock on the Restricted Pages screen, I just get this message:

You don't have permission to view this page

This is because it's inheriting restrictions from a parent page. A space admin or the person who shared this page may be able to give you access.

 

The problem is that I have no idea where this page sits in our 10+ level-deep hierarchy, so I can't trace back to see where the permissions originate.  I am a space admin, so I can see any unrestricted page, but somewhere there is a restricted page with sub-pages that I can't get to.  

Any suggestions?

Space tools -> Permissions -> Restricted pages tab will list all the restricted pages out, and let you remove them if necessary

(Odd place for it, I instinctively look for it under "content tools", even after all this time)

James Dellow Community Leader Mar 06, 2018

Even on the server version, page restrictions can be frustrating to deal with and I would always advise that people avoid using them unless you have a specific and deliberate purpose in mind (versus using them in an ad hoc fashion).

In the situation Joe is describing, where you as admin don't have access to a page, the child pages that inherit those permissions won't appear in the list of restricted page in Space Admin - it will only show the parent page and the page information for that parent page will only show the immediate child pages.

Personally, I would contact Atlassian Support for help in this situation.

The fact that you actually can MAKE CHANGES TO A SPACE THAT RESTRICTS YOU FROM SEEING - is your Admin Right privileges even though you were restricted initially.

While the same privilege is not available for non-admin users - they may not be able to see contents of restricted space AND also not able to do anything about it but ask an admin user :-).

Thank god that atleast SPACES are not HIDDEN :p - that would be a different situation altogether haha.

James Dellow Community Leader Mar 06, 2018

Actually in the early days of cloud I recall that you could... Luckily you can now find them through the Space Permissions overview in Confluence Admin.

I have the same problem as @Joe_Cross, even though @Nic_Brough__Adaptavist_ insists its possible to change on the Space Settings page.

 

When I go to Space Settings -> Permissions tab -> Restricted Pages tab, I DO see all the restricted pages listed there. However, when I check the open padlock on the right side on any page that I do not have permission for, it does not let me continue and asks me to request access. I created this Atlassian account, I am in every single admin group.

 

How can I remove restrictions to these pages or at least give myself access?!

Like # people like this

The answers in the thread are confusing @basir. If you are the Space admin and/or an admin, you need to remove all the restrictions for that page. That way you will be able to access. 

By removing all the restrictions on a particular page for a space in which I am an admin (and I am also a site admin), I could *finally* have access to the page. 

Thanks for the reply @Juan Porta. Unfortunately, if I understand correctly, the way to remove restrictions is to click the padlock. When I do so, I get a request access page.

I've begun to think this is a bug. To add even more permissions to make extra sure, I added myself as an individual with full permissions on the Space Settings page. Now, I can successfully click the padlock on SOME pages, and other pages still request access.

As a side note, this is a very poor method to do this. As pages can have highly sensitive information, and doing it this way opens them up to everyone. Albeit for a short time between removing the restrictions and adding them again with yourself included.

Like # people like this

CTRL+click on every padlock until there's no padlock left for that particular page. If you're a space admin that will let you access the page and re-set the restrictions. 

I figured it out. It's working now.

 

 

 

 

 

 

 

 

Okay, I won't be that guy who says it's fixed and not tell you what he did to fix it.

Here's what I found, I can't explain why, but it works.

There is apparently a difference between the permissions of users in the local confluence-admins group vs an AD synced group with the same exact permissions.

For example, we have an admin group that i'm part of that has Personal Space, Create Space(s), Confluence Administrator, System Administrator permissions. 

The local confluence-admins group has the same permissions. 

If i'm logged in with my account, if I click on the padlock, I get taken to a page that says I must request permission to view this page. 

If i log in with the admin account we have in the local confluence-admins group and do the same thing, it take me to the page info and I can remove restrictions.

Another confluence admin and myself have been looking at it for the last 10 minutes speechless trying to figure out why in the world this works. 

 

Hope that helps some of you.

Hi @Adaptavist_Nic

a point here that got seemingly lost and not answered...how can you unlock a parent page if you dont know what is the parent page?

I have a space with thousands of pages in it, in various hierarchies and many of the hierarchies have some page restriction put on them.  I'm a space and global admin but my name isn't listed in the page restrictions (which is fine, I dont need to see everything in the world).  I got a trouble ticket filed to me where someone says "I cant access this page I created, someone did something...can you open it up?".  I was able to find the page in the restrictions and broke the locks on it...but it still says "You don't have access to view this page".  This clearly means some PARENT page to the target one also needs breaking open...but which one??  Which one of the hundreds of pages with restrictions is the parent page to break open?  How to determine the parent hierarchy of a page to which I dont have access?  I've sent a mail to the team using the space and nobody replied that they could get to the target page either (if someone could access they could click that lock symbol and tell me the parentage).

Ideas??

that is an intriguing question ... the theory says if you can see the child, by definition you must be able to see the parent ... because to get to the child you have to come down the hierarchy ... You should be able to see  the page structure in teh left hand navigation panel, or via the browse>Pages>Tree view or I would think you can get to it via the "snail trail" links at the top of the page, or have a look at the Page Information under the Ellipsis three dot icon which gives clues about parent restrictions being inherited.

Yep, pretty much what Rodney said!

But I can't see the child...I see it in the Restrictions tab in the space admin tools which is how I got rid of the locks on the child page...I still have no idea what parent it's under, however.  Theoretically someone out there might be able to but essentially I'm at the mercy of a "help me" email to a team of hundreds?  Not much of an admin when you gotta go ask up and down the isles for help from the members.  Maybe a SQL direct query to find the parent page?  

Perhaps I am not fully understanding, but it seems someone must have sent you a link to the page that they can't see ... so can they see the parent? or the grandparent ....? they should surely be able to give you a link to something.

 

Do you not have snail trail links above the page title?

And surely the Page Information shows you the parent restrictions?

someone sent me a mail that essentially said "I had a page called <something> now I cant get to it...I know the URL cause I mailed it to some folks so its in my email history...I click it now and I'm blocked out, please help"

so I click the link and yep, I cant get to it either...nobody I can find can now get to it, something has changed, nobody knows what, I have 5,000 folks I support on my confluence instance across 5 continents so its hard to figure out who did what exactly...all I know is I cant get to it.  I found the page in the restrictions tab under Space Tools-> Permissions-> Restricted pages so I know the page title, I just have no way to find the parent.  I cant view the page to see "page information" or "breadcrumbs" or anything like that.

note: i'm on local server confluence, not cloud (in case that lets me do some cool SQL thing directly to get my answer, I'm game)

James Dellow Community Leader Feb 11, 2019

Yes, it is a problem if you are only shown a page that has inherited permissions.

However, since you are on server, are you also a member of the confluence-administrators group? (not the global permissions)

That should allow you to see the page, regardless of the page permissions.

@Matthew Page

So here is an option for you, it’s what I did with a locked out group of pages, I think this will help you. It’s complicated, but worked.

Open the page that is the child page that is restricted that you have the link to. Then RIGHT click on that page and select ‘View page source’ from the pop up menu.

Scroll down just a little until you start seeing <meta name="ajs-page-id"….etc

you will see something to this effect:

<meta name="ajs-parent-page-id" content="273941287">

You can open a page via its page ID using the following format:

https://confluence.yourcustomnamehere.com/pages/viewinfo.action?pageId=273941287

(Be sure and keep everything before the .com to whatever your confluence is set at.

Now that you have the parent page located, you still can’t see the name, so now just do the same thing, RIGHT click and View page source,

Again scroll down and this time look for

<meta name="ajs-page-title" content="this will be the page name">

Now you can go back to your restricted pages list and find that title and unlock it. I hope that works for you. I know how frustrating this can be.

@Erica Cunningham OMG, it works.  Seems a security issue to show the page source of a page you're blocked from seeing and it'll tell you the parent ID and even the parent name (but not complaining, it's saving me)...like I found my page in question has :

<meta name="ajs-parent-page-title" content="Meeting Notes">
<meta name="ajs-parent-page-id" content="5549921">

I went to that one and it's under another which is under another and was able to map out the chain and uncover each restriction to determine how we've got ourselves into some sort of visibility black hole.

Thanks Erica, saved the day.

Like James Dellow likes this

I am as Admin as you can possibly get on our Confluence Server 6.13.3

To access a restricted page, I have to open every padlock link in a separate tab and by the end, I have access to the page in one of my open tabs.

This is bug, plain and simple.

 

UPDATE: Doing ^ removes all restrictions on the page for all users. So if your goal is merely to tweak the restrictions, perhaps leaving some as-is, make a note of what is there before you click on all the links. You will have to recreate any restrictions from scratch.

These 2 tricks works:

1. CTRL+click on every padlock until there's no padlock left for that particular page (as system admin). Thanks you @Juan Porta.

2. Click on every padlock of a restricted page until you get access to it (as system admin). Thanks you @Lee_Page.

Everything worked fine for us until we changed the global permissions. The special group confluence-administrators was kept, but we changed the AD group which grants the system admin permissions.

A user in the group confluence-administrators could still access any restricted page and be able to change its restrictions.

However a user in the new AD group which grants the system admin permissions got this error: You don't have permission to view this page.

Indeed this is bug, plain and simple.

I have the same issue as Joe Cross but solved it by logging in (via the user admin page) as the user who put the page restrictions and then left the organization. That way I was able to see the page hierarchy and change the restrictions.

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Posted in Confluence

How is your team having fun and bonding, remotely, utilizing Confluence?

Thanks everyone for answering last week’s question. The winner of the random drawing from those who commented is: @LarryBrock I’ll contact you separately with your prize details. This wee...

306 views 9 7
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you