lock down attachments

Bruce Johnson November 3, 2016

Is there a way to secure documents in Confluence to prevent someone from viewing or downloading the document? We would like to secure a page/space and the attachments on that page but still allow others to have access to other pages on that site. We have an HR space where HR keeps general content for the company (travel, 401k, etc.). They also want to keep performance reviews on their space for managers to keep track of their employees (they upload the reviews as doc). We can restrict the page, but the site also has the 'attachments' page and we can see the documents. Any way to lock this down or suggestions on a way to secure this content?

4 answers

0 votes
Rob Woodgate
Rising Star
November 3, 2016

Hi Bruce,

There are 2 types of admin: Confluence admins, who administer the ins and outs of Confluence, and site admins, who administer all of your Atlassian products and, most importantly for your question, deal with user management.  You can also have, for example, JIRA admins who administer JIRA but not Confluence.  But site admins are the only ones with user management privileges for your Atlassian instance, no matter what Atlassian products you have.

Confluence admins and site admins are both members of the admin group.  Site admins are also members of the site-admin group.  Only members of the site-admin group can access user management. (The reason for explaining this will become clearer later on.)

By default, every new space gives standard view and edit privileges to the confluence-users group (the default group that every user is automatically put into when their Confluence account is created) and space admin privileges to the admin group.

To resolve your problem:

  1. Create a group that will be allowed to access your secure space.
  2. Create your secure space.
  3. Remove the confluence-users group from the secure space.
  4. Add your secure group to the space.
  5. Add 1 or more individuals to the space with admin privileges for that space (or create a secure admin group and give that group admin privileges for that space if you'd rather do it that way)
  6. Remove the admin group privileges from the space.

This will allow only members of the secure group to view the space, and only the selected people (or admin group) to whom you've given admin privileges to administer the space.

This is where you'll have a problem: Site administrators won't be able to access the space through normal methods, i.e. they won't be able to see it in the space directory, and if they follow a link to it they'll be blocked from viewing it.  But site administrators can go into user management and log in as any user they want.  This is to allow them to troubleshoot problems, or - a very common use - remove permissions from spaces and pages that have been applied by users who've left.  They can also see and manage permissions for all spaces from a central console.  This is absolutely standard, normal admin functionality for an enterprise application.  The site admins should be people with high levels of infosec knowledge, and very trustworthy.  Otherwise, why are they allowed to have that level of power?  You probably only have a very small number of site-admins, and if they're part of your IT team they can already access everyone's email, computers, shared drives and so on. Realistically, it's not possible to create a space that a site-admin can't find some way of getting into if they really wanted, because if necessary they could contact Atlassian and ask them to amend the permissions.  But that's their job :)
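A check for the six steps listed above, as an added example that is not part of the original answer: it audits a space's permission grants for leftovers from the default groups, a missing view grant for the secure group, and a space left without an admin. The tuple layout and the names `hr-managers`, `hr.lead` and `contractors` are assumptions constructed for illustration, not a Confluence export or API format.

```python
from collections import defaultdict

# Groups the answer says to strip from the secure space (steps 3 and 6).
DEFAULT_GROUPS = {"confluence-users", "admin"}

def audit_space(grants, secure_group):
    """Return findings for a space that should follow the six-step lockdown.

    `grants` is a list of (subject_type, subject, permission) tuples; this
    layout is an assumption of the example, not a Confluence format.
    """
    held = defaultdict(set)
    for subject_type, subject, permission in grants:
        held[(subject_type, subject)].add(permission)

    def is_default(key):
        return key[0] == "group" and key[1] in DEFAULT_GROUPS

    findings = []
    # Steps 3 and 6: the default groups must hold nothing in the space.
    for key, perms in sorted(held.items()):
        if is_default(key):
            findings.append(f"default group '{key[1]}' still holds: {', '.join(sorted(perms))}")
    # Step 4: the secure group needs view access.
    if "view" not in held.get(("group", secure_group), set()):
        findings.append(f"secure group '{secure_group}' cannot view the space")
    # Step 5: a space admin must exist outside the default groups,
    # otherwise step 6 leaves the space with nobody to administer it.
    admins = {k for k, p in held.items() if "admin" in p and not is_default(k)}
    if not admins:
        findings.append("no space admin outside the default groups")
    # Any other subject with a grant is outside the intended audience.
    for key, perms in sorted(held.items()):
        if key != ("group", secure_group) and key not in admins and not is_default(key):
            findings.append(f"unexpected {key[0]} '{key[1]}' holds: {', '.join(sorted(perms))}")
    return findings

# Constructed sample data: a freshly created space, then the same space
# after the six steps have been applied.
NEW_SPACE = [("group", "confluence-users", "view"),
             ("group", "confluence-users", "edit"),
             ("group", "admin", "admin")]
LOCKED_SPACE = [("group", "hr-managers", "view"),
                ("group", "hr-managers", "edit"),
                ("user", "hr.lead", "view"),
                ("user", "hr.lead", "admin")]

if __name__ == "__main__":
    for finding in audit_space(NEW_SPACE, "hr-managers"):
        print(finding)
```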

 

0 votes
Rodney Hughes
Rising Star
November 3, 2016

If you set a parent page to have certain people in the Page View Restrictions but exclude the Space Admin person, I am almost 100% certain that even the admin person can't see the content - they might be able to see the page exists but not the actual page. It is simple to check on a test page in your space. Let me know if my understanding is wrong.

Rodney Hughes
Rising Star
November 3, 2016

The other thing to test is I think the Admin can force a removal of Restrictions.

0 votes
Bruce Johnson November 3, 2016

I should have been more specific, the challenge is that the Confluence Admin still has Super User rights to view anything in Confluence. There seems to be no way of granting admin rights that would be granular enough to flexibly disallow the Confluence Admin from viewing a secure Space.

0 votes
Rob Woodgate
Rising Star
November 3, 2016

You can set space permissions that will apply to the whole space, and/or you can set specific page restrictions that will only apply to one page.  Page restrictions include the attachments, so if (for example) you created an "HR Group" of users, and only gave that Group view permissions to a page, only they could see the page and attachments.  You can read more about page restrictions here.

 
