Confluence – thanks to its flexibility and ease-of-use – is a crucial content storage tool for many organizations.
While managing security is often not an issue in small companies, large enterprises need to differentiate access levels and keep sensitive information out of sight. Unfortunately, this is the point at which Confluence’s built-in security features are often not enough.
Permissions are the basic security tool. Each and every Confluence space has its own set of Permissions that can be assigned to individual users or groups. The permissions are divided into eight categories.
All – Contains the View and Delete own permissions: the first grants access to the content in this space, and the second lets users delete things they created themselves.
Pages – Features the Add page and Delete page permissions: the first allows page creation, and the second allows the user to delete any page in the space.
Blog – With Add blog and Delete page permissions, the Blog category works analogously to the "Pages" category, but affects blog posts only.
Attachments – Contains the Add attachment and Delete attachment permissions. The first gives permission to upload files to pages and blog posts in the space. The second lets you delete files uploaded by you.
Users with Add page or Add blog permission can insert existing attached files from the editor and remove the files from the editor, so they can’t be viewed on the page or blog post. They can’t upload a new file or a new version of a file, though.
Comments – Add comments and Delete comments, doing exactly what we can expect from them – allowing the user to respectively add a comment and delete (any!) comment in the space.
Restrictions – Add restrictions and Delete restrictions, allowing the user to respectively add permissions to a page or lift permissions from any page or blog post (though the user needs to have access to the page first).
Mail – Delete mail permission, which allows the user to delete mail items archived in the space. A scarcely used feature.
Space – Export space and Admin permissions. Both are extremely dangerous, making it possible to either export the whole space (all of the content, too!) or administer the space. Do not give these to anyone who’s not 100% trusted, ever.
One more thing about permissions – keep in mind that these are additive. This means that if a user is granted permissions both as an individual and as a member of a group, these permissions are combined – e.g. someone with individual permission to View and Delete own who is also a member of the editors group, which is permitted to Add page and Add blog, will have all of these permissions enabled: View, Delete own, Add page and Add blog.
There’s also the Space Admin, who has powers far greater than an ordinary user. These include:
- granting permissions to users and groups (and themselves);
- creating templates;
- changing the space’s look and feel;
- deleting the space;
- manually removing page restrictions (including pages they can’t see);
- managing watchers, to change who is watching a page;
- inspecting permissions to see what users can do in the space (in Data Center hosting).
This pretty much sums up the topic of Permissions in Confluence. Let’s learn about Page Restrictions now.
Page restrictions allow more granular security settings to be enabled. If you’re working on a page that shouldn’t be seen by anybody but your department, you can easily lock it down (including editing rights). Importantly, restrictions are inherited, so all the child pages will have at least the same level of restrictions.
The restrictions are applied by clicking on a Padlock Icon at the top of the page. Levels of restrictions include who can Edit, or who can View and/or Edit the page. The users or groups are added manually to the list, and then the restrictions are saved.
Keep in mind that restrictions don’t override a person’s space permission. For example, if you say a person ‘can view’ in the restrictions dialog and they don’t have ‘view’ permissions for the space, they won’t be able to see the page.
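The three rules above (additive space permissions, inherited restrictions, and restrictions never overriding a missing space permission) can be checked together in a short model. This is an added example, not Confluence code or its API: the names `space_permissions`, `can_view` and `audit`, and all users, groups and pages, are constructed for illustration, and only view restrictions are modelled.

```python
# Toy model of the rules in this article; not Confluence code or its API.
# All user names, group names and pages below are constructed sample data.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Page:
    title: str
    parent: Optional["Page"] = None
    # Users/groups allowed to view; an empty set means no view restriction.
    view_allowed: set = field(default_factory=set)

USERS = ["alice", "bob", "carol"]
GROUPS_OF = {"alice": {"editors"}, "bob": {"finance"}, "carol": set()}
INDIVIDUAL = {"alice": {"View", "Delete own"}, "bob": {"View"}}  # carol: none
GROUP_GRANTS = {"editors": {"Add page", "Add blog"}}

budget = Page("Budget", view_allowed={"finance", "carol"})
q3 = Page("Q3 forecast", parent=budget)  # no restriction of its own

def space_permissions(user):
    """Additive rule: union of individual grants and every group's grants."""
    perms = set(INDIVIDUAL.get(user, set()))
    for group in GROUPS_OF.get(user, set()):
        perms |= GROUP_GRANTS.get(group, set())
    return perms

def can_view(user, page):
    # Being listed in a restriction does not replace the space View permission.
    if "View" not in space_permissions(user):
        return False
    principals = {user} | GROUPS_OF.get(user, set())
    # Inheritance: the user must pass every restricted page up the tree.
    node = page
    while node is not None:
        if node.view_allowed and not (node.view_allowed & principals):
            return False
        node = node.parent
    return True

def audit(page):
    """Who can actually see this page? Useful for spotting over-exposure."""
    return {user: can_view(user, page) for user in USERS}

if __name__ == "__main__":
    print(sorted(space_permissions("alice")))
    print(audit(q3))
```

Note that carol is named in the Budget restriction but still cannot see it, because she has no View permission for the space.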
If you’re completely new to Confluence, this document about managing Page Restrictions can come in handy.
While the restrictions mechanism is easy to understand and quite simple, there are some drawbacks.
Firstly, the need to define the restrictions manually every time is very limiting.
Secondly, there’s no way to edit multiple restrictions at once, so the mechanism is rather prone to human error. Such errors may not cause any harm, but in the case of sensitive data the whole thing gets deadly serious.
To tackle this problem, CoreSoft Labs has created the Secure Pages for Confluence App.
Secure Pages lets you automate the content access management process and lifts the responsibility off the content authors’ shoulders. Space administrators can define which pages should be restricted, and if necessary, the restriction templates will be applied by default.
Moreover, the templates can be edited "on the go", which means that you’ll never have to browse through dozens of pages to correct restrictions when an employee loses access to sensitive data or there are some major changes in the organization’s structure.
The App is available for Confluence Cloud and Confluence Server. Interested in Secure Pages for Confluence? Try it for free and tell us how you like it!