Confluence Docs 2.10 : Security and Permissions
This page last changed on Sep 20, 2007 by smaddox.
Users and Groups

Users are individuals who sign on to Confluence. Most of the time a user represents a human being, but you could also register accounts for programmatic agents accessing the site. For example, a robot sitting in a chat-room and relaying the logs to a Confluence page via the SOAP API might have its own user account.

New users can be created by a site administrator through the "Manage Users" option in the Administration pages, or they can sign themselves up for an account using the signup form. If you do not want users signing up for their own accounts, you can disable the signup form in the "General Configuration" section of the Administration pages: change "Allow Public Signup" to "OFF".

Users can be grouped together into groups for more convenient administration. You can create new groups in the "Manage Groups" section of the Administration pages, and assign users to groups through the "Manage Users" section. Once you have assigned a user to a group, anything the group is permitted to do, the user is also permitted to do.

The "Anonymous" user

The "Anonymous" user isn't really a user, although it shows up on the permission management pages. "Anonymous" represents not only all the users in the system, but also anyone who has not logged in at all. (We call these people "Anonymous users", since they haven't identified themselves.)

For more information about setting up anonymous access in Confluence, see Setting up Anonymous Access.

Two Special Groups: confluence-administrators and confluence-users

confluence-administrators is the super-user group. Any user in this group automatically has permission to do anything in the site, regardless of the setting of any other privileges. Users in the confluence-administrators group are also listed as being available to help on the "Contact Administrators" page that is linked throughout the site.

confluence-users is the default group. All new users are added to this group, so whatever permissions you assign to this group will be the default access for newly signed-up users.

Deleting and Deactivating Users

Confluence will only allow you to delete a user entirely if the user is not responsible for any content within the site. If a user has edited a page or blog post, or left a comment, Confluence will need to keep the user around in the system to maintain its knowledge of who wrote what. You can, however, deactivate a user so they can no longer log in to Confluence.

Deleting and deactivating users can be done in the "Manage Users" section of the Administration pages.

Permissions

What a user is allowed to do in Confluence is determined by the permissions assigned to them. Managing the users of a Confluence installation consists of giving the right users the right permissions.

A Digression: Security Policy and Confluence

Traditionally, security is determined by the Principle of Least Privilege: you give each person the minimum amount of permissions that allow them to do their job. Unless someone can demonstrate a specific need to see or change some data, they are not given the authority to do so.

For Confluence this is entirely the wrong approach. Confluence is a tool for communication and collaboration. The more people you have participating in its discussions and editing its pages, the more value you get out of Confluence. Because Confluence keeps histories of all changes, it is very easy to see who has changed what, and reverse any edits that should not have been made.

In short, you should design the security of a Confluence installation in accordance with the principle of Most Privilege. Give people the ability to do anything that you can't think of a good reason to restrict them from doing.

There are three levels of permissions in Confluence: Global Permissions, Space Permissions and Page Restrictions.

Global Permissions

Global Permissions are granted in the "Global Permissions" section of the Administration screens. In order to assign these permissions, a user must already have the global "Administrate Confluence" permission. Confluence will do its best to make sure you never end up in a situation where the site no longer has any administrators.

Space Permissions

Every space has its own, independent set of permissions. Space Permissions are granted in the "Permissions" section of each Space Information page. In order to assign these permissions, a user must have the "Administrate Space" permission for that space. If you misconfigure a space so that nobody has access to administer it any more, you will need to have someone in the confluence-administrators group fix the permissions for you.
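
The rules above (group grants pass to members, "Anonymous" covers everyone, confluence-administrators overrides everything, new sign-ups land in confluence-users) can be checked against a permission listing. The following is an added example, not part of the Confluence documentation or product code. The data shapes, the user, space and "docs-team" names, the "View"/"Edit" permission labels and the finding labels are all constructed assumptions, not a Confluence export format or API.

```python
# Constructed sample data; shapes and names are assumptions for this example,
# not a Confluence export format or API.
ADMIN_GROUP = "confluence-administrators"   # super-user group (named on the page)
DEFAULT_GROUP = "confluence-users"          # all new users are added here
ANONYMOUS = "Anonymous"                     # everyone, logged in or not

groups = {
    ADMIN_GROUP: {"alice"},
    DEFAULT_GROUP: {"alice", "bob", "chatbot"},
    "docs-team": {"bob"},
}
# space key -> grantee (user, group or Anonymous) -> permissions granted
space_permissions = {
    "DOCS": {"docs-team": {"View", "Edit", "Administrate Space"},
             ANONYMOUS: {"View"}},
    "HR": {DEFAULT_GROUP: {"View", "Edit"}},
}

def effective_permissions(user, space):
    """Union of grants to the user, to the user's groups and to Anonymous."""
    if user in groups.get(ADMIN_GROUP, set()):
        return {"*"}  # super-user: anything, regardless of other settings
    perms = set()
    for grantee, granted in space_permissions.get(space, {}).items():
        if grantee in (user, ANONYMOUS) or user in groups.get(grantee, set()):
            perms |= granted
    return perms

def audit(public_signup):
    """Flag grants that reach further than an administrator may expect."""
    findings = []
    for space, grants in sorted(space_permissions.items()):
        if ANONYMOUS in grants:  # readable or writable without logging in
            findings.append((space, "anonymous-access", sorted(grants[ANONYMOUS])))
        if public_signup and DEFAULT_GROUP in grants:  # anyone who signs up
            findings.append((space, "open-to-self-signup",
                             sorted(grants[DEFAULT_GROUP])))
        if not any("Administrate Space" in p for p in grants.values()):
            # only a member of the super-user group can repair this space
            findings.append((space, "no-space-admin", [ADMIN_GROUP]))
    return findings

if __name__ == "__main__":
    for finding in audit(public_signup=True):
        print(finding)
```

With "Allow Public Signup" off, the same HR grant to confluence-users is no longer reported, because only accounts created by an administrator can join the default group.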

Page Restrictions

Page Restrictions, introduced in Confluence 1.4, allow you to restrict view and edit actions on pages. For complete details, see Page Restrictions.

Document generated by Confluence on Dec 03, 2008 15:18