To totally unlock this section you need to Log-in
Login
Confluence permissions are not only have multiple levels (site, space, page) but they are interfering, they have effect on each other and often result in unexpected effective permissions that are hard to spot and understand in a Confluence instance.
Quick Answer
Space permissions come first and define who is allowed to do anything at all. Page restrictions enable additional restrictions on a page basis for those who have the necessary space permissions.
So, you don't have to do it twice. Granting Space permissions is enough to give users access to all pages included in that specific Space.
The Long Answer
In other words, effective permissions sometimes derive from implicit combinations of individual permissions. Or effective permissions are permissions users effectively have but not necessarily directly assigned.
Due to the levels and complexity of (effective) permissions, page restrictions, spread through your dozens or hundreds of spaces and pages in your Confluence instance, unwanted access to pages may be given to users or groups risking information leak.
This is just one example for why understanding permissions is crucial to operate mid sized or large Confluence instances.
New users can have permissions because of default groups
confluence-users is the default group into which all new users are assigned. Permissions defined for this group will be assigned to all new Confluence users.
So be careful creating user who is not a member of your organization, for example, an external partner.
Maybe these users should not be members of confluence-users group because it grants them unwanted permissions by default that allow them to access spaces for internal uses.
Default space permissions
Confluence makes it very easy to set up default permissions for newly created spaces. It can speed up the space creating process for Space Administrators. This setting can be found in the "Confluence administration" interface, under Space Permissions, Default Space Permissions.
By default confluence-users group is granted with the following permission, and you can add or edit permissions for any groups as you like:
Most cases not only Confluence Administrators but also project leaders, department leads have Create Space permissions on their Confluence site. It decreases the load of IT support, and make your process faster.
But never forget to think over the visibility of the new space. If you are creating a very sensitive space - and have a supportive default permission settings good for most cases - after the space is created, delete everything from the Space Permissions and set up carefully with the proper ones.
If you work with extremely sensitive information we recommend you to delete everything (even confluence-users group) from the default space permission setting. Doing this guarantees preventing this kind of information leakage.
Anonymous access
Confluence is also very handy tool for creating public access knowledge bases. This is provided by the "anonymous access" feature, so anybody can read the articles without logging in to the site.
If your organization rules do not allow to access any content without login, check the global permission setting of the Confluence and deny the anonymous "Can Use" permission like this:
By unchecking "Can Use", anonymous can not access any space, any content, even if Confluence Administrators or your Space Admins accidentally granted any kind of space level permission in the Space Permission interface to the anonymous.
Always double-check a group permissions before adding a new user
Groups - as everywhere - can really speed up and make clear your permission settings.
On the other hand never forget to double-check a group permissions before adding a new user/employee into it avoid unwanted access to important information.
Group permission checking is not so easy in Confluence by default, because you have to go through all of the spaces and check the used permission settings one-by-one.
Lessons learned
Confluence is designed for information sharing and collaboration:
- Do not forget that new users can have unwanted permissions coming from their default groups.
- Be careful setting up the proper permissions for sensitive pages and spaces, most cases the default settings can be too permissive.
- If your organization rules do not allow to access any content without login deny the Anonymous "Can Use" permission.
- Never forget to double-check group's permissions before adding a new user/employee to avoid unwanted access.