Search the Confluence 4.1.x Documentation:

Index
Downloads (PDF, HTML & XML formats)
Other versions

This documentation relates to Confluence 4.1.x
If you are using an earlier version, please view the previous versions of the Confluence documentation and select the relevant version.
Skip to end of metadata
Comment: Corrected links that should have been relative instead of absolute.
Go to start of metadata

Permissions determine the actions which a user is allowed to perform within Confluence. Global permissions are one of the levels of permission provided by Confluence.

In order to assign these permissions, you must already have the global 'Confluence Administrator' or 'System Administrator' permission (described below). You can then assign global permissions to groups, individual users and anonymous users. Further permissions are granted from the space administration screens.

 

On this page:

(warning) The information on this page does not apply to Confluence OnDemand.

Overview of the Global Permissions

Global permissions control access across the whole Confluence site. Here is a list:

Global Permission

Description

Can Use

This is the most basic permission that allows users to access the site.
(info) Users with this permission count towards the number of users allowed by your license. See the information on removing/deactivating users.

Attach Files to User Profile

This allows the user to upload files to be stored in their user profile.
(info) This feature was made obsolete by the introduction of personal spaces in Confluence 2.2. Hence, this permission is no longer relevant. Attachments can be accessed from a user profile view (for example, an image within the 'About Me' field of a profile view) by attaching these files to a page within that user's personal space and referencing them using appropriate wiki markup code.

Update User Status

This allows the user to update their user status message, which can be seen on the user's profile, pages in their personal space and on various activity streams accessible to other Confluence users.

Personal Space

This permission allows the user to create a personal space.

Create Space(s)

This permission allows users to create new spaces within your Confluence site. When a space is created, the creator automatically has the 'Admin' permission for that space and can perform space-wide administrative functions.

Confluence Administrator

This permission allows users to access the 'Administration Console' that controls site-wide administrative functions. Users with this permission can perform most, but not all, of the Confluence administrative functions. See the comparison of 'System Administrator' and 'Confluence Administrator' below.

System Administrator

This permission allows users to access the 'Administration Console' that controls site-wide administrative functions. Users with this permission can perform all the Confluence administrative functions, including the ones which the 'Confluence Administrator' permission does not allow. See the comparison of 'System Administrator' and 'Confluence Administrator' below. Refer also to the note about the 'confluence-administrators' group below.

The first system administrator is defined during installation

During the initial configuration of Confluence, the Setup Wizard asks for the username of the System Administrator. This user will have the 'System Administrator' permission and will be a member of the 'confluence-administrators' group.

Comparing the System Administrator with the Confluence Administrator Permission

New with Confluence 2.7 and later comes the ability to have two levels of administrator in Confluence:

  • System Administrator – Users with this permission can perform all the Confluence administrative functions, including the ones which the 'Confluence Administrator' permission does not allow.
  • Confluence Administrator – Users with this permission can perform most, but not all, of the Confluence administrative functions.

(tick) Tip: The two-tier administration is useful when you want to delegate some administrator privileges to project managers or team leaders. You can give 'Confluence Administrator' permission to users who should be able to perform most administrative functions, but should not be able to perform functions that can compromise the security of the Confluence system.

The following functions are excluded from the 'Confluence Administrator' permission:

Administration Screen

Excluded Function

General Configuration

The following functionality is disallowed:

  • Server Base URL
  • Remote API plugin
  • Public Signup
  • Connection Timeouts

Security Configuration

The following functionality is disallowed:

  • External user management
  • Append wildcards to user and group searches
  • Public Signup
  • Anti XSS Mode
  • Enable Custom Stylesheets for Spaces
  • Show system information on the 500 page
  • Maximum RSS Items
  • XSRF Protection

Plugins

The following functionality is disallowed:

  • Upgrade
  • Install
  • Confluence Upgrade Check

Daily Backup Admin

This function is disallowed entirely.

Mail Servers

This function is disallowed entirely.

User Macros

This function is disallowed entirely.

Attachment Storage

This function is disallowed entirely.

Layouts

This function is disallowed entirely.

Custom HTML

This function is disallowed entirely.

Backup & Restore

This function is disallowed entirely.

Logging and Profiling

This function is disallowed entirely.

Cluster Configuration

This function is disallowed entirely.

Scheduled Jobs

This function is disallowed entirely.

Application Links

This function is disallowed entirely.

Comparing the Administrator Permissions with the confluence-administrators Group

The 'confluence-administrators' group defines a set of 'super-users' who can access the Administration Console and perform site-wide administration. Members of this group can also see the content of all pages and spaces in the Confluence instance, regardless of space permissions. They cannot immediately see the pages for which they are excluded by page restrictions without knowing the direct URL to the page (restrictions can be removed by members of the confluence-administrators group in the Space Admin screen if need be). For example, they will not see restricted pages displayed by the children macro. But they are able to access restricted pages directly using the page URL. The settings on the 'Global Permissions' screen do not affect the powers allowed to members of this group.

Granting the 'System Administrator' or 'Confluence Administrator' permission to a user will not automatically grant the user access to all spaces in the site. These permissions will only give access to the Administration Console.

Be aware, however, that users with 'System Administrator' can add themselves to the 'confluence-administrators' group and become a super-user.

Confluence Administrator permission and confluence-administrators group are not related

Going by the names, you would think the 'confluence-administrators' group and the 'Confluence Administrator' permission are related – but they are not. To resolve confusion, we want to make explicit that granting a user or group 'Confluence Administrator' permission is not the same as granting them membership to the 'confluence-administrators' group. Granting the 'Confluence Administrator' permission enables access to only a subset of the administrative functions. Granting membership to the 'confluence-administrators' group, on the other hand, gives complete access.

Read more about global groups.

Updating Global Permissions

To view the global permissions for a group or user:

  1. Go to the Confluence 'Administration Console':

    • Choose Browse > Confluence Admin. The 'Administrator Access' login screen will be displayed.
    • Enter your password and click Confirm. You will be temporarily logged into a secure session to access the 'Administration Console'.
  2. Select Global Permissions in the Security section of the left-hand panel. The View Global Permissions screen appears.

Add or edit group and user permissions as follows:

To add permissions for a group:

  1. First add the group to Confluence, if you have not already done so.
  2. Click Edit Permissions. The 'Edit Global Permissions' screen appears, as shown below.
  3. Enter the group name in the Grant browse permission to box in the 'Groups' section. You can search for the group name.
  4. Click Add.
  5. The group will appear in the list and you can now edit its permissions.

To add permissions for a specific user:
(Consider adding the user to a group and then assigning the permissions to the group, as described above, instead of assigning permissions to the specific user.)

  1. First add the user to Confluence, if you have not already done so.
  2. Click Edit Permissions. The 'Edit Global Permissions' screen appears, as shown below.
  3. Enter the username in the Grant browse permission to box in the 'Individual Users' section. You can search for the username.
  4. Click Add.
  5. The username will appear in the list and you can now edit its permissions.

To add or edit the permissions for a user or group:

  1. Select, or clear, the check box under the relevant permission in the row for the relevant user/group. A selected check box indicates that the permission is granted.
  2. To allow anonymous access to your Confluence site, select the 'Use Confluence' and 'View User Profile' options in the 'Anonymous Access' section.
    (info) For more information about these permissions, refer to Setting up Anonymous Access.
  3. Click Save All to save your changes.

Screenshot: Editing global permissions

About some error messages you may see

In Confluence 2.7.2 and later, Confluence will let you know if there is a problem with some permissions. In rare situations, you may see the following error messages below a permission:

  • 'User/Group not found' — This message may appear if your LDAP repository is unavailable, or if the user/group has been deleted after the permission was created.
  • 'Case incorrect. Correct case is: xxxxxx' — This message may appear if the upper/lower case in the permission does not match the case of the username or group name. If you see a number of occurrences of this message, you should consider running the routine supplied to fix the problem.

Related Topics

Page: Removing a Group
Page: Adding a New User
Page: Editing User Details
Page: Adding or Removing Users in Groups
Page: Global Permissions Overview
Page: Viewing members of a group
Page: Removing or Deactivating a User
Page: Adding a Group
Page: Permissions Overview
Page: Changing Usernames
Page: Global Groups Overview
Page: Disabling the Built-In User Management
Page: Setting up Anonymous Access
Page: Searching For and Managing Users
Page: Enabling or Disabling Public Signup

50 Comments

Hide/Show Comments

  1. Apr 11, 2008

    Anonymous

    Hi,

      Which table can be stored this "PERMISSIONS" informations?

    Thanks! 

    1. Apr 15, 2008

      Tony Cheah Tong Nyee

      Hi there,

      Did you mean where are the permissions information being stored in the database? If that is the case, give a try to look into the SPACEPERMISSIONS table. It provides information of both the Global and Spaces level permission.
      For example:

      -+---------+------------------------+---------------------------+
 | SPACEID | PERMTYPE               | PERMGROUPNAME             |
-+---------+------------------------+---------------------------+
 |    NULL | USECONFLUENCE          | confluence-users          |
 |    NULL | USECONFLUENCE          | confluence-administrators |

      The above data indicates that both confluence-users and confluence-administrators groups possessed the "Can Use" permission.

      Cheers,
      Tony

  2. May 09, 2008

    Anonymous

    Hello-

    How do I restrict access to a space while only allowing specific people to view/admin it?

    Thanks,

    Alex

    1. May 13, 2008

      Ming Giet Chong

      Hi Alex,

      You can refer to the following doc regarding the space permissions:

      Hope this helps.

      Regards,
      MG

  3. Aug 12, 2008

    Paul Csapo

    Hi, is there a way to prevent the administrator of a Space from performing certain functions?

    For example, if we want to allow them to set permissions and restrictions within their space, but do not want them to edit the Space Details is that possible?

    regards,
    Paul

    1. Aug 18, 2008

      Tony Cheah Tong Nyee

      Hi Paul,

      Unfortunately, this feature has not been implemented. A similar feature request is raised here:

      Feel free to cast your vote to increase its popularity and add yourself as a watcher for future updates.

      Regards,
      Tony

      1. Aug 22, 2008

        Paul Csapo

        Thanks Tony.

  4. Aug 14, 2008

    Anonymous

    Is it possible for System Administrators or confluence-administrators to get a report of any changes made by Confluence Administrators for auditing purposes?

    1. Aug 14, 2008

      Chris Latimer

      Under the Space Administration there is an activity section that you can use to track activity at a daily/weekly/monthly level.  There is also a comparable function called "Global Activity" under the global administration.  Alternatively, you could probably capture the XML from RSS feeds if you wanted something you could save off somewhere.

  5. Sep 17, 2008

    Thomas de Bodt

    Hello, I wonder how to remove global permission on individual user, I mean to remove the user of the Individual Users section of the Edit Global Permissions page... anyone can guide me?

    1. Sep 19, 2008

      Azwandi Mohd Aris [Atlassian]

      Hi Thomas,

      If you would like to remove a user/group from the permission set, please uncheck all of its permissions and save. The user/group should be removed from the permission set. Hope that helps.

      Cheers,
      Azwandi

  6. Oct 30, 2008

    Guy Fraser

    There are some functions that I would expect to be System Administrator only but the documentation above doesn't clarify one way or the other:

    • global permissions (eg. could a Confluence admin give themselves System Admin priv?)
    • trusted applications
    • group management (eg. could a Confluence admin add themselves to confluence-administrators group?)
    • WebDAV config (Confluence admins can't access the attachment storage and backup/restore features, so I assume they can't access this either?)

    1. Dec 01, 2008

      Azwandi Mohd Aris [Atlassian]

      Hi Guy,

      To answer your questions:

      1. Confluence Administrators are able to access the global permissions page and change the permissions set, excluding permissions set for "confluence-administrators" group. The Confluence Administrators cannot assign themselves the "System Administrator" permission
      2. Trusted applications - definitely not accessible by Confluence Administrators since it can compromise security of the system
      3. Group management - the same restriction applies for answer #1 - Confluence Administrators can modify any groups, except for groups that has "System Administrator" permission.
      4. WebDAV config - Accessible by Confluence Administrators

      Hope that helps,
      Azwandi

  7. Jan 22, 2009

    Anonymous

    Is any way to use policy to demand from all users change password every period of time like every month they have to change password?
    Instead doing this manually by administrator for each user.

    1. Jan 22, 2009

      lukasz.ryszka

      I've got answer on my question

      plugin User Management Plugin

      http://confluence.atlassian.com/display/CONFEXT/User+Security+Management+Plugin

      Thanks

  8. Feb 26, 2009

    Anonymous

    Hello!

    Right now, users cannot delete the news items that they create. Is there a way to grant permissions to users to be able to remove news items that they create?

    Thanks!

    1. Feb 27, 2009

      Komathi Krishnan [Atlassian]

      Hi,

      If you would like the user to remove the news item, this can be configured in space admin. Refer the link given for more information on how to do this.

      Cheers
      Komathi

  9. Jun 05, 2009

    Ken Stafford

    Currently when new spaces are created by the Site Admin the confluence-users group is added into Space Permissions automatically. In this case the confluence-users group has default settings for the various permission attributes. My question is whether there is a way to modify the default permissions of the group confluence-users. Specifically, users are allowed to add attachments, but are not allowed to delete per the default settings. We'd like to change this default to also allow attachment deletion without having to go into space permissions and manually reset this for each new space. (our version is 2.8.2)

    1. Jul 01, 2009

      Zed Yap [Atlassian]

      Hi Ken,

      As far as I know, the feature requested in not available yet. However, I found this feature request which might be closest to your requirement:

      Please add your comments to the discussion, vote on it and add yourself as a watcher for future updates. Also, please bear in mind the following document on how we schedule features for inclusion in our products: Implementation of New Features and Improvements.

      Hope that helps,
      Best rgds,
      Zed

  10. Jun 17, 2009

    Anonymous

    Is there a way how to change the Space Admin?

    The person who created a particular space works on different projects now.

    The project leader would like to have distinct boundaries.

    Thanks!

    1. Jun 22, 2009

      Sashidaran Jayaraman [Atlassian]

      Hi,

      Yes it is possible to change the Space Admin. Just follow the steps documented here in order to assign space-admin permission to another user. You can only remove a particular space admin after assigning the space permission to another user. Otherwise you will get the error message "You are not allowed to remove all the Administration Permissions for this space." Hope that helps.

      Cheers
      JSashi

  11. Jun 29, 2009

    Anonymous

    How can I check who was assigned as administrator to my page I thought it was me, but I don't have the space permissions option.

    1. Jun 03, 2011

      Sashidaran Jayaraman [Atlassian]

      Hi,

      As far as I know, there isn't such option in Confluence by default. There is an improvement request for this feature though. Please add yourself as a watcher, vote for this feature and add your own comments to this feature request. For further details, you can read on Implementation of New Feature and Improvement.

      I would also advise you to direct your questions to Atlassian Answers as there might be other users/developers who have already implemented it and should be able to share their ideas with you. Thanks.

      Cheers
      JSashi

  12. Jul 02, 2009

    Anonymous

    Hi,

       I want to do the following.   Have a group of users that can change all aspects of the sytem except for managing groups and permissions. Is it possible to do this?   By default Confluence seems to restrict Confluence Administrators from doing things like defining custom HTML etc.    Thanks.

    1. Jul 13, 2009

      Zed Yap [Atlassian]

      Hi,

      I am afraid that the feature requested is not available yet. However, you might want to raise an improvement request in JIRA:

      Hope that helps,
      Best rgds
      Zed

  13. Aug 19, 2009

    Anonymous

    There is a perimssion to control who can update status messages, but is it possible to restrict who can view status messages? We allow public users access to certain restrict spaces on our confluence instance, but don't want them to be able to see all of our company's internal comms through status messages...

    1. Aug 19, 2009

      Imran Aziz

      We have the same need, that is to disable view of status messages to people who are either anonymous or only members of confluence-users group, so that people who are part of a specific group can only see the status messages for people in their group or network.

      1. Aug 19, 2009

        Sashidaran Jayaraman [Atlassian]

        Hi guys,

        As far as I know, this feature is not currently available in Confluence. However, I have found a similar feature request. Please add yourself as a watcher, vote for this feature and add your own comments to this feature request. For further details on how we include new features and improvements, you might want to read this page

        Cheers
        JSashi

  14. Aug 26, 2009

    Anonymous

    "Members of this group can also see all pages and spaces in the Confluence instance except pages for which they are excluded by page restrictions (restrictions can be removed by members of the confluence-administrators group in the Space Admin screen if need be)."

    How can you grant global VIEW and EDIT permissions to System Administrator or Confluence Administrator EVEN if there are user restrictions on the content? We need this capability in order to perform our content governance... Thanks!

    1. Aug 31, 2009

      Zed Yap [Atlassian]

      Hi,

      How can you grant global VIEW and EDIT permissions to System Administrator or Confluence Administrator EVEN if there are user restrictions on the content? We need this capability in order to perform our content governance..

      As far as I know, the feature requested is not available yet. However, I found a feature request which might be nearest to your requirement: http://jira.atlassian.com/browse/CONF-4616

      If you are less happy on the feature request you might want to launch a feature request in JIRA:

      Hope that helps.
      Best rgds,
      Zed

  15. Sep 02, 2009

    Anonymous

    Hi,

    Our BI admin had accidentally deleted the user in Cognos portal Security - System Administrator group. Now, all users including BI admin not able to view the IBM Cognos Administration in the portal. Anyway to reset the permission or gain back a user to have System Administrator rights?

    Please advice.

    Thanks.

    Best regards
    Bryan

    1. Mar 05, 2010

      Sashidaran Jayaraman [Atlassian]

      Hi Bryan,

      As far as I know, there's no way to delete either the System Administrator or the group confluence-administrators if there's only one user who has the permission in Confluence. Therefore, I believe there's still at least one System Administrator who can help you out in this matter.

      Hope this helps. If you require more help, feel free to raise a support ticket to https://support.atlassian.com

      Cheers
      JSashi

  16. Sep 09, 2009

    Maria Pham

    Is there a way you can modify permissions so users who can edit cannot add pages?

    1. Sep 10, 2009

      Zed Yap [Atlassian]

      Hi Maria,

      Is there a way you can modify permissions so users who can edit cannot add pages?

      I am afraid that the feature requested is not available yet. However, I found an improvement request on this in JIRA

      Please add your comments to the discussion, vote on it and add yourself as a watcher for future updates. Also, please bear in mind the following document on how we schedule features for inclusion in our products: Implementation of New Features and Improvements.

      I have a mere suggestion, you might want to hide the option for the Add Page option using CSS style syntax.
      I have created an example shown below, hopefully, you will have some idea on this:

      1. Go to page layout via Space admin >> Layout >> Page layout >>Edit
      2. Drop the following code:
      3. Save the changes

      Hope that helps,
      Best rgds
      Zed

  17. May 06, 2010

    Anonymous

    The german translation of the "Can Use" permission is completely confusing (Confluence 3.2.1). "darf Folgendes verwenden" means "Can use following". I thought "following" referred to the permissions on the right when it actually means if you don't have this permission you won't be able to log into Confluence. It is on the other hand translated correctly on the right side where the help is displayed as "Confluence verwenden" which just means "Use Confluence" and makes much more sense than that confusing following stuff.

    Regards

    ele

    1. May 26, 2010

      Joachim Ooi [Atlassian]

      Hi,

      I have just raised an improvement request at:

      Feel free to cast a vote, comment on it, and watch it for future updates.

      Cheers~

  18. Jun 11, 2010

    George Salhani

    We are trying to create a Wiki Gardener role, who will have access to edit and view all content in the wiki, regardless of the space permissions set by the Space Admins. We don't want this role however to have access to the admin console. Is there any way to achieve this in Confluence?

  19. Jul 23, 2010

    Anonymous

    Hi

    Can you advice me how to give a attachment uploading and deleting facility to user group..

    kesharika

    1. Jul 26, 2010

      Husein Alatas [Atlassian]

      Hi Kesharika,

      Attachments permission is available at Space Permissions Overview. Please refer to this page for more details.

      Hope this helps.

      Cheers,
      Husein

  20. Aug 23, 2010

    Konnie McCauley

    I have added all enterprise domain users to a wiki security group in AD then added that group to the global permissions "can use".  I thought this would work for all users who had not yet been added to the "confluence user" so that all domain users could access Confluence.  However, this did not work, they seem to still need to be added to "confluence-users" to be able to access Confluence. 

    We have NTLM which prohibits the "auto join" feature when a new users tries to access Confluence.  Is there a config file in which I can alter to add our AD group "wkAll" to to avoid continually having to add new domain users to the "confluence-user" group one by one?

  21. Sep 14, 2010

    Anonymous

    Hi

    I have a couple "Group not found" errors on groups in my Global Permissions but I am unable to remove them from the list.  What do I have to do to be able to remove them?

    Yes they have been removed from the LDAP directory.  The only solution I can come up with is to re-add them to LDAP remove them from confluence and then re-remove them from LDAP.  Seems a little stupid to me.

    Cheers

    Matthew

    1. Aug 22, 2011

      Richard Parr

      I have the same issue with users whose accounts have been removed from our LDAP - is there a way for me to force these permissions to be deleted?  At the moment, if a new account happens to be created with the same name as an old one that has disappeared they'll "inherit" the old permissions, and that's not what we'd want to happen.

      --Rich

  22. Jul 07, 2011

    Ulli Hochholdinger

    Hi,

    Am I right that I can't add users from my-LDAP-Directory to the group confluence-administrators. So no account in my directory can gain "real" super user rights? Giving these individuals "SuperAdmin rights" are less rights than the confluence-administrators have...

    So how is the best workaround for my team of administrators to gain these rights without sharing one admin-account or creating extra local accounts?

    Cheers,

        Ulli

    1. Jul 07, 2011

      Alexander Seith

      Hi Ulli,

      no, it IS possible to add users coming from an LDAP directory to a local group in Confluence. When configuring the LDAP directory, be sure to select 'Read Only, with Local Groups'. Refer to http://confluence.atlassian.com/display/DOC/Connecting+to+an+LDAP+Directory for more details.

      Cheers

      Alex

      1. Jul 08, 2011

        Ulli Hochholdinger

        Hi Alex,

        Wow, ok, that was easy. Many thanks for the help.

        Cheers,

            Ulli

  23. Oct 28, 2011

    Bill Bailey

    Is there a way to set permissions on plug-ins? In other words, restrict the use of certain plug-ins to space admins and above?

    Thanks!

    Bill

  24. Dec 06, 2011

    Anonymous

    Is there a macro or other method for displaying the "About Me" text on a personal page, or for a given user on any page for that matter?

    So for example, on my personal page I have a profile box on the right that shows website, position, department, etc. but it does not show the "about me" text from my profile. I would like to show that text either w/in the profile box, or simply reference it within the main text of the page using some kind of macro, like {profile:showAboutMe=true}.

  25. Dec 22, 2011

    Anonymous

    Hello,

    Our organization are currently using Confluence OnDemand from 2 months ago, and we like to change our url name,  but neither of us have system administrator permissions. How can us be granted with the permission?

    Thanks

    1. Dec 23, 2011

      Lingbo Lu [Atlassian Technical Writer]

      Hi there,

      According to the information on page http://confluence.atlassian.com/pages/viewpage.action?pageId=253231647, domain names (i.e. URL names) can't be changed for OnDemand once specified. And the system administrator permission does not apply to OnDemand sites either. If you need further assistance, may I suggest that you open a support ticket on https://studio.atlassian.com/browse/JST?

      Regards,

      Lingbo

  26. Jan 20, 2012

    Scott Pratt

    Hi,

    Is there a way to restore the "confluence-users" group once it as been deleted?