Global Permissions Overview
Global Permissions determine the actions which a user is allowed to perform in Confluence at a site level. To assign global permissions to a user or group you need Confluence Administrator or greater permissions.
Note: The first system administrator is defined during initial setup. During the initial configuration of Confluence, the Setup Wizard asks for the username of the System Administrator. This user will have the 'System Administrator' permission and will be a member of the 'confluence-administrators' group.
On this page:
Overview of global permissions
The following global permissions can be applied to groups and individuals.
Global Permission | Description |
---|---|
Can Use | This is the most basic permission that allows users to access the site. Users with this permission count towards the number of users allowed by your license. |
Attach Files to User Profile | This allows the user to upload files to be stored in their user profile. This feature was made obsolete by the introduction of personal spaces in Confluence 2.2. Hence, this permission is no longer relevant. Attachments can be accessed from a user profile view (for example, an image within the 'About Me' field of a profile view) by attaching these files to a page within that user's personal space and referencing them using appropriate wiki markup code. |
Personal Space | This permission allows the user to create a personal space. |
Create Space(s) | This permission allows users to create new spaces within your Confluence site. When a space is created, the creator automatically has the 'Admin' permission for that space and can perform space-wide administrative functions. |
Confluence Administrator | This permission allows users to access the 'Administration Console' that controls site-wide administrative functions. Users with this permission can perform most, but not all, of the Confluence administrative functions. See the comparison of 'System Administrator' and 'Confluence Administrator' below. |
System Administrator | This permission allows users to access the 'Administration Console' that controls site-wide administrative functions. Users with this permission can perform all the Confluence administrative functions, including the ones which the 'Confluence Administrator' permission does not allow. See the comparison of 'System Administrator' and 'Confluence Administrator' below. Refer also to the note about the 'confluence-administrators' group below. |
Comparing the System Administrator permission with the Confluence Administrator permission
Confluence recognises two levels of administrator:
- System Administrator – Users with this permission can perform all the Confluence administrative functions, including the ones which the 'Confluence Administrator' permission does not allow.
- Confluence Administrator – Users with this permission can perform most, but not all, of the Confluence administrative functions.
The two-tier administration is useful when you want to delegate some administrator privileges to project managers or team leaders. You can give 'Confluence Administrator' permission to users who should be able to perform most administrative functions, but should not be able to perform functions that can compromise the security of the Confluence system.
The following functions are granted to the 'System Administrator' permission but excluded from the 'Confluence Administrator' permission:
Administration Screen | Excluded from Confluence Administrator permission |
---|---|
General Configuration | The following functionality is disallowed:
|
Further Configuration | The following functionality is disallowed:
|
Security Configuration | The following functionality is disallowed:
|
Plugins | The following functionality is disallowed:
|
Daily Backup Admin | This function is disallowed entirely. |
Mail Servers | This function is disallowed entirely. |
User Macros | This function is disallowed entirely. |
Attachment Storage | This function is disallowed entirely. |
Layouts | This function is disallowed entirely. |
Custom HTML | This function is disallowed entirely. |
Backup & Restore | This function is disallowed entirely. |
Logging and Profiling | This function is disallowed entirely. |
Cluster Configuration | This function is disallowed entirely. |
Scheduled Jobs | This function is disallowed entirely. |
Application Links | People with the 'Confluence Administrator' permission can add, modify and remove application links and project links. For example, they can link Confluence to JIRA. However, Confluence administrators can configure only OAuth authentication for application links. |
Office Connector configuration | This function is disallowed entirely. |
Comparing the confluence-administrators group with the administrator permissions
The default confluence-administrators
group is a special, 'super-user' group that gets permissions above and beyond the Confluence administrator and system administrator global permissions. Members of this group can perform site-wide administration functions, and also see the content of all pages and spaces in the Confluence site, regardless of space permissions or page restrictions.
Restricted pages are not visible to members of the confluence-administrators
group in the dashboard, search and most macros, but will be visible in the following places:
- In the sidebar (with Page Tree navigation, but not visible with Child Pages navigation)
- Pages index page
- Reorder pages screen
- Page tree macro
- Quicknav
Members of this group can also see restricted pages if they have the page URL.
Granting a user the system administrator and Confluence administrator global permissions does not allow that user to automatically see all spaces in your site, or see restricted pages. These permissions only give access to administration tools. Be aware, however, that users with system administrator global permission could add themselves to the confluence-administrators
group.
Note: changing the global permissions granted to the confluence-administrators
group will not affect group member's ability to see all content. If you don't want your admins to be able to see all spaces and restricted pages, you should create a new group, and grant that group the Confluence administrator and system administrator global permissions.
Updating global permissions
To view the global permissions for a group or user:
Choose the cog icon , then choose General Configuration under Confluence Administration
- Choose Global Permissions in the left-hand panel. The 'View Global Permissions' screen appears.
Add or edit group and user permissions as follows:
To add permissions for a group:
- First add the group to Confluence, if you have not already done so.
- Choose Edit Permissions. The 'Edit Global Permissions' screen appears.
- Enter the group name in the Grant browse permission to box in the 'Groups' section. You can search for the group name.
- Choose Add.
- The group will appear in the list and you can now edit its permissions.
To add permissions for a specific user:
(Consider adding the user to a group and then assigning the permissions to the group, as described above, instead of assigning permissions to the specific user.)
- First add the user to Confluence, if you have not already done so.
- Choose Edit Permissions. The 'Edit Global Permissions' screen appears.
- Enter the username in the Grant browse permission to box in the 'Individual Users' section. You can search for the username.
- Choose Add.
- The username will appear in the list and you can now edit its permissions.
To add or edit the permissions for a user or group:
- Select, or clear, the check box under the relevant permission in the row for the relevant user/group. A selected check box indicates that the permission is granted.
- To allow anonymous access to your Confluence site, select the 'Use Confluence' and 'View User Profile' options in the 'Anonymous Access' section.
- Choose Save All to save your changes.
Screenshot: Editing global permissions
Revoking access for unlicensed users from JIRA Service Desk
If you're using Confluence as a knowledge base for JIRA Service Desk, you can choose to allow all active users and customers (that is logged in users who do not have a Confluence license) to view pages in specific spaces. This permission can only be turned on via JIRA Service Desk.
To revoke access for unlicensed users:
- Go to > General Configuration > Global Permissions.
- Choose Edit Permissions
- Deselect the 'Can Use' permission under Unlicensed Access.
Unlicensed users will no longer be able to access pages in your Confluence site. This can only be re-enabled via JIRA Service Desk.
You can also choose to revoke access for individual spaces from the Space Permissions screen in each space.
Error messages you may see
Confluence will let you know if there is a problem with some permissions. In rare situations, you may see the following error messages below a permission:
- 'User/Group not found' - This message may appear if your LDAP repository is unavailable, or if the user/group has been deleted after the permission was created.
- 'Case incorrect. Correct case is: xxxxxx' - This message may appear if the upper/lower case in the permission does not match the case of the username or group name. If you see a number of occurrences of this message, you should consider running the routine supplied to fix the problem.