For Confluence administrators, grouping users in Confluence is a great way to cut down the work required when managing permissions and restrictions. Groups are also very useful, however, to anyone who's a space admin, or can apply page restrictions.
If you're a space admin, you can assign a set of space permissions to a group rather than to each individual user. And as a page creator with 'Add/Delete Restrictions' permission, you can also add and remove page restrictions for groups.
Default Confluence groups
There are some default groups in every Confluence instance but, beyond that, Confluence administrators are free to set up and edit groups in any way they see fit.
The two special groups in Confluence are:
- confluence-administrators – Can perform most of the Confluence administrative functions, like assign permissions to other users, but they can't perform any functions that could compromise the security of the Confluence system. They can also access the Confluence Admin console.
- confluence-users - this is the default group into which all new users are assigned. Permissions defined for this group will be assigned to all new Confluence users.
All users who don't log in when they access Confluence are know as 'anonymous' users. By default, anonymous users don't have access to view or change any content in your Confluence instance, but Confluence admins can assign permissions to this group if it's required.
Overlapping group and user permissions
When a user is assigned more than one permission, the more powerful permission will prevail.
- A user may be assigned a permission specifically to their username. They may also be assigned a permission by belonging to a group, or even several groups.
- The user will then be able to perform all functions assigned to them.
- So if a user is allowed to do something over and above what the group can do, the user will be able to do it. And if the group is allowed to do something over and above the specific permissions granted to the user, the user will still be able to do it.
- If anonymous users are allowed to do something over and above what the user or group can do, the user will be able to do it, (even while logged in).
Unlicensed users from linked applications
If you're using Confluence as a knowledge base for JIRA Service Desk, your JIRA Service Desk administrator can choose to allow all active users and customers (that is logged in users who do not have a Confluence license) to view specific spaces.
These users have very limited access, and cannot be granted permissions in the same was as an individual or group. However, it's important to note that this permission overrides all existing space permissions, so any logged in Confluence user will also be able to see the space (regardless of their group membership). This is due to the way Confluence inherits permissions.