Permissions best practices
There are several different strategies you can use for managing permissions in your site. The larger your site grows, the more important it is to make sure that your permissions strategy can scale with your organisation.
Granting permission to a space on an individual by individual basis may work well for small teams, but rapidly becomes unwieldy when your user base grows to thousands of people.
On this page, we provide our recommendations for the best ways to manage common permissions scenarios. Most of the advice boils down to:
- Keep Confluence as open as possible, it's designed to be open by default.
- Use groups over individual permissions wherever possible, to avoid headaches in the future.
Give people access
I want everyone in my organisation to be able to log into Confluence
The best way to achieve this is to make everyone a member of a group that has permission to log in to Confluence, such as the default confluence-users group.
See Adding or Removing Users in Groups for information on how to add people to groups.
When new people join your organisation, add them to this group to grant permission to use Confluence.
If you don't want to use an existing group, you can create a new one. The process is much the same, but you will need to explicitly grant this group global permission to use Confluence.
To change the global permissions for a group:
- Go to Administration > General Configuration > Global permissions.
- Choose Edit Permissions.
- Enter your new group name in the Grant browse permission to field.
- Make sure the Can use checkbox is selected.
- Save your changes.
I want everyone in my organisation to be able to view a space
The best way to do this is to grant space permissions to a group that all users are a member of, such as the default confluence-users group.
If your site is not public (anonymous users do not have the 'Can Use' global permission, everyone must log in to use Confluence), you can also use the anonymous permission as an 'everyone' shortcut. This is useful if your groups setup is complex, and there isn't a single group that everyone is a member of. If you plan to make your site public in future however, it's best to avoid this workaround.
I want to give people in my team access to our space
Think about whether your space really needs to be private. If not, you can grant permission to a group that all users are a member of, such as confluence-users.
If it does need to be private, and your team is only going to be using this one space, it might be appropriate to grant permissions as individuals. That way you don't need to ask a Confluence Administrator to add people to groups. See Assign Space Permissions.
However, if your team needs access to multiple spaces, using a group is definitely the way to go, as it will save you a lot of time in future when people join or leave your team. See Adding or Removing Users in Groups.
I want to give my team access to all our project spaces
The best way to do this is to create a group, and grant that group permissions in each project space. When people join or leave your team, you only need to change the group membership, you don't need to edit the space permissions for multiple spaces. See Adding or Removing Users in Groups for more information.
It might be more work to set up now, but it will help you in the long term.
I want all the spaces in my site to have the same permissions
First, you should change the default space permissions, so that when a new space is created, it automatically gets your desired permissions.
To change the default space permissions:
- Go to Administration > General Configuration > Space permissions.
- Choose Edit permissions.
- Add groups, and grant permissions in the usual way then save your changes.
Any new spaces created will get these permissions by default.
For existing spaces, it is a little more laborious. You'll need to go to the space permissions screen in each space, and set your desired permissions manually.
If you have Confluence Data Center you can slightly speed up this process by applying the permissions from one space to multiple spaces. This is done on a group by group or user by user basis. There is no way to copy an entire set of permissions from one space to another. See Inspect permissions.
I want to give external people access to my space
If you don't want to make your site public, but you need to give people outside your company, such as a customer or contractor, access to your site, you will need to create user accounts for these people. We recommend creating a group specifically for these people, so that it is easy to remove their access later when it is no longer needed.
Your company is hosting a huge event, and you want to be able to collaborate with staff at Super Events, an external events company, in Confluence, rather than relying on email.
- Create a group called
- Grant this group the Can use global permission.
- Create a user account for each Super Events person you'll be working with.
- Add these users to the
super-events-staffgroup only. Remove them from
confluence-users, and any other default group to make sure they don't see any spaces they shouldn't. They should only be a member of
- Create a space for the event, and set the permissions for your internal staff.
- Give the
super-events-staffgroup permission to add pages, comments, and attachments only.
- Send the space URL and usernames to your contacts at Super Events, and start collaborating.
By confining these users to a single group, they won't see any spaces, or other content that they don't have permission to see, such as Confluence Questions. However, they will be able to see things like the people directory.
Lock things down
I want to check what a person can access in Confluence
In Confluence Server there is no easy way to do this. You will need to find out which groups the user is a member of, and then manually check the permissions for each space.
In Confluence Data Center you can Inspect Permissions to find out what a user can view.
I need to prevent someone from accessing Confluence
The best way to do this is to disable the person's user account. They will not be able to log in. See Delete or Disable Users to find out how to do this.
I need to prevent specific people from viewing a space
If you have Confluence Data Center, Inspect permissions for the person and the space, to find out exactly how they are being granted permission. If you have Confluence Server, you will need to see what groups have permission, then manually check if the person is a member of that group.
If their permission was granted as an individual, simply go to the space permissions and change their permissions. If their permission was granted via a group, you'll need to decide whether to remove them from the group, or to change the whole group's permissions.
I want to prevent people from seeing my work in progress
First, check who can view your page. It may be that only you, or your team can see the page due to space permissions.
If you do need to lock it down further, the simplest way to do this is restrict the page, so that only you, or your team, can view it. See Page Restrictions to find out how to do this.
Once you're ready to share your work, remove the restrictions. A notification won't be sent when you remove the restrictions. Notifications are only sent at the point you publish the page (this means that if you restrict a page to yourself, and publish it, anyone who is watching the space for new pages won't ever get a notification).
I want to prevent people seeing part of a space
The simplest way to do this is to use Page Restrictions. This is particularly useful when the pages are a work in progress, and will eventually be opened up for more people to view at a later date.
In this example, a user wants to keep all the pages relating to a sensitive new project private, until the information can be shared with the whole organisation.
Here's what they would do:
- Create a page called "Secret project" and restrict it to just the people working on the project.
- Create or move any pages relating to the project to be a child of "Secret project". The view restriction will be inherited.
This approach is not foolproof. It requires people to remember to create future sensitive pages under the restricted parent page, and to avoid moving pages to a parent that is unrestricted. If the content is sensitive, and will always be restricted, consider moving it to a different space, and use space permissions to control who can see the pages.
I want share one page but keep the rest of the space private
This can be tricky, and introduces complexity that may be a problem later, because you are forcing Confluence to work in a way that is opposite to the way it is intended to be used.
Essentially you would need to organise your page hierarchy so that all pages are restricted, except the one you want to share. You would then change the space permissions to open up the space. You can then check who can view a page to make sure you've achieved the desired result.
In this example, a user wants to keep the work in their personal space private, but make their "What I'm working on" page available for their manager and team to view.
Here's what they would do:
- Create a page called "Private work" and restrict this page to themselves. Only they can see this page.
- Move all the pages in the space that should remain private to be a child of "Private work".
- Create a page called "Open work". Move the "What I'm working on" page to be a child of this page.
- Change the space permissions so that their manager and team can view the space.
Important things to note:
- This approach is not foolproof. It requires the user to remember to create future sensitive pages under the restricted parent page, and to avoid moving pages to a parent that is unrestricted.
- Any blog posts or other non-page content created in the space would be visible, because the page restrictions only apply to pages that are a child of "Private work".
Delegate administration tasks
I want to delegate space administration to a specific group of people
The best way to do this is to create a specific space administrators group. The benefit of using a group is that you can easily add and remove members, without needing to touch the space permissions for the spaces themselves.
If you need to create a sensitive space, that these people shouldn't be able to view or administer, simply edit the space permissions for that space, and remove the group's permissions.
- Create a group, and give it a recognisable name like space-administrators.
- Add the people you want to be space admins as members of this group.
- Grant this group space admin permissions in the default space permissions, so all new spaces will be created with this permission.
- Go to every existing space and manually grant this group space admin permissions. If you have Confluence Data Center you can use Inspect permissions to speed up this step.
I want to control who can create spaces
You can set which groups or individuals can create spaces in Global Permissions.
If you choose to limit who can create spaces, we recommend granting this permission to a group of champions, who can handle requests, create the spaces, and work with stakeholders to set up their space permissions in the most appropriate way for your organisation. These people don't need to be Confluence Administrators, they just need the Create Space global permission.
The big questions
What permissions should I give people?
This is going to depend on your organisation, and the type of work you are doing in Confluence. If collaboration is your goal, we recommend giving people full Add, Delete, and Restrict permissions, and granting Space Admin permissions to a handful of people, who can act as champions in the space, to perform tasks like creating templates, or customising the view.
In some industries you may need to prevent people from deleting or restricting content, for auditing or compliance reasons. If this is the case for your organisation, consider updating the default space permissions so that all new spaces are created with your ideal permissions.
The main use-case for your Confluence site also has an impact on how you will structure your permissions. Find out about using confluence for Technical Documentation, Knowledge Base articles, your Intranet, or Software Teams.
What should I do when someone leaves my team?
If most spaces in your site are open, chances are you don't need to do anything. However it's good practice to change the person's group memberships to match their new role. This might happen automatically, via your external user directory, or you may need to search for the user, and change their group memberships manually.
Once you've changed their group memberships, if you're a Confluence administrator and you have Confluence Data Center you can Inspect permissions to check what spaces the person still has access to, then edit their permissions for each space on the fly, to remove any individual permissions.
What should I do when someone leaves my organisation?
If someone leaves your organisation, usually you would disable their user account, either in Confluence, or in your external user directory.
You may want to tidy up any individual permissions they've been granted (just to reduce the number of people listed in your space permissions screens), but unfortunately there's no easy way to do this. If you're a Confluence administrator, and you have Confluence Data Center, you can Inspect permissions to check what spaces the person still has access to, then edit their permissions for each space on the fly, to remove any individual permissions.