Faster permissions service

Confluence's default permission checking method is very efficient when checking permissions for a single page, and guarantees strong permission consistency. However, this method can be quite slow and memory intensive when Confluence needs to check many thousands of pages. For example, to render the Task report macro, we need to find all the pages with a task assigned to the user, then check they have permission to see the spaces and pages the task appears on. The faster permissions service allows Confluence to check permissions on a large number of pages more quickly. 

On this page:

How it works

The faster permissions service replicates permissions information in a database structure that can be queried more efficiently. It uses database triggers to register changes to pages, spaces and their permissions, and records these in a change log. These change logs are processed regularly, and keep the fast permissions database tables up to date. 

When faster permissions is enabled:

  • the faster permissions method is used when listing pages in the task report, children display, and page index macros, search requests when the cache is cold, and on the dashboard the first time someone logs in.
  • the default permissions checking method is always used when viewing a page, and in all other situations. 

When space permissions or page restrictions are changed, it can take a few seconds for the faster permissions service to know about the change. Here's how we handle this delay: 

  • When a page is created and page restrictions are applied before being published for the first time, the page won't appear to anyone in macros or the dashboard until the fast permissions service has processed the change log. 
  • When a previously unrestricted page is restricted, it will continue to appear in macros and the dashboard for a few seconds, until the fast permissions service has processed the change log, then it will only appear to the relevant users.   
  • When a previously unrestricted page is restricted and the page title changed, it will continue to appear with the original title in macros and the dashboard for a few seconds, until the fast permissions service has processed the change log, then it will only appear (with the new title) to the relevant users.

The time it takes for a change to be reflected in faster permissions tables is shown in the faster permissions screen as Space service lag and Content service lag. If the lag exceeds 60 seconds, Confluence will automatically fall back to the slower default permission checking method until it decreases again. This is to ensure Confluence doesn't rely on out of date permissions information. 

Screenshot of the faster permissions administration screen.

Enable the faster permissions service

The faster permissions service is enabled by default. If you have a small site, the benefits of faster permissions service won't be as noticeable.

To enable the faster permissions service:

  1. Go to Administration  > General Configuration > Faster Permissions.
  2. Select Enable.

The status of each service will change to initializing as it starts up and begins to populate the new database tables. This may take some time depending on the size of your site, and is done in small batches to avoid any performance impact. Confluence is still completely operational during this time, and will start using each service as soon as the status changes to enabled. 

Disable the faster permissions service

To disable the faster permissions service:

  1. Go to Administration  > General Configuration > Faster Permissions.
  2. Select Disable.
  3. Wait for the services to shut down. 

Confluence will use the default permission checking method from this point on. The additional database tables that were added when the service was first initialised will not be removed. If you later re-enable the service, the service will re-populate the tables. 

Troubleshooting

Database requirements for faster permissions service 

  • If you use SQL Server, your database user needs full create, read and write permissions for the database tables. Confluence must be able to create its own schema, and have the ability to create/drop triggers and functions. Refer to your SQL Server documentation for how to do this. 
  • If you use Oracle, you must use Oracle 12c Release 2 or later, as there are known problems with Release 1 (which is no longer supported by Confluence). 
Last modified on Oct 13, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.