How to remove corrupted space permissions appearing in the Global Permissions page
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
When viewing the list of users/groups set in the 'Global Permissions' page, we can see that there are entries that can't be removed despite having no global permissions assigned to them at all.
When we edit the permissions to remove any broken ones, we will see that all boxes have already been unchecked. Upon saving this setting, there will be no error messages but the entry remains on the page.
View mode
Edit mode
Cause
These entries are corrupted space permissions that have somehow had their space IDs removed in the database. As the global permissions and space permissions share the same table (spacepermissions), the only way to differentiate these two is by a populated value in the space ID column or not.
Note for plugin developers
It's been reported that 3rd party plugins that utilise these API methods (found in the Java docs com.atlassian.confluence.spaces) to remove space permissions can cause this issue to occur in the Confluence database.
com.atlassian.confluence.spaces.Space.removeAllPermissions()com.atlassian.confluence.spaces.Space.removePermission(SpacePermission permission)
Diagnosis
Run this query to get a list of all space permissions that are affected by this issue.
select * from spacepermissions
where spaceid IS NULL
and permtype NOT IN ('ADMINISTRATECONFLUENCE', 'USECONFLUENCE', 'PERSONALSPACE', 'SYSTEMADMINISTRATOR', 'CREATESPACE');Resolution
Always back up your data before performing any modifications to the database. If possible, test any alter, insert, update, or delete SQL commands on a staging server first.
Always back up your data before performing any modifications to the database. If possible, test any alter, insert, update, or delete SQL commands on a staging server first.
Once we have identified the affected entries based on the query above, we can then remove them using this query.
delete from spacepermissions
where spaceid IS NULL
and permtype NOT IN ('ADMINISTRATECONFLUENCE', 'USECONFLUENCE', 'PERSONALSPACE', 'SYSTEMADMINISTRATOR', 'CREATESPACE');
Note that there is another issue involving duplicate entries for permissions, such as "Can use," which prevent updates to Global Permissions. For more details, see this KB Article.
Note for plugin developers
If your plugin utilises the methods mentioned in the 'Cause' section of this KB to remove space permissions, please change them and use the deprecated methods mentioned in the SpacePermissionManager Interface instead.
com.atlassian.confluence.security.SpacePermissionManager.removeAllPermissions(Space space)com.atlassian.confluence.security.SpacePermissionManager.removePermission(SpacePermission permission)
Although they're marked as deprecated, it's safe to use them until replacement methods are available in the future.