Page Restrictions Performance Considerations
This has been markedly improved in Confluence 3.3. See CONF-16866.
Page Permissions and the Confluence Search Index
Modifying the page permissions requires reindexing all child pages, as well as comments and attachments on all those pages.
The reasons for this:
- Page permissions are stored on every item in the index
- When you search, a filter is applied to all items in the index which prevents you seeing content you don't have permission to see
- If the permission information on attachments wasn't updated when a page permission was changed, users who didn't have permission to view the attachment in Confluence would still see that attachment in the search results as well as some of its content
- To update any record in the index, you need to delete it from the index and re-add it (this is a limitation of Lucene)
Therefore, to update an attachment record in the index, even just to change the permissions, the attachment's content must be reindexed.
In the large majority of situations, this design should not be a problem. In large spaces with deep page hierarchies, it might be. Use performance logging for the index flush operation to assess the impact of changing a page restriction - try it on the space's home page, or a page with a lot of children, to see the performance impact of changing a page restriction.
Space Design Considerations
For some space designs, deep page hierarchies may be desirable. If possible, it's recommended to split spaces where it makes sense to do so, according to how your information is organized. One workaround – CONF-7089 – involves opening up access to just a few pages in a mostly-restricted space so as to "open" the space where space permissions close it. This may be a performance concern if the space, and attachments in the space, are large.
There are a few workarounds to consider:
- Avoid page restrictions on large page hierarchies. If you have a large hierarchy you have to protect differently to other content in the space, consider moving the hierarchy to a new space. (Space permissions are applied in a manner that doesn't have this problem, but having a large number of spaces also causes scaling issues.)
- Disable page permissions completely. You can do this on a space-by-space basis by not granting the "Restrict" permission in the space permissions screen.
- Turn off attachment content indexing. See How to disable indexing of attachments or Configuring Attachment Size for information on how to do attachment types or size limits.
Which Pages Have Restrictions?
A database query to show which pages in your instance have page restrictions:
SELECT DISTINCT content.contentid, content.TITLE as page_title, CONTENT_PERM.USERNAME as page_restriction_username, CONTENT_PERM.CP_TYPE as page_restriction_type FROM CONTENT_PERM, content WHERE CONTENTID IN (SELECT CONTENT_ID FROM CONTENT_PERM_SET WHERE ID IN (SELECT CPS_ID from CONTENT_PERM))
For page permissions:
select * from CONTENT_PERM CP inner join CONTENT_PERM_SET CPS on CPS.ID = CP.CPS_ID inner join CONTENT C on C.CONTENTID = CPS.CONTENT_ID where CP.GROUPNAME is not null;
For space permissions:
select distinct S.SPACEID, S.SPACENAME,PERMGROUPNAME from SPACEPERMISSIONS SP inner join SPACES S on S.SPACEID = SP.SPACEID where PERMGROUPNAME is not null and PERMGROUPNAME <> 'confluence-users' ;