Permissions Changes in 1.2
For Swan, changes were made to the way Confluence manages and checks permissions. This document is a guide for anyone migrating from Confluence 1.1.2 or earlier describing why the changes were made, and what this means to existing Confluence installations.
Why Change?
There were two goals behind changing permissions in Confluence:
- Fix a significant problem whereby users with external user management enabled could not also enable Confluence anonymous access without blowing out their 25-user workgroup license.
- Make the user interface for assigning and viewing permissions easier to use and understand.
What Changed?
"Anyone" User Removed
In Confluence 1.1.3, there was an "Anyone" user, who represented anyone using the system, whether logged in or not.
This user was the source of the licensing problem, and no longer exists in Confluence 1.2
Anonymous Permissions Added
Confluence 1.2 has explicit permissions for anonymous users. These permissions are only granted to users who are not logged in.
There is nothing stopping an administrator granting some permission to anonymous users, but not granting it to logged-in users. This results in the slightly bizarre possibility that a user might be able to do more before logging in than they can after. Luckily, this is a pretty easy situation for administrators to avoid.
Enabling anonymous access has no effect on Confluence's user count for licensing purposes.
Guard Permissions Added
The roles of the "Use Confluence" and "View Space" permissions have been expanded so that now they are required permissions before a user or group can be granted any more rights.
Before a user has access to anything in the Confluence server, they must first have "Use Confluence" permission, and likewise before a user has access of any kind to a space, they must first have the "View Space" permission.
For licensing purposes, your number of users is equivalent to the number of non-anonymous users with the "Use Confluence" guard permission.
Migrating from 1.1 to 1.2
Migrating Automatically
When you upgrade from Confluence 1.1, or when you restore a backup created in 1.1 into Confluence 1.2, an upgrade task will run to automatically migrate your permissions to the new scheme, while keeping them consistent with your 1.1 security settings. The task will make the following changes:
- All "Anyone" permissions will be converted into two separate permissions: one for Anonymous access, and one for the
confluence-usersgroup. (If theconfluence-usersgroup does not exist, this step will be skipped) - Any user or group with some global or space permission will also be granted the equivalent guard permission.
After starting up with the new version of Confluence, we suggest that you check that the permissions have migrated successfully. While we have tested the migration code, maintaining your site's security is important enough to warrant a double-check, just in case.
Migrating Manually
If the automatic migration does not complete successfully, which would most likely happen if you have removed the "confluence-users" group, you will need to perform the above steps manually, through the user administration interface.