Permissions best practices
There are several different strategies you can use for managing permissions in your site. The larger your site grows, the more important it is to make sure that your permissions strategy can scale with your organisation.
Granting permission to a space on an individual by individual basis may work well for small teams, but rapidly becomes unwieldy when your user base grows to thousands of people.
On this page, we provide our recommendations for the best ways to manage common permissions scenarios. Most of the advice boils down to:
- Keep Confluence as open as possible, it's designed to be open by default.
- Use groups over individual permissions wherever possible, to avoid headaches in the future.
On this page:
- Give people access
- I want everyone in my organisation to be able to log into Confluence
- I want everyone in my organisation to be able to view a space
- I want to give people in my team access to our space
- I want to give my team access to all our project spaces
- I want all the spaces in my site to have the same permissions
- I want to give external people access to my space
- Lock things down
- I want to check what a person can access in Confluence
- I need to prevent someone from accessing Confluence
- I need to prevent specific people from viewing a space
- I want to prevent people from seeing my work in progress
- I want to prevent people seeing part of a space
- I want share one page but keep the rest of the space private
- Delegate administration tasks
- The big questions
Related pages:
Give people access
I want everyone in my organisation to be able to log into Confluence
The best way to achieve this is to make everyone a member of a group that has permission to log in to Confluence, such as the default confluence-users group.
I want everyone in my organisation to be able to view a space
The best way to do this is to grant space permissions to a group that all users are a member of, such as the default confluence-users group.
If your site is not public (anonymous users do not have the 'Can Use' global permission, everyone must log in to use Confluence), you can also use the anonymous permission as an 'everyone' shortcut. This is useful if your groups setup is complex, and there isn't a single group that everyone is a member of. If you plan to make your site public in future however, it's best to avoid this workaround.
I want to give people in my team access to our space
Think about whether your space really needs to be private. If not, you can grant permission to a group that all users are a member of, such as confluence-users.
If it does need to be private, and your team is only going to be using this one space, it might be appropriate to grant permissions as individuals. That way you don't need to ask a Confluence Administrator to add people to groups. See Assign Space Permissions.
However, if your team needs access to multiple spaces, using a group is definitely the way to go, as it will save you a lot of time in future when people join or leave your team. See Adding or Removing Users in Groups.
I want to give my team access to all our project spaces
The best way to do this is to create a group, and grant that group permissions in each project space. When people join or leave your team, you only need to change the group membership, you don't need to edit the space permissions for multiple spaces. See Adding or Removing Users in Groups for more information.
It might be more work to set up now, but it will help you in the long term.
I want all the spaces in my site to have the same permissions
First, you should change the default space permissions, so that when a new space is created, it automatically gets your desired permissions.
For existing spaces, it is a little more laborious. You'll need to go to the space permissions screen in each space, and set your desired permissions manually.
If you have Confluence Data Center you can slightly speed up this process by applying the permissions from one space to multiple spaces. This is done on a group by group or user by user basis. There is no way to copy an entire set of permissions from one space to another. See Inspect permissions.
I want to give external people access to my space
If you don't want to make your site public, but you need to give people outside your company, such as a customer or contractor, access to your site, you will need to create user accounts for these people. We recommend creating a group specifically for these people, so that it is easy to remove their access later when it is no longer needed.
Lock things down
I want to check what a person can access in Confluence
In Confluence Data Center, you can Inspect Permissions to find out what a user can view.
I need to prevent someone from accessing Confluence
The best way to do this is to disable the person's user account. They will not be able to log in. See Delete or Disable Users to find out how to do this.
I need to prevent specific people from viewing a space
If you have Confluence Data Center, Inspect permissions for the person and the space, to find out exactly how they are being granted permission.
If their permission was granted as an individual, simply go to the space permissions and change their permissions. If their permission was granted via a group, you'll need to decide whether to remove them from the group, or to change the whole group's permissions.
I want to prevent people from seeing my work in progress
First, check who can view your page. It may be that only you, or your team can see the page due to space permissions.
If you do need to lock it down further, the simplest way to do this is restrict the page, so that only you, or your team, can view it. See Page Restrictions to find out how to do this.
Once you're ready to share your work, remove the restrictions. A notification won't be sent when you remove the restrictions. Notifications are only sent at the point you publish the page (this means that if you restrict a page to yourself, and publish it, anyone who is watching the space for new pages won't ever get a notification).
I want to prevent people seeing part of a space
The simplest way to do this is to use Page Restrictions. This is particularly useful when the pages are a work in progress, and will eventually be opened up for more people to view at a later date.
This approach is not foolproof. It requires people to remember to create future sensitive pages under the restricted parent page, and to avoid moving pages to a parent that is unrestricted. If the content is sensitive, and will always be restricted, consider moving it to a different space, and use space permissions to control who can see the pages.
I want share one page but keep the rest of the space private
This can be tricky, and introduces complexity that may be a problem later, because you are forcing Confluence to work in a way that is opposite to the way it is intended to be used.
Essentially you would need to organise your page hierarchy so that all pages are restricted, except the one you want to share. You would then change the space permissions to open up the space. You can then check who can view a page to make sure you've achieved the desired result.
Delegate administration tasks
I want to delegate space administration to a specific group of people
The best way to do this is to create a specific space administrators group. The benefit of using a group is that you can easily add and remove members, without needing to touch the space permissions for the spaces themselves.
If you need to create a sensitive space, that these people shouldn't be able to view or administer, simply edit the space permissions for that space, and remove the group's permissions.
I want to control who can create spaces
You can set which groups or individuals can create spaces in Global Permissions.
If you choose to limit who can create spaces, we recommend granting this permission to a group of champions, who can handle requests, create the spaces, and work with stakeholders to set up their space permissions in the most appropriate way for your organisation. These people don't need to be Confluence Administrators, they just need the Create Space global permission.
The big questions
What permissions should I give people?
This is going to depend on your organisation, and the type of work you are doing in Confluence. If collaboration is your goal, we recommend giving people full Add, Delete, and Restrict permissions, and granting Space Admin permissions to a handful of people, who can act as champions in the space, to perform tasks like creating templates, or customising the view.
In some industries you may need to prevent people from deleting or restricting content, for auditing or compliance reasons. If this is the case for your organisation, consider updating the default space permissions so that all new spaces are created with your ideal permissions.
The main use-case for your Confluence site also has an impact on how you will structure your permissions. Find out about using confluence for Technical Documentation, Knowledge Base articles, your Intranet, or Software Teams.
What should I do when someone leaves my team?
If most spaces in your site are open, chances are you don't need to do anything. However it's good practice to change the person's group memberships to match their new role. This might happen automatically, via your external user directory, or you may need to search for the user, and change their group memberships manually.
Once you've changed their group memberships, if you're a Confluence administrator and you have Confluence Data Center you can Inspect permissions to check what spaces the person still has access to, then edit their permissions for each space on the fly, to remove any individual permissions.
What should I do when someone leaves my organisation?
If someone leaves your organisation, usually you would disable their user account, either in Confluence, or in your external user directory.
You may want to tidy up any individual permissions they've been granted (just to reduce the number of people listed in your space permissions screens), but unfortunately there's no easy way to do this. If you're a Confluence administrator, and you have Confluence Data Center, you can Inspect permissions to check what spaces the person still has access to, then edit their permissions for each space on the fly, to remove any individual permissions.