Confluence Groups

For Confluence administrators, grouping users in Confluence is a great way to cut down the work required when managing permissions and restrictions. Groups are also very useful, however, to anyone who's a space admin, or can apply page restrictions. 

If you're a space admin, you can assign a set of space permissions to a group rather than to each individual user. And as a page creator with 'Add/Delete Restrictions' permission, you can also add and remove page restrictions for groups.

Default Confluence groups

There are some default groups in every Confluence instance but, beyond that, Confluence administrators are free to set up and edit groups in any way they see fit.

The two special groups in Confluence are:

  • confluence-administrators  – Can perform most of the Confluence administrative functions, like assign permissions to other users, but they can't perform any functions that could compromise the security of the Confluence system. They can also access the Confluence Admin console.
  • confluence-users - this is the default group into which all new users are assigned. Permissions defined for this group will be assigned to all new Confluence users.

 

Anonymous Users

All users who don't log in when they access Confluence are know as 'anonymous' users. By default, anonymous users don't have access to view or change any content in your Confluence instance, but Confluence admins can assign permissions to this group if it's required.

Overlapping group and user permissions

When a user is assigned more than one permission, the more powerful permission will prevail.

Further explanation:

  • A user may be assigned a permission specifically to their username. They may also be assigned a permission by belonging to a group, or even several groups.
  • The user will then be able to perform all functions assigned to them.
  • So if a user is allowed to do something over and above what the group can do, the user will be able to do it. And if the group is allowed to do something over and above the specific permissions granted to the user, the user will still be able to do it.
  • If anonymous users are allowed to do something over and above what the user or group can do, the user will be able to do it, (even while logged in).

Was this helpful?

Thanks for your feedback!

33 Archived comments

  1. User avatar

    Steve Pence

    An important ommission to this documentation is how a space administrator can (or cannot) see the contents of a group. If he cannot see which users are a member of a group, he cannot decide which groups to use in assigning permissions. It appears that only Confluence Administrators can veiw this crucial information. If true, this page should say something like "Space administrators need to work with Conflunence Administrators to be advised on the usage of groups, since only Confluence Administrators can view and manage groups" If I am misunderstanding this limitation, and Space Admins can view groups, this page needs to say how, or provide a link to a page documenting how group info can be viewed.

    21 Sep 2009
    1. User avatar

      Anonymous

      Any user can view a groups membership by using the userlister macro.

      14 Mar 2010
  2. User avatar

    Anonymous

    Thank you for that information, but how does a space administrator edit a group once it has been added by a previous space administrator?

    06 Apr 2011
  3. User avatar

    Latif Nanji

    How does one use / get this userlister macro?

    08 Apr 2011
  4. User avatar

    Anonymous

    Is there a limit on the number of Anonymous users allowed to access your content? And do these Anonymous users require a true license if they cannot edit but just look around at your Wiki etc?

    09 Jun 2011
    1. User avatar

      Katie Maynard

      The way I understand Anonymous and how it works, the answer to  your question is: there is an unlimited number of Anonymous users allowed to access your wiki. They will not count against your user license.

      I would guard against allowing Anonymous users to comment, or post, create or write documentation to any space.

      30 Oct 2014
  5. User avatar

    Anonymous

    Confluence 3.5.1 Upgrade Issues - Embedded Crowd for large enterprises

    Have any other organizations with a large user base (15,000+) and number of groups had issues upgrading to Confluence 3.5.1 or Confluence 3.5.x?

    What steps or solutions were taken to overcome the obstacles in Atlassian's recent *change in user management (*Embedded Crowd)?

    We are looking for solutions that we could easily leverage without using unsupported third-party tools and developing custom scripts.

    Any advice on a Confluence 3.5.x or 3.4.x upgrade?

    09 Jun 2011
  6. User avatar

    Sam Hall

    Are there any plans to allow Space Admins to maintain a confluence group of their own? This could be achieved with the ability to assign owners to groups.

    If group owners could also assign and remove group owners from groups they own, this would make life so sweet for the Confluence admin. I'd only have to create the group and assign the first owner to it.

    28 Jul 2011
      1. User avatar

        Sam Hall

        Thanks, but that project doesn't seem very active.

        24 Sep 2012
  7. User avatar

    Anonymous

    Scenario: You want to give a client view-only access to a page or space within Confluence.  But, you also don't want just anyone (any other clients) to see the content being viewed.  At the same time, you don't want to blow through your user limits. 

    Does confluence offer a way for companies to assign secure access to view-only content without taking up a user toward the license subscription?  It is my understanding that 'Anonymous' access, while it would solve the user license issue, would leave content exposed to other Anonymous visitors.

    What would be your recommended solution?  Do we need to set up confluence access behind a company login (not necessarily a Confluence login) for clients?

    Thanks in advance,

    -Jeff "Anonymous"

    07 Oct 2011
    1. User avatar

      Sam Hall

      Giving anyone, staff or client, just view only access to a single page isn't really the forte of a wiki. I can't imagine Atlassian would get much call for this feature. I've recently found you can customise Confluence for your specific needs using the Confluence XML-RPC and SOAP APIs.

      If I had a request to do what you're suggesting, I'd consider using webservices or perhaps a script with Confluence CLI to grab the content of the page periodically or on demand.

      Cheapest solution I can think of is to script a grab of a PDF copy of the page and email it to them periodically. Any solution that requires the user to login will be a bit more complex, then for the effort you might as well just pay to upgrade your user licenses. Hope that helps.

      09 Oct 2011
  8. User avatar

    Anonymous

    Is there a way to list all the spaces a group has access to?

    Thanks in advance

    17 Nov 2011
    1. User avatar

      Anna Mikhaylova

      I have the same question...

      24 Jan 2012
      1. User avatar

        Anonymous

        I'd like to see an increased role selection. For instance, in higher education, many times we have IT or academic support folks who we don't want to be full administrators working with faculty and students. We'd like to see a sub-admin where we can assign that person to a space and that person would have the ability to create groups within the space. An example scenario: a faculty member teaching two sections of the same course, uses one wiki space, but would like to create groups from both sections that include students from both sections for each group. I think this is a very common practice in the course management world and I can't hardly believe that the wiki would not want this feature as well. We have many requests for this. Any chance there is a way to do this now and I'm just missing it?

        26 Jan 2012
  9. User avatar

    claire.simonson@ci.stpaul.mn.us

    I'm trying to figure out how to limit logged-in user's ability to add/edit pages yet preserve their ability to "Edit in Office' for Word & Excel attachments.  If I simply go into Space Admin and turn off Add Pages for the user group, the "Edit in Office" link disappears from pages in that space, for that user group.  Anybody have this figured out?

    17 Apr 2012
    1. User avatar

      Sam Hall

      Store all the documents on an unrestricted page, then use the Attachments macro to list the documents on the restricted page. The user will get the option to "Edit in Word" by clicking the cog and even upload more documents if you enable that option.

      18 Apr 2012
      1. User avatar

        claire.simonson@ci.stpaul.mn.us

        The Attachments macros appears to only feed in attachments from the current page - I tried specifying a different space (by its short name), no luck. 

        I also tried using the Include macro to display attachments from a less-restricted page - result was that the tighter restriction on the page with the Include macro apparently overrules the looser restriction in the 'included' list. The test user ID didn't have Edit ability on the page, nor 'Edit in Office' on the list of attachments.

        20 Apr 2012
  10. User avatar

    senthilkumar.L

    I need to add a new option "publish" in the Global permission Page for  "Groups". Please Suggest How can I implement this one?

     

    21 Jun 2012
  11. User avatar

    Olavo DSouza

    I am unable to log in to Confluence after I restarted the same. i chose to use JIRA Server for user managment for both JIRA and Confluence. I even tried to update the admin password in the database, but nothing seems to help. This happened after I happen to restart Confluence. Before that everything was working fine.

    01 Dec 2012
  12. User avatar

    Olavo DSouza

    I would like to add that this is fresh install of Confluence. I also tried a couple of other things like tuned of External Directory managment in the database itself, updated the index. etc.. but the 'admin ' user created during Confluence install time just cannot login

    . I could not find any place like ldap authentication being done twice. The logs just say the following:

    2012-12-01 14:45:42,119 INFO [http-8090-1] [confluence.security.login.DefaultLoginManager] recordLoginFailure

    Failed login attempt for user 'admin':

     

    ------------

     

    2012-12-01 14:19:15,521 WARN [http-8090-1] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'administrator' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

     

     

     

    01 Dec 2012
  13. User avatar

    Carsten Hoffmann

    So is it correct, that the confluence-administrators group has a special handling, that does not rely on the permissions? If I am a system administrator, but I am not part of the confluence-administrator group, there seem to be certain things that I can't do, which seems to make a fool of the whole permission system... This should be noted with a big warning sign!

    04 Mar 2013
    1. User avatar

      Luuk van den Broek

      I would like to know as well.

      We just ran into the problem that administrators cannot view restricted pages, even if they are in a custom admin group with full confluence and system permissions. However a user in the confluence-administrators group can view the same restricted pages. Version is 5.4.3

      25 Mar 2014
      1. User avatar

        Rachel Robins [Atlassian Tech Writer]

        Hi Luuk and Carsten, 

        In Confluence permissions can be granted to an individual or by being a member of a group. The default confluence-administrators group holds the Confluence Administrator global permission and the System Administrator global permission. 

        This means that members of the defaults confluence-administrators group are able to see all content, including restricted content, and access all administrator options - but this is granted by the System Administrator global permission. 

        Users with the Confluence Administrator global permission are able to access many admin functions (such as colour schemes, global templates etc) but not all.  They are also not able to see restricted content by default (they can however restore space admin rights to spaces, and recover permissions from restricted pages if necessary)

        If you're an OnDemand customer, the default group may be called administrators or confluence-administrators but only holds the Confluence Administrator global permission.  Only Atlassian staff administering the OnDemand instances have System Administrator global permissions in OnDemand. 

        It is also important to note that the group names do not matter, and in an installed instance of Confluence the group permissions may have been changed, or different group names used. 

        I hope this clarifies the situation a little for you. There is a comparison of the rights granted by the System Administrator permission vs the Confluence Administrator permissions here Global Permissions Overview

        25 Mar 2014
  14. User avatar

    Rakefet Zur

    Is there a way to define two sets of anonymous users? We have users that are allowed to read content during development stage, but a larger group that can read content only after it is released. Neither one of these users will be registered as a Confluence user because they cannot add/change content in any way.

    Is there a way to differentiate between these two groups?

    20 Feb 2014
    1. User avatar

      Rachel Robins [Atlassian Tech Writer]

      Sorry Rakefet, that's not possible - because anonymous users are not logged in, its not possible to identify them or group them.

      You could use space permissions to restrict anonymous access to particular spaces, and then enable it on those spaces once your content is ready to be released.

      Another option would be to allow your users to create themselves an account, but only grant them view access to content (this may impact on your licence user counts however). You would need to ensure that the default group that users are automatically added to on account creation (by default this is the confluence-users group) only has the permissions you would like these 'limited' users to hold. So although this solution might be effective, you'll need a fair
      bit of thinking and planning to get your groups and permissions right.

      Hope this helps

      20 Feb 2014
  15. User avatar

    David Wu

    we've used confluence more than 3 years, currently a confluence local user group (not confluence-users that link to LDAP) can only created by system admin, which is meaningful due to security reason. However I wish space admin can create and edit a space level user group or use a global user group design for a space with edit permission - space admin can add and remove group member. That will be very useful for space admin to set up space level permission using user group without asking help from system admin. 

    David Wu

    22 Oct 2014
  16. User avatar

    Francis Jones

    Is there any way for a Group to be mentioned on a page or a space using the @name function? See screenshot for example: 

     

    18 Mar 2015
    1. User avatar

      Giles Brunning [Atlassian Technical Writer]

      Hi Francis,

      You can't mention groups at this point, unfortunately. There's an open improvement request, which you can comment on and watch to get updates.

      CONF-23015 - Extend 'Mentions' to work with groups as well Open

      18 Mar 2015
  17. User avatar

    Nancy Beutels

    Is there a possibility to add the group "confluence-users" to ALL spaces at once? Now I have to go to each space and click "permissions" and add this role. I would like to do a bulk update for all my spaces.

     

    Thanks for a reply.

    Nancy

    21 May 2015
    1. User avatar

      Katie Maynard

      Hi Nancy,

      There is. But you need to have Confluence Admin capabilities. If you do,

      You access the Confluence Admin page > Space Permissions > under Default Space Permissions you will locate the list of the groups allowed to access all the spaces. If confluence-users is not there; and it should be, then you will need to Click Edit Permissions to add the user-group.

      Now, I also need to inform you that this only applies to all new spaces being created. So the fastest way to set the permissions is to follow the same path as above, but this time, scroll down to Individual Spaces, and click the Manage Permissions.

      21 May 2015
      1. User avatar

        Nancy Beutels

        Thanks for the answer (smile). It might be a CR I could request then - add a group to all EXISTING spaces.

        21 May 2015
Powered by Confluence and Scroll Viewport