Inspect permissions

Inspect permissions is an advanced permissions feature, and is only available in Confluence Data Center.

Confluence is open by default, but because of the layers of group, individual and anonymous permissions that can be applied, it can be challenging to find out exactly who can do what.  

Inspect permissions helps you:

  • troubleshoot permissions problems
  • audit who can do what in your site
  • apply the permissions granted to a user or group in one space to multiple spaces. 

It reveals a person's effective permissions, combining everything we know about their permissions in a way that can be easily interpreted. 

Troubleshoot permissions problems

Often you will need to find out why someone can or can't do something in Confluence. By inspecting permissions you can drill right down to the root of the problem. 

For example, someone reports to you that a teammate can see a space they shouldn't be able to see. By inspecting permissions you can work out exactly what group memberships, for example, might be contributing. 

Inspect permissions via space administration

You need space admin permissions for the space you want to troubleshoot. 

To find out why someone can or can't view this space:

  1. Go to the space and choose Space tools > Permissions from the bottom of the sidebar
  2. Go to the Inspect permissions tab
  3. Enter the person's name or username.
  4. Leave the Page field blank (unless you need to investigate a specific page in this space). 
  5. Choose Show.

A table showing the person's effective permissions in this space will appear. Click one of the icons to go to the detail view, and find out exactly why they do or don't have that permission. 

If you choose to specify a particular page, the permissions explanations will also include information about any page restrictions. The icons will represent just that page, not the user's permissions for the entire space. 

Screenshot: Inspect permissions tab in Space Tools showing permissions for two users.  

Animation: Inspect permissions tab in Space tools showing permissions explanations for a user

Inspect permissions via the Global administration

You need Confluence Administrator or System Administrator global permission to do this.  You don't need to have permission to view the space itself. 

To find out why someone can or can't view this space:

  1. Go to Administration  > General Configuration > Inspect permissions.
  2. Enter the person's name or username.
  3. Enter the spaces you want to view.
  4. Choose Show

A table showing the users and spaces you searched for will appear. Click the link to see the detailed view, then click the icons to find out exactly why they do or don't have that permission. 

Screenshot: Inspect permissions in Global administration showing permissions for two users and three spaces.

Animation: Inspect permissions in Global administration showing searching for all spaces containing the word "project" and then viewing permissions explanations for a user. 

Inspect permissions for a group

You can also inspect permissions for a specific group. This can only be done via the global administration. 

To inspect permissions for a group:

  1. Go to Administration  > General Configuration > Inspect permissions.
  2. Choose the Groups tab
  3. Enter the group name.
  4. Enter the spaces you want to view.
  5. Choose Show

A table showing the groups and spaces you searched for will appear. Click the link to see the detailed view.

When inspecting permissions for a group, be aware:

  • We don't indicate when a group does not have the Can Use global permission, as we do for users. 
  • We don't show effective permissions for the group, as we do for users. We only show permissions directly granted to that group, not those granted via membership of a parent group. This is only an issue if your external user directory has nested groups. 

Using wildcards in your search

When searching for users, groups, or spaces, you can use * as a wildcard. For example if you wanted to search for all spaces that contain the word project in their title, type *project and select Search for *project from the suggestions dropdown. 

Permissions explanations

The detail view shows the effective permissions for a single user or group in a space.  Click each icon to see a detailed explanation, as shown here. 

  1. Icons - icons indicate whether the user or group can or can't do this action. 
  2. Explanation - explains why the user can or can't do this action.
  3. Good to know information - provides additional information that may become relevant, for example that space administrators can grant themselves permissions they don't currently have. 

The purpose of these explanations is to provide a simple reason why someone can or can't do something in a space. The messages are designed to be short, and present the most relevant information first.

The table below contains a more detailed explanation of every message, including the conditions that trigger the message. 



Explanations about users

| Explanation | Message appears when... |
| --- | --- |
| Permission granted as an individual | The user is listed in the space permissions for that space. |
| Permission granted as a member of: | The user is a member of a group that is listed in the space permissions for that space. If the user is a member of multiple groups that are listed in the space permissions, we will list all of them. |
| Permission granted as an individual and as a member of: | The user is listed in the space permissions for that space, and is also a member of a group that is listed in the space permissions for that space. |
| Permission granted to anonymous users, which means everyone will get this permission by default, including people who are not logged in. | The permission is granted to anonymous users in this space, and your site is public (you have granted anonymous users the Can use global permission). Logged in users can't have fewer permissions than anonymous users. |
| Permission granted to anonymous users, which means everyone who is logged in will get this permission by default. | The permission is granted to anonymous users in this space, but your site is not public (anonymous users do not have the Can use global permission). Logged in users can't have fewer permissions than anonymous users. This is sometimes used as a shortcut way to provide 'everyone' with space permission, without making the site itself public. |
| No permission granted as an individual or as a member of a group. | The user isn't listed in the space permissions for that space, they are not a member of a group that is listed in the space permissions for that space, and anonymous has not been granted any permissions. |
| This person doesn't have the Can use global permission, so they can't log in to Confluence. | This user exists in the user directory, but doesn't have a Confluence license seat. They are not a member of confluence-users or another group that has the 'Can use' global permission. |
| This person is a Confluence administrator so could grant themselves this permission. | The user, or a group the user is a member of, has Confluence Administrator global permission. This means they can recover permissions for a space they don't have permission to see, and then change the permissions for that space. Unlike members of the confluence-administrators super group, they can't see the space by default. |
| This person is a space admin, so could grant themselves this permission. | The user has space admin permissions in this space. This means they can modify permissions for this space, and could grant themselves any permissions they don't currently have. |
| This person is a space admin, so can edit restrictions. They can also remove all restrictions from pages they don’t have permission to edit or view. | The user has space admin permissions in the space. This means they can always change page restrictions (even if they don't have the Restrict permission), and can access a list of all restricted pages in the space, and remove all restrictions from these pages. |
| This person has Delete own permission so can delete their own pages, blog posts, comments, and attachments. | The user can delete pages, blog posts, comments, and attached files that they have created. They can't delete pages, blog posts, comments, and attached files created by other users unless they also have Delete permission in the space. For example the user can delete a page they created, but they cannot delete a page their team mate created unless they also have the Delete Page space permission. |
| To add and delete restrictions this person also needs the Add page permission. | The user has Restrict permission, but does not have the Add page permission. Applying a page restriction is considered editing the page, so both permissions are required. |
| This person is a member of the confluence-administrators super group. This means they can view all pages, including restricted pages. While they can't edit existing pages, they can add, delete, comment, restore page history, and administer the space. | The user is a member of the confluence-administrators group. This is a default group that has significant privileges in Confluence, beyond that provided by the Confluence Administrator or System Administrator global permission. |
| This person can't log in because their account is disabled | This user exists in the user directory, but their account has been disabled. They don't have a Confluence license seat. This is usually because the person has left the organisation. |
| Restrictions on <page title> prevent this person from viewing the page. | A page restriction has been applied to the page. The user, or a group they're a member of, are not listed in the page restrictions dialog, so they have 'no access'. This message only appears when you inspect permissions for a specific page in a space. |
| Restrictions on <page title> allow this person to view, but prevent them from editing the page. | A page restriction has been applied to the page. In the page restrictions dialog, either everyone can view or the user or group they're a member of can view, but only specific users or groups can edit. This message only appears when you inspect permissions for a specific page in a space. |
| Restrictions on <page title> allow this person to view and edit the page. | A page restriction has been applied to the page. The user, or a group they're a member of, are listed in the page restrictions dialog, and they have 'View and edit' access. |
| Restrictions on <page title> allow this person to view the page. | A page restriction has been applied to the page. The user can view the page, either because the page restriction allows everyone to view, and only some people to edit, or the user, or a group they're a member of, are listed in the page restrictions dialog, and they have "View only" or 'View and edit' access. This message only appears when you inspect permissions for a specific page in a space, and click on a permission that doesn't require permission to edit the page, for example View, or Add comment. |


Explanations about groups

These messages appear when you select a group as the entity to inspect.  You need to be a Confluence Administrator to inspect permissions for groups. 

| Permission explanation | Message appears when... |
| --- | --- |
| Permission granted to all members of this group. | The group is listed in the space permissions for that space. |
| Permission granted to anonymous users, which means everyone will get this permission by default, including people who are not logged in. | The permission is granted to anonymous users in this space, and your site is public (you have granted anonymous users the Can use global permission). Logged in users can't have fewer permissions than anonymous users. |
| Permission granted to anonymous users, which means everyone who is logged in will get this permission by default. | The permission is granted to anonymous users in this space, but your site is not public (anonymous users do not have the Can use global permission). Logged in users can't have fewer permissions than anonymous users. This is sometimes used as a shortcut way to provide 'everyone' with space permission, without making the site itself public. |
| No permission granted to this group. | The group isn't listed in the space permissions for that space, and anonymous has not been granted any permissions. |
| This group doesn't have the Can use global permission, so people in this group may not be able to log in to Confluence. | This group exists but does not have the 'Can use' global permission. This is very common. Often one group, such as confluence-users is used to grant a Confluence license seat, and additional groups used only to manage space permissions. This is only an issue if a user is not a member of another group that grants them Can use permission. |
| Members of this group are space admins, so could grant themselves this permission. | The group has space admin permissions in this space. This means members of this group can modify permissions for this space, and could grant themselves or this group any permissions they don't currently have. |
| Members of this group are space admins, so can edit restrictions. They can also remove all restrictions from pages they don’t have permission to edit or view. | The group has space admin permissions in the space. This means members of this group can always change page restrictions (even if they don't have the Restrict permission), and can access a list of all restricted pages in the space, and remove all restrictions from these pages. |
| Members of this group have Delete own permission so can delete their own pages, blog posts, comments, and attachments. | Members of this group can delete pages, blog posts, comments, and attached files that they have created. They can't delete pages, blog posts, comments, and attached files created by other users unless they also have Delete permission in the space. For example the user can delete a page they created, but they cannot delete a page their team mate created unless they also have the Delete Page space permission. |
| confluence-administrators is a super group. Members of this group can view all pages, including restricted pages. While they can't edit existing pages, they can add, delete, comment, restore page history, and administer the space. | This is a default group that has significant privileges in Confluence, beyond that provided by the Confluence Administrator or System Administrator global permission. |
| To add and delete restrictions people in this group also need the Add page permission. | The group has Restrict permission, but does not have the Add page permission. Applying a page restriction is considered editing the page, so both permissions are required. |
| Delete own is only available to members of this group who have logged in. | This message appears when Delete Own permission is granted to a group that doesn't have Can use global permission. It is just a reminder that people must be able to log in to delete their own content. |
| This permission information may be incomplete because this group is a member of one or more parent groups. Permissions granted to parent groups are not shown here. | This message appears when the group is nested, that is, it's a member of another group. This hierarchy of groups comes from your external user directory. We don't show any permissions that a group is inheriting from a parent group. You'll need to inspect these parent groups separately. |

Explanations about anonymous 

These messages appear when you select Anonymous as the entity to inspect.  Anonymous in this instance means people who have not logged in to Confluence. 

| Permission explanation | Message appears when... |
| --- | --- |
| Permission granted to anonymous users. | Permission granted to the anonymous entity listed in the space permissions for that space. |
| No permission granted to anonymous users | No permission granted to the anonymous entity listed in the space permissions for that space. |
| Anonymous users don't have Can use global permission. People must log in to use Confluence. All logged in users will inherit this permission by default. | The permission is granted to anonymous users in this space, but your site is not public (anonymous users do not have the Can use global permission). Logged in users can't have fewer permissions than anonymous users. This is sometimes used as a shortcut way to provide 'everyone' with space permission, without making the site itself public. |
| Although Delete own permission can be granted to anonymous users, it has no effect. | The Delete Own permission is assigned to anonymous users. Because you need to be logged in for us to know who you are, and what you have created, Delete Own is never available to anonymous users, even when granted. |
| Restrictions on <page title> prevent anonymous users from viewing the page. | A page restriction has been applied to the page. Anonymous users have 'no access'. This message only appears when you inspect permissions for a specific page in a space. |
| Restrictions on <page title> allow anonymous users to view, but prevent them from editing the page. | A page restriction has been applied to the page. In the page restrictions dialog, everyone can view, but only specific users or groups can edit. This message only appears when you inspect permissions for a specific page in a space. |
| This permission can't be granted to anonymous users. | This is a reminder that some permissions, such as Space Admin, and Restrict are never available to anonymous users. |
| Anonymous access is enabled globally. | This is a reminder that your site is public. Because you have granted anonymous users the Can use global permission, people do not need to log in to access Confluence. |


Audit permissions 

If you need to regularly check who can do what in your site, for example for compliance or regulatory reasons, you can inspect permissions to conduct an audit. 

To export permissions information for all users and all spaces in your site:

  1. Go to Administration  > General Configuration > Inspect permissions.
  2. Choose your search criteria - you can search for particular users, groups, or spaces, include disabled accounts, or exclude users who have no permissions.
  3. Choose Show. This will give you an idea of how large your query is. 
  4. Choose Export.
  5. Keep the default separator. Comma separated is great for opening in most spreadsheet applications.
  6. Choose how you want spaces to be listed. This depends on how much information you want to include. You can include just the space key, or the title and description too. 
  7. Choose Export

The CSV file will be immediately downloaded in your browser.  This can take a few minutes, depending on the size of your query. 

This file can be extremely large in sites with many users and spaces. You could use the wildcard search feature to limit the number of users to be included in each export. 

  1. Wildcard search - use a wildcard to narrow your search.
  2. Export - export the results to CSV for auditing or further analysis.



This example shows the output for one user, and three spaces. 

  • A row will be created for each of the 14 space permissions that can be granted. 
  • A column will be created for each space in your query. These are identified by space key, but you can choose to include the space name and description in the export if you require it.  
  • T and F indicate whether the user has this permission (true) or does not have this permission (false).

| Username | Display Name | Permission | SPACE1 | SPACE2 | SPACE3 |
| --- | --- | --- | --- | --- | --- |
| user1 | Sample User 1 | view-space | T | T | F |
| user1 | Sample User 1 | remove-own | T | T | F |
| user1 | Sample User 1 | page-add | T | T | F |
| user1 | Sample User 1 | page-remove | T | F | F |
| user1 | Sample User 1 | blog-add | T | F | F |
| user1 | Sample User 1 | blog-remove | T | F | F |
| user1 | Sample User 1 | comment-add | T | T | F |
| user1 | Sample User 1 | comment-remove | T | F | F |
| user1 | Sample User 1 | attachment-add | T | T | F |
| user1 | Sample User 1 | attachment-remove | T | F | F |
| user1 | Sample User 1 | mail-remove | T | F | F |
| user1 | Sample User 1 | page-restrict | T | F | F |
| user1 | Sample User 1 | space-export | T | F | F |
| user1 | Sample User 1 | space-admin | T | F | F |

In this example Sample User 1:

  • Can do everything, including administer Space1
  • Can view, add, and delete their own content in Space2
  • Can't view Space 3 at all. 
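
One way to work with the export described above, as an added example that is not part of the original page or Atlassian's own code: it pivots the CSV into per-user, per-space permission sets and flags two conditions the explanations on this page single out, space admins who are not on an expected list and Restrict granted without Add page. The column names follow the example table (space keys only, comma separator); the sample rows, user2, the function names and the expected-admin list are constructed for illustration.

```python
import csv
import io

# Constructed sample in the layout shown in the example table above.
SAMPLE_EXPORT = """\
Username,Display Name,Permission,SPACE1,SPACE2,SPACE3
user1,Sample User 1,view-space,T,T,F
user1,Sample User 1,page-add,T,T,F
user1,Sample User 1,page-restrict,T,F,F
user1,Sample User 1,space-admin,T,F,F
user2,Sample User 2,view-space,T,T,T
user2,Sample User 2,page-restrict,F,T,F
user2,Sample User 2,space-admin,F,F,T
"""

FIXED_COLUMNS = ("Username", "Display Name", "Permission")


def load_export(text):
    """Pivot the export into {(username, space_key): set of permission keys}."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [c for c in FIXED_COLUMNS if c not in header]
    if missing:
        raise ValueError(f"missing expected columns: {missing}")
    spaces = [c for c in header if c not in FIXED_COLUMNS]
    grants = {}
    for line_no, row in enumerate(reader, start=2):
        for space in spaces:
            flag = (row[space] or "").strip().upper()
            if flag not in ("T", "F"):
                raise ValueError(f"line {line_no}: unexpected value {flag!r} for {space}")
            # Keep the (user, space) pair even when every flag is F.
            perms = grants.setdefault((row["Username"], space), set())
            if flag == "T":
                perms.add(row["Permission"])
    return grants


def audit(grants, expected_admins):
    """Return (user, space, finding) tuples for grants that need review."""
    findings = []
    for (user, space), perms in sorted(grants.items()):
        is_admin = "space-admin" in perms
        # Space admins could grant themselves any permission in the space.
        if is_admin and user not in expected_admins.get(space, set()):
            findings.append((user, space, "unexpected space-admin"))
        # Restrict only works together with Add page; space admins can
        # change restrictions regardless, so they are not flagged here.
        if "page-restrict" in perms and "page-add" not in perms and not is_admin:
            findings.append((user, space, "page-restrict without page-add"))
    return findings


if __name__ == "__main__":
    # Hypothetical baseline: only user1 is meant to administer SPACE1.
    for finding in audit(load_export(SAMPLE_EXPORT), {"SPACE1": {"user1"}}):
        print(*finding, sep="\t")
```

For a real audit, read the downloaded file instead of SAMPLE_EXPORT and keep the expected-admin list under change control so each run can be compared with the last.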

Bulk apply permissions

Bulk applying permissions is useful when:

  • You create a new group, and want to give that group permissions to a number of existing spaces.
  • You need to grant someone permissions as an individual for a number of existing spaces. 
  • You have just created several new spaces, and want to use permissions from an existing space as a template.

We recommend using groups as an efficient way to manage permissions in your site. When someone new starts on your team, we would recommend making them a member of appropriate groups, over using the bulk add permission options to grant them permissions to all their spaces as an individual. 

Bulk apply permissions for a group

You need Confluence Administrator or System Administrator global permissions to do this. 

To give a group the same permissions in multiple spaces:

  1. Go to Administration  > General Configuration > Inspect permissions.
  2. Go to the Groups tab.
  3. Enter the name of the group.
  4. Enter the name of the space that you want to use as a starting point. 
  5. Choose Show, then click to see the detailed view. 
  6. Choose Edit.
  7. Make sure the correct permissions are selected. These are the permissions you'll be copying.
  8. Enter the names of the spaces you want to copy these same permissions to.  You can add as many spaces as you like. 
  9. Choose Apply
  10. Check the confirmation dialog to make sure all spaces were successfully updated. 

Screenshot: detail view of permissions for a group and space, with several spaces listed in the 'Apply to other spaces' field. 

Bulk apply permissions for a user

Before you do this, we recommend you inspect permissions to find out what permissions the user already has for the spaces you plan to update, paying particular attention to how the permissions are granted (individually, or via a group). In many cases the best approach is to change the user's group membership, or the space permissions granted to a group, rather than bulk applying changes to the individual. 

You need Confluence Administrator or System Administrator global permissions to do this. 

To give a user permissions in multiple spaces:

  1. Go to Administration  > General Configuration > Inspect permissions.
  2. Enter the name of the user.
  3. Enter the name of the space that you want to use as a starting point. 
  4. Choose Show, then click to see the detailed view. 
  5. The user's effective permissions are shown. These permissions are a combination of any individual and group permissions. Choose Edit.
  6. Make sure the correct permissions are selected. These are the permissions you'll be copying.
  7. Enter the names of the spaces you want to copy these same permissions to.  You can add as many spaces as you like. 
  8. Choose Apply
  9. Check the confirmation dialog to make sure all spaces were successfully updated. 


As a general rule, we recommend managing permissions using groups. If you do decide to bulk apply permissions for a user, there are some things to be aware of:

  • Permissions can only be granted to the user as an individual using this method. 
  • Any permissions the user has as a member of a group will be unchanged.  For example if they are a member of a group that has Export permission, and you bulk apply permissions that do not have Export permission, they will still have Export permission. Changing their individual permissions can't override their group permissions. 
  • The checkboxes, when you click Edit, reflect the user's current effective permissions - that is the combination of all the permissions they already have as an individual or member of a group.  When you click Apply, you'll apply these exact permissions as an individual. You may actually be doubling up on permissions the user already has, as a member of a group. 
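
The caveats above, worked through in a simplified model (an added example, not Confluence's implementation): effective permissions are the union of individual, group and anonymous grants, and bulk apply writes individual grants only. The Space class, the function names, the project-team group and the assumption that Apply replaces the user's existing individual grants are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Space:
    """Space permissions as three kinds of grant (hypothetical structure)."""
    user_grants: dict = field(default_factory=dict)    # username -> set of permissions
    group_grants: dict = field(default_factory=dict)   # group name -> set of permissions
    anonymous_grants: set = field(default_factory=set)


def explain(space, user, memberships, permission):
    """List every source that grants the permission, like the detail view does."""
    sources = []
    if permission in space.user_grants.get(user, set()):
        sources.append("individual")
    for group in sorted(memberships.get(user, set())):
        if permission in space.group_grants.get(group, set()):
            sources.append(f"group:{group}")
    if permission in space.anonymous_grants:
        sources.append("anonymous")
    return sources


def effective(space, user, memberships):
    """Effective permissions: union of individual, group and anonymous grants."""
    perms = set(space.user_grants.get(user, set())) | space.anonymous_grants
    for group in memberships.get(user, set()):
        perms |= space.group_grants.get(group, set())
    return perms


def bulk_apply_user(user, selected, targets):
    """Write the selected permissions to each target space as individual grants."""
    for space in targets:
        space.user_grants[user] = set(selected)  # assumption: replaces prior individual grants


def demo():
    memberships = {"user1": {"project-team"}}
    template = Space(group_grants={"project-team": {"view-space", "page-add", "space-export"}})
    target = Space(group_grants={"project-team": {"view-space", "space-export"}})

    # The Edit checkboxes start from effective permissions; the admin clears Export.
    selected = effective(template, "user1", memberships) - {"space-export"}
    bulk_apply_user("user1", selected, [target])

    # Export survives in the target space because the group still grants it.
    after_apply = effective(target, "user1", memberships)
    export_sources = explain(target, "user1", memberships, "space-export")
    # View is now doubled up: granted individually and through the group.
    view_sources = explain(target, "user1", memberships, "view-space")

    # If the user later leaves the group, the individual copies remain.
    memberships["user1"].clear()
    after_leaving = effective(target, "user1", memberships)
    return after_apply, export_sources, view_sources, after_leaving


if __name__ == "__main__":
    for label, value in zip(("after apply", "export via", "view via", "after leaving group"), demo()):
        print(f"{label}: {sorted(value)}")
```

In this model the last result is why a group-based cleanup can miss access: individual grants written by bulk apply have to be reviewed and removed separately.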

Troubleshooting and known issues

General cache problems

Confluence caches permissions information, which helps to make sure results are returned quickly when you check who can view a page, or inspect permissions. We continually update the cache as people and permissions change.  However, we know of two scenarios where the cache is not correctly updated - when you import a site, and when you add, disable, or change the order of your user directories. 

If this happens, the best way to force Confluence to rebuild the cache is to disable the Inspect permissions - gatekeeper plugin, then re-enable it. Alternatively, you can restart Confluence, as the cache is built on startup. 

Export options limited in Internet Explorer 11

There's a known issue with the export dialog in Internet Explorer 11. The dialog is known to intermittently freeze if you select either of the dropdown menus. As a workaround, use the default values for the Separator and List spaces by fields, or use another browser to complete the export. 

Inspect permissions for a group only shows direct permissions

If your external directory has nested groups (a group is a member of another group), and you inspect permissions for a group, you'll only see permissions granted directly to that group (not effectively granted by being a member of a parent group).  If you search for a user, we'll always show the effective permissions, including those granted by parent groups. 

Excluding spaces with no permissions can take a long time in large sites

In the global Inspect Permissions screen, if you select "Don't show spaces that have no permissions for selected users" and don't specify any other filters (such as specifying users, groups, or spaces), the query can take several minutes to return any results.  This is particularly true in sites with a very large number of users and spaces. 

Last modified on Apr 20, 2020
