View Source

Permissions determine the actions which a user is allowed to perform within Confluence. Global permissions are one of the levels of permission provided by Confluence.

In order to assign these permissions, you must already have the global 'Confluence Administrator' or 'System Administrator' permission (described below). You can then assign global permissions to groups, individual users and anonymous users. Further permissions are granted from the space administration screens.

On this page:

Overview of the Global Permissions

Global permissions control access across the whole Confluence site. Here is a list:

Global Permission	Description
Can Use	This is the most basic permission that allows users to access the site. Users with this permission count towards the number of users allowed by your license. See the information on removing/deactivating users.
Attach Files to User Profile	This allows the user to upload files to be stored in their user profile. This feature was made obsolete by the introduction of personal spaces in Confluence 2.2. Hence, this permission is no longer relevant. Attachments can be accessed from a user profile view (for example, an image within the 'About Me' field of a profile view) by attaching these files to a page within that user's personal space and referencing them using appropriate wiki markup code.
Update User Status	This allows the user to update their user status message, which can be seen on the user's profile, pages in their personal space and on various activity streams accessible to other Confluence users.
Personal Space	This permission allows the user to create a personal space.
Create Space(s)	This permission allows users to create new spaces within your Confluence site. When a space is created, the creator automatically has the 'Admin' permission for that space and can perform space-wide administrative functions.
Confluence Administrator	This permission allows users to access the Administration Console that controls site-wide administrative functions. Users with this permission can perform most, but not all, of the Confluence administrative functions. See the comparison of 'System Administrator' and 'Confluence Administrator' below.
System Administrator	This permission allows users to access the Administration Console that controls site-wide administrative functions. Users with this permission can perform all the Confluence administrative functions, including the ones which the 'Confluence Administrator' permission does not allow. Users with this permission are listed on the 'Site Administrators' page that is linked from 'Contact Administrators' in the footer throughout the Confluence site. See the comparison of 'System Administrator' and 'Confluence Administrator' below. Refer also to the note about the 'confluence-administrators' group below.

During the initial configuration of Confluence, the Setup Wizard asks for the username of the System Administrator. This user will have the 'System Administrator' permission and will be a member of the 'confluence-administrators' group.

Comparing the System Administrator with the Confluence Administrator Permission

New with Confluence 2.7 and later comes the ability to have two levels of administrator in Confluence:

System Administrator – Users with this permission can perform all the Confluence administrative functions, including the ones which the 'Confluence Administrator' permission does not allow.
Confluence Administrator – Users with this permission can perform most, but not all, of the Confluence administrative functions.

Tip: The two-tier administration is useful when you want to delegate some administrator privileges to project managers or team leaders. You can give 'Confluence Administrator' permission to users who should be able to perform most administrative functions, but should not be able to perform functions that can compromise the security of the Confluence system.

The following functions are excluded from the 'Confluence Administrator' permission:

Administration Screen	Excluded Function
General Configuration	The following functionality is disallowed: Server Base URL Remote API plugin External user management Public Signup
Daily Backup Admin	This function is disallowed entirely.
Plugins	This function is disallowed entirely.
Plugin Repository	This function is disallowed entirely.
Mail Servers	This function is disallowed entirely.
User Macros	This function is disallowed entirely.
Attachment Storage	This function is disallowed entirely.
Layouts	This function is disallowed entirely.
Custom HTML	This function is disallowed entirely.
Backup & Restore	This function is disallowed entirely.
SnipSnap Import	This function is disallowed entirely.
Logging and Profiling	This function is disallowed entirely.
Cluster Configuration	This function is disallowed entirely.

Comparing the Administrator Permissions with the confluence-administrators Group

The 'confluence-administrators' group defines a set of 'super-users' who can access the Administration Console and perform site-wide administration. Members of this group can also see the content of all pages and spaces in the Confluence instance, regardless of space permissions. They cannot see the content of pages for which they are excluded by page restrictions (restrictions can be removed by members of the confluence-administrators group in the Space Admin screen if need be). The settings on the 'Global Permissions' screen do not affect the powers allowed to members of this group.

Granting the 'System Administrator' or 'Confluence Administrator' permission to a user will not automatically grant the user access to all spaces in the site. These permissions will only give access to the Administration Console.

Be aware, however, that users with 'System Administrator' can add themselves to the 'confluence-administrators' group and become a super-user.

Going by the names, you would think the 'confluence-administrators' group and the 'Confluence Administrator' permission are related – but they are not. To resolve confusion, we want to make explicit that granting a user or group 'Confluence Administrator' permission is not the same as granting them membership to the 'confluence-administrators' group. Granting the 'Confluence Administrator' permission enables access to only a subset of the administrative functions. Granting membership to the 'confluence-administrators' group, on the other hand, gives complete access.

There is an outstanding request to remove the 'confluence-administrators' group from a future version of Confluence (see CONF-4616).

Updating Global Permissions

To edit the global permissions for a group or user,

Select 'Global Permissions' in the 'Security' section of the left-hand panel.
The 'View Global Permissions' screen appears. Click the 'Edit Permissions' button.
The 'Edit Global Permissions' screen appears, as shown below. Add or edit group and user permissions as follows:
- To add permissions for a group:
  1. First add the group to Confluence, if you have not already done so.
  2. Now on the 'Edit Global Permissions' screen, enter the group name in the text box labelled 'Grant browse permission to' in the 'Groups' section. You can click the magnifying glass to search for the group name.
  3. Click the 'Add' button.
  4. The group will appear in the list and you can now edit its permissions.
- To add permissions for a specific user:
  1. First add the user to Confluence, if you have not already done so.
  2. Consider adding the user to a group and then assigning the permissions to the group, as described above, instead of assigning permissions to the specific user.
  3. To assign permissions to a specific user on the 'Edit Global Permissions' screen, enter the username in the text box labelled 'Grant browse permission to' in the 'Individual Users' section. You can click the magnifying glass to search for the username.
  4. Click the 'Add' button.
  5. The username will appear in the list and you can now edit its permissions.
- To add or edit the permissions for a user or group:
  - Select the check box under the relevant permission and next to the relevant user/group. A tick in the check box indicates that the permission is granted. Click again to clear the check box and deny the permission.
- To allow anonymous access to your Confluence site, select the 'Use Confluence' and 'View User Profile' options in the 'Anonymous Access' section.
  For more information about these permissions, refer to Setting up Anonymous Access.
- Click the 'Save All' button to save your changes.

Screenshot: Editing global permissions

Confluence 3.3 > Global Permissions Overview > confluence-3-0-global-permissions.png

In Confluence 2.7.2 and later, Confluence will let you know if there is a problem with some permissions. In rare situations, you may see the following error messages below a permission:

'User/Group not found' — This message may appear if your LDAP repository is unavailable, or if the user/group has been deleted after the permission was created.
'Case incorrect. Correct case is: xxxxxx' — This message may appear if the upper/lower case in the permission does not match the case of the username or group name. If you see a number of occurrences of this message, you should consider running the routine supplied to fix the problem.

Overview of the Global Permissions

Comparing the System Administrator with the Confluence Administrator Permission

Comparing the Administrator Permissions with the confluence-administrators Group

Updating Global Permissions

RELATED TOPICS