Your Confluence probably holds a lot of information.
Some of this will be open to everyone, but there are bound to be some documents and data that need to be protected more carefully.
This is where Confluence permissions take center stage.
From space permissions to individual page restrictions, you can choose how to lock down and protect your content. And we’re here to guide you through it!
So buckle up and let’s go: It’s time for another Ultimate Guide from AppFox – The Confluence Permissions edition.
What exactly are Confluence permissions?
Permissions allow you to control access to different areas within your Confluence.
Currently, there are three levels of permissions; (1) Global permissions, (2) Space permissions, and (3) Page restrictions.
Let’s dig a little deeper into each one.
Global Confluence permissions
Global permissions give you you control at site-level. We’re talking actions like whether a user can log in, or create a space.
To manage these permissions, you need to be a Confluence administrator or a system administrator.
Space permissions
If you’re a space administrator, you can set individual permissions for each of your Confluence spaces.
These might include granting (or removing) permission to add, edit, delete or view content within a space. Every space can have its own permissions.
You can apply space permissions to groups, users and anonymous users.
An ‘anonymous user’ is essentially anyone without a Confluence licence. It can be really useful to share content with anonymous users in certain situations – let’s say a team member who doesn’t have a Confluence licence (or can’t log in), or perhaps a partner organisation or agency you need to collaborate with. You might also grant viewing permissions for anonymous users if you want to share something publicly – like an external-facing product roadmap, or a report. However. If you’ve made your content available to anonymous users, this means that anyone on the internet can find it and view it. Your content will also appear in Google searches. And if you’ve granted space-level permissions, it means anonymous users can view all your pages in that space (unless you have applied specific page restrictions). So, before you grant permission for anonymous users to view content in your space, make sure you check the following:
- Is this content truly public-facing?
- What about the rest of the content in your this space?
- Have I locked down confidential or non-public pages using page restrictions?
Page restrictions
These are a bit different to permissions. Page restrictions enable you to control which users or groups can view or edit specific pages.
The default status of your Confluence pages is open, so if you need to restrict access to certain content, or prevent users from editing it, you’ll need to actively enable page restrictions.
This means a space could include both open pages (so let’s say non-confidential information), and restricted pages (which you may use for content which hasn’t been approved yet, confidential documents or high-risk data).
It’s worth remembering that when you restrict a page, all child pages under it will also carry the same restrictions. This means you can protect multiple pages in one go.
Using restrictions and permissions together
Page restrictions provide more targeted access control than space permissions.
If you grant space permissions to a user or group, they’ll be able to see ALL your pages within that space.
This is where page restrictions come in. You can use page restrictions to lock down certain content within a space. So, a user or group will still have site-wide access, except for those specific pages with restrictions.
Alex Ortiz, Atlassian champion and the face of ApeTech Tutorials, has a great analogy for the interplay between space permissions and page restrictions:
“Space permissions are basically the gate around your space. You’re gonna control who can come in and out of that gate. Once you’re in your space, you’re going to have access to a bunch of different pages. You can then manage at a page-to-page level – so every little item inside of that gated community… You can put a lock and a key on every single one of those little pages, little houses.”
How do you set page restrictions?
In the top right hand corner of any page in Confluence, you should see a small padlock icon.
Clicking on this will display the restrictions applied to that page.
Now if you want to change those restrictions, you’ll first need the correct space permissions.
If you’re a space admin, you’ll already have the ability to edit, add or delete page restrictions within your space(s).
If you’re not, then you’ll need to ask a friendly space admin to grant you permission.
(Quick note here before we move on: You can only customize space permissions on paid Confluence plans.)
Why are Confluence permissions and restrictions important?
Protecting your data has never been so important. (If you like facts and figures, then we went for a real deep into the costs and impact of data loss over in this piece: The Ultimate Guide to Data Classification.)
Thankfully, tools like permissions and page restrictions can help you guard against data leaks or mishandling. This is particularly valuable to Confluence Cloud users, who may have wider concerns around Cloud security.
When implemented correctly and well maintained, page restrictions can protect confidential or high-risk data from unauthorized users. Using them can also embed strong data handling processes across your organization.
Crucially, however, permissions and page restrictions have to be supported by your internal Data Protection and Information Security policies to be truly effective.
Everyone needs to be on the same page in terms of access control and security. This provides a good opportunity to remind your teams about the different types of data your Confluence holds.
Not all of your content is going to be high risk. There’ll be some information which occupies a middle ground – perhaps not public-facing, but not highly confidential either.
In these instances, users with restriction-related permissions will need a clear idea of how much they should protect this kind of data, and how. Should they simply restrict editing? Or viewing the page all together?
Take the time to regularly review your Confluence pages and provide this kind of guidance and support to your users.
If you’re a space admin, we’d urge you to carefully consider who you grant permissions to. Not everyone should have the ability to change or control page restrictions! Make sure any permissions you grant are in line with your organization’s Data Protection and Information Security policies. It’s also important to share guidelines around page restrictions, so that your processes are consistent, and so that users or groups are aware of their responsibilities.
How to manage permissions effectively
By now, you should be clear on what permissions and page restrictions are, and why they’re important.
But how can you use them as effectively as possible?
You want to manage permissions for multiple users: User Groups
Setting permissions for user groups is a handy way to manage access consistently (and to reduce your admin!).
Rather than editing individual users’ permissions, you can create groups of users.
Let’s say, for example, that you want a team of people to have access to a particular project space. You can make a user group, and then enable the relevant permissions. If people leave your organization, or a new starter joins your team, you can simply add or remove them from the user group.
Did you know you can grant access to guests in Confluence? This is a great new feature in Confluence Cloud, and ideal if you’re collaborating with external agencies or partners, but don’t want to make your content publicly available to anonymous users (e.g. anyone!). Guests are free of charge though there are limits on the number of guests you can invite in, and you can invite them to a single space. They’ll have default permissions at space-level, which are pretty limited. Viewing content, adding a page, and adding comments and attachments. From a security perspective, it’s probably a good idea to keep guest permissions to a minimum. If you do want to give them more freedom, however, then a space admin can customize their permissions.
You need to view a record of permission changes: Audit logs
If you’re an administrator, you can access audit logs to view changes that have been made to Confluence.
Depending on your administrator rights, you can view audit logs at either a site or space-level.
Doing this is useful for two reasons: One, if problems arise, you can check the log to view changes, access and actions, which may help to troubleshoot the issue(s). And, two, it provides a valuable record of changes made to permissions, which can be useful intel when you’re reviewing your data protection procedures or internal processes.
The audit log is available on both Confluence Cloud (paid plans only) and Data Center. There is some difference in the level of detail across each version – you can get a little more granular with the DC logs – but both provide a history of changes to global and space permissions.
You need to find out why someone has (or hasn’t) got permission: Inspect permissions
Sometimes users might question why they can’t access a page, or you may get a request from elsewhere in your organization to check a user’s permissions.
In these kinds of cases, it’s time to inspect the user’s permissions. Again, you can do this on both Confluence Cloud and Data Center.
There are a few ways to inspect permissions (dependent on which version of Confluence you’re using), but essentially you’ll end up with a report displaying which permissions the user has been granted/denied and at what level. You may also (again, depending on whether you’re using Cloud or DC) see insights such as whether a permission has been inherited, or why the permission has been granted.
You want to take your page restrictions to the next level: Compliance for Confluence
Page restrictions are great for doing what they say on the tin: Stopping users from editing or viewing a page.
But what if you could level that functionality up using data classifcation? What if you could automatically assign page restrictions for users or groups, based on a page’s risk level?
This is where data classification – and Compliance for Confluence – comes in.
Let’s take a quick step back.
What is data classification?
Put simply, data classification is where you apply levels to your content. A typical structure might look like this:
- Public: Information that poses no risk to the organization if disclosed
- Internal: Information that poses low risk to the organization if disclosed
- Restricted: Information that poses a medium/high risk to the organization if disclosed
Now, Confluence does offer some native features that you could use to assign classification levels to your pages.
For example, you could try Page titles. You might name your pages like this: ‘Employee Appraisals [RESTRICTED]’, or ‘Blog post [PUBLIC]’.
These titles might help users to gauge whether they should access or share the content. But without access controls or automatic restrictions, this isn’t a long-term or robust solution.
A similar solution would be to use Labels, which are key words which you can assign to your pages to categorize them. For example, you could label pages as ‘Internal’.
Whilst this helps you to organize your pages, it doesn’t provide the access control or automated actions that a dedicated data classification process does.
Page status (Cloud only): Designed to aid the content review process, you could use these macros to identify to apply data classification levels instead. Confluence enables you to rename or to create custom page statuses, so you could relabel them in line with your levels.
However, statuses only display when you open the page itself (instead of displaying on the side menu). You also can’t filter based on status, nor base any automation or workflows on them.
No, really what you need is a dedicated data classification tool, designed to automate, streamline and enhance your data protection processes.
Lucky Compliance for Confluence exists, eh? Let’s dig into it a little deeper here.
Using third party apps to protect your pages
As you probably know, the Atlassian Marketplace is packed with awesome apps to level up Confluence.
Compliance for Confluence is just one of those apps, and it provides a truly end-to-end classification process. It’s also made by us, AppFox (which you also probably already know!).
Compliance for Confluence comes with four classification levels as standard, but you can have up to 10. (We’d always recommend keeping your levels to a minimum to keep your process simple and sustainable, but we know your organization might have unique needs.)
Now, we’ve already talked about how data classification is another way to protect your Confluence data, alongside page restrictions and permissions. But the really clever thing about Compliance is that it can automatically apply page restrictions for users or groups, based on that page’s classification level.
Once a page level is assigned as ‘Confidential’, for example, your pre-defined restrictions are automatically applied to the relevant users or groups.
You can also manage these at a Space level, which means different teams can protect pages within their own spaces. Let’s say, that your HR team needed specific restrictions applied to pages classified as ‘Highly Confidential’ within their space. Instead of having to rely on general company-wide access, you can create a custom scheme for them, applied only to their HR space.
We dig really deep into Compliance for Confluence’s fantastic capabilities in our Ultimate Guide to Data Classification here – and we’d really encourage you to take a read if you get the chance. Though we’d also urge you to grab a biscuit and a coffee at the same time – we don’t call it the ultimate guide for nothing.
In closing
We hope you’ve enjoyed your tour of Confluence permissions and page restrictions.
Confluence’s ever-evolving capabilities and collaboration tools make it a really exciting tool to work in. And, with collaboration across your organization and even external partners, it’s increasingly important to manage, lock down and protect your sensitive and high-risk data.
Be sure to check out Compliance for Confluence as this will make data loss prevention a much smoother process in Confluence!
