Our Leadership Team would like to set up a private community within Confluence to discuss sensitive topics.
We are able to restrict the pages for regular staff, but not for people with Confluence Admin rights. These people can see all pages, even when they are not in the list to view the space or a specific page.
We also tried using a private community in the Community Bubbles plugin, but this is also visible to Confluence Admins.
Problem: Many people on the tech team have Confluence Administrator access but should not be able to see the information discussed by the Leadership Team.
Question: Is there a way to restrict Confluence Administrators from seeing specific pages?
Here is what we did for the restricted space:
· Created an “Oops. That page is restricted” page to redirect to an unrestricted page in another space on the wiki.
· Installed Visibility plugin for {show-to} macro
· Modified restricted space layout:
o Added the following to the Header: {show-to:groups=confluence-administrators}
{html}<script>location.replace('http://DOMAIN/SPACEKEY/Oops.+Restricted+page')</script>{html}
{show-to}
Any confluence admin who needed access to the restricted space was removed from the confluence-administrators group, but retained sys admin privileges.
I have managed to solve this as follows:
1. Create one dedicated Confluence User as global ADMIN account, name it however you want.
2. Add this User to the global group CONFLUENCE-ADMINISTRATOR.
3. Login with this new user.
4. REMOVE any other user, that previously was a member of the group CONFLUENCE-ADMINISTATOR from the group CONFLUENCE-ADMINISTATOR.
From now on the previous Admins, that arre usually authorized to manage users are just normal restrivted users without any admin previleges.
5. Go to the global settings -> "Global Permissions" page.
6. Add the users that need elevated permissions to manage the confluence configuration and manage users & groups to the "individual users" pane and assign them the CONFLUENCE ADMINISTRATOR permission.
7. Logout and re-logon with one of the accunts you added the permission to in step 6. Now, this user has permission to manage setup, manage user accounts and group membership. BUT this user is NOT allowed to see or enter any SPACES or PAGES that he does not have explicitely permission to by adding the account or ANY group this account is member of to the space permissions.
Conclusion: The CONFLUENCE-ADMINISTRATOR group has more previleges that pre-defined in the "Global Permission" page. There is something special about this group you can neither see or change. Individual users not member of this group but granted the "Confluence "Administrator" Permission in "Global Permission" Page have less previleges than this group has.
Disadvantage: The admin users defined this way have the ability to change all of that back again or add users to the CONFLUENCE-ADMINISTRATOR group and override this configuration. But if they are aware and don't, any spaces content is secured from previleged confluence users eyes as long they are not granted to access it.
:-)
Feedback if it works for you is appreciated.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks for the info, I'm going to try that
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thank you also, that is a very reasonable approach. It works for us.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I figured it out. It's working now.
Okay, I won't be that guy who says it's fixed and not tell you what he did to fix it.
Here's what I found, I can't explain why, but it works.
There is apparently a difference between the permissions of users in the local confluence-admins group vs an AD synced group with the same exact permissions.
For example, we have an admin group that i'm part of that has Personal Space, Create Space(s), Confluence Administrator, System Administrator permissions.
The local confluence-admins group has the same permissions.
If i'm logged in with my account, if I click on the padlock, I get taken to a page that says I must request permission to view this page.
If i log in with the admin account we have in the local confluence-admins group and do the same thing, it take me to the page info and I can remove restrictions.
Another confluence admin and myself have been looking at it for the last 10 minutes speechless trying to figure out why in the world this works.
Hope that helps some of you.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Considering how many ways there are for tech team to view page content (f.e. run some SQL code against backend database), consider using something like https://marketplace.atlassian.com/plugins/net.customware.confluence.plugin.vault
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
We had the same issue. Our admin users now have two seperate accounts. One with regular user rights and one with administration rights. They are asked to only login as admin when required.
So they won't see hidden pages by simply using Confluence.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Try setting the view restrictions specifically on a page and see if that works. If you find that it does work for you, any child of that page will inherit its restrictions. I use this to prevent Admins from editing certain pages, not sure I have ever tried to restrict viewing though....
http://confluence.atlassian.com/display/DOC/Page+Restrictions
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Yeah, that doesn't work, unfortunately.
I am assuming that the answer to my question is, "you can't restrict viewing for confluence admins," but I wanted to ask here just in case.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
 
 
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.