Restrict viewing for Confluence Administrators?

ITops123
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
July 24, 2011

Our Leadership Team would like to set up a private community within Confluence to discuss sensitive topics.

We are able to restrict the pages for regular staff, but not for people with Confluence Admin rights. These people can see all pages, even when they are not in the list to view the space or a specific page.

We also tried using a private community in the Community Bubbles plugin, but this is also visible to Confluence Admins.

Problem: Many people on the tech team have Confluence Administrator access but should not be able to see the information discussed by the Leadership Team.

Question: Is there a way to restrict Confluence Administrators from seeing specific pages?

6 answers

1 accepted

0 votes
Answer accepted
ITops123
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 22, 2011

Here is what we did for the restricted space:

· Created an “Oops. That page is restricted” page to redirect to an unrestricted page in another space on the wiki.

· Installed Visibility plugin for {show-to} macro

· Modified restricted space layout:

o Added the following to the Header: {show-to:groups=confluence-administrators}

{html}<script>location.replace('http://DOMAIN/SPACEKEY/Oops.+Restricted+page')</script>{html}

{show-to}

Any confluence admin who needed access to the restricted space was removed from the confluence-administrators group, but retained sys admin privileges.

2 votes
Markus Pöhler January 10, 2019

I have managed to solve this as follows:

1. Create one dedicated Confluence User as global ADMIN account, name it however you want. 

2. Add this User to the global group CONFLUENCE-ADMINISTRATOR.

3. Login with this new user.

4. REMOVE any other user, that previously was a member of the group CONFLUENCE-ADMINISTATOR from the group CONFLUENCE-ADMINISTATOR. 

From now on the previous Admins, that arre usually authorized to manage users are just normal restrivted users without any admin previleges.

5. Go to the global settings -> "Global Permissions" page. 

6. Add the users that need elevated permissions to manage the confluence configuration and manage users & groups to the "individual users" pane and assign them the CONFLUENCE ADMINISTRATOR permission.

7. Logout and re-logon with one of the accunts you added the permission to in step 6. Now, this user has permission to manage setup, manage user accounts and group membership. BUT this user is NOT allowed to see or enter any SPACES or PAGES that he does not have explicitely permission to by adding the account or ANY group this account is member of to the space permissions. 

Conclusion: The CONFLUENCE-ADMINISTRATOR group has more previleges that pre-defined in the "Global Permission" page. There is something special about this group you can neither see or change. Individual users not member of this group but granted the "Confluence "Administrator" Permission in "Global Permission" Page have less previleges than this group has.

Disadvantage: The admin users defined this way have the ability to change all of that back again or add users to the CONFLUENCE-ADMINISTRATOR group and override this configuration. But if they are aware and don't, any spaces content is secured from previleged confluence users eyes as long they are not granted to access it.

:-)

Feedback if it works for you is appreciated.

Stéphane Gras April 16, 2019

Thanks for the info, I'm going to try that

Erik Ellingsson May 21, 2019

Thanks Markus for your description it was very valuable for me.

Augustin Luton July 10, 2019

Thank you also, that is a very reasonable approach. It works for us.

0 votes
Steve Meier August 30, 2018

I figured it out. It's working now.

 

 Okay, I won't be that guy who says it's fixed and not tell you what he did to fix it.

Here's what I found, I can't explain why, but it works.

There is apparently a difference between the permissions of users in the local confluence-admins group vs an AD synced group with the same exact permissions.

For example, we have an admin group that i'm part of that has Personal Space, Create Space(s), Confluence Administrator, System Administrator permissions. 

The local confluence-admins group has the same permissions. 

If i'm logged in with my account, if I click on the padlock, I get taken to a page that says I must request permission to view this page. 

If i log in with the admin account we have in the local confluence-admins group and do the same thing, it take me to the page info and I can remove restrictions.

Another confluence admin and myself have been looking at it for the last 10 minutes speechless trying to figure out why in the world this works. 

 

Hope that helps some of you.

0 votes
Sergey Svishchev
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 10, 2013

Considering how many ways there are for tech team to view page content (f.e. run some SQL code against backend database), consider using something like https://marketplace.atlassian.com/plugins/net.customware.confluence.plugin.vault

0 votes
Stephan Haslinger October 3, 2011

We had the same issue. Our admin users now have two seperate accounts. One with regular user rights and one with administration rights. They are asked to only login as admin when required.

So they won't see hidden pages by simply using Confluence.

0 votes
Jon Cotter
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
July 25, 2011

Try setting the view restrictions specifically on a page and see if that works. If you find that it does work for you, any child of that page will inherit its restrictions. I use this to prevent Admins from editing certain pages, not sure I have ever tried to restrict viewing though....

http://confluence.atlassian.com/display/DOC/Page+Restrictions

ITops123
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
July 25, 2011

Yeah, that doesn't work, unfortunately.

I am assuming that the answer to my question is, "you can't restrict viewing for confluence admins," but I wanted to ask here just in case.

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events