Troubleshoot access problems at the space level

Sometimes users end up with too little or too much access. Or sometimes you just need to audit user access to reassure yourself that it's correct. Confluence offers helpful ways to troubleshoot access problems in your space.

What is the additive permissions concept?

Confluence operates on a model of additive permissions, which means that if someone has access to content in two or more ways, you always add up all the permissions from all of their sources of access.

For example, let’s say the group product-marketing has access to your space with the Collaborator role, but Omar, who is a member of the product-marketing group, should not be able to edit any content in the space, so someone explicitly added him as an individual with the Viewer role. This does NOT mean Omar is limited to the Viewer role.

Even though Omar is explicitly listed as a Viewer, he can still edit in the space because he’s a member of the product-marketing group, which is assigned the Collaborator role. Additive permissions means Omar gets the combined, greater access.

View all sources of access for a user

In the Users table, you can audit all sources of access a user has. For instance, a user may have explicit access to a space as an individual user but may also have implicit access to the space as a member of a group.

Someone can do something in your space that they shouldn’t

If someone is doing something in the space that they shouldn’t (i.e., editing, commenting, viewing), it’s likely because of additive permissions — the user actually has the permission through some other source.

To troubleshoot this, you can get a full picture of a user’s access by auditing all sources of their access to the space:

1. Go to Users in space settings.

2. Enter the user’s name in the search bar.

This will filter the list to show the individual user (if they’ve been explicitly added with a role) and any other groups and/or user classes they’re a member of that have a role in the space.

This represents a complete picture of the users' access, including all sources of access that apply to them.

From there, you can change the level of access for any of the sources, remove a source, or remove the user from the source (though, you’ll likely need an organization admin to do the last one).

Someone can’t do something in your space that they should

If someone can’t do something in your space that they should be able to do, they likely lack the permission to do it (if it’s not a bug). Which means you simply need to give them the permission.

To audit a complete picture of what their access currently is:

1. Go to Users in space settings.

2. Enter the user’s name in the search bar. This will collect all sources of access that apply to the user.

3. Select the info icon next to the role selector for each source and select View role permissions.

4. This will open a window that shows which permissions are associated with the role.

If the user's required permission isn’t checked in any of the access sources, you’ll need to change one of the sources to a role that includes the permission.

Recommendation: If one of the sources for the user is them as an individual (and not as a member of a group or a class), then it’s probably simplest to just change the role for their individual access to one that includes the permission you want them to have. Or if they don’t have individual access, you can add them.

If there isn’t an appropriate role to assign them, you can use a custom role to pick and choose exactly which permissions the user should have.