App Security Scopes

This page declares scopes for the privileged user, used across app requests. If you are looking for per-user scope restrictions, please see Permissions.

This page lists the scopes declared in the app manifest.yml, explaining why each scope is required. Forge scopes and permissions are explained in detail in https://developer.atlassian.com/platform/forge/manifest-reference/scopes-product-confluence/#classic-scopes.

 

On top of per-app scopes and permissions, CSUMCloud expects the Privileged User (see Configuring the Privileged user credentials) to hold additional permissions so that the user can perform specific operations. For example, the privileged user must have permission to remove group members from a space if they wish to use the ‘Remove User’ operation.

 

Scopes

Scopes

Why required

- storage:app

To allow the App storage API (for Global Settings). Any settings stored are shown in the System Admin Documentation.

- manage:confluence-configuration

To allow view access to Confluence Global Settings. These include any global settings values, such as the System Info endpoint, which provides the site base URL (used by the Privileged User to make site-internal fetch requests to perform space group operations).

- read:confluence-groups

Read access to view space groups.

- write:confluence-groups

Write access for space groups used in space group operations (Rename group/Delete group/Add or Remove group membership).

- read:confluence-space.summary

The ability to read Space metadata, used for retrieving SpaceKey and Groups of personal space(s). Read access prevents unauthorized space alterations.

- search:confluence

To allow searching for users via CQL, using the Search Users endpoint listed below.

- read:confluence-user

To allow the Get User endpoint to load user names using the stored user accountId configuration.
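A check that the scopes declared in a manifest.yml still match the list above, reporting any scope that is declared but undocumented or documented but absent. This is an added example, not CSUMCloud's own code: the sample manifest is constructed, `extractScopes` and `auditScopes` are hypothetical helper names, and the line scanner assumes block-style YAML.

```javascript
const DOCUMENTED_SCOPES = [ // scopes as listed on this page
  'storage:app', 'manage:confluence-configuration',
  'read:confluence-groups', 'write:confluence-groups',
  'read:confluence-space.summary', 'search:confluence', 'read:confluence-user',
];
// Constructed sample manifest: three documented scopes are absent, one extra was added.
const SAMPLE_MANIFEST = `
permissions:
  scopes:
    - storage:app
    - manage:confluence-configuration
    - read:confluence-groups
    - write:confluence-groups
    - write:confluence-content   # not on the documented list
  content:
    styles:
      - unsafe-inline
`;

// Assumption: block-style YAML, one "- scope" per line; real CI should use a YAML parser.
function extractScopes(manifestText) {
  const scopes = [];
  let inPermissions = false, inScopes = false;
  for (const raw of manifestText.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s)#.*$/, '').trimEnd(); // drop comments
    const text = line.trim();
    if (text === '') continue;
    if (line === text) {                 // unindented line: a top-level key
      inPermissions = text === 'permissions:';
      inScopes = false;
    } else if (inPermissions && text === 'scopes:') {
      inScopes = true;
    } else if (inScopes && text.startsWith('- ')) {
      scopes.push(text.slice(2).trim().replace(/^['"]|['"]$/g, ''));
    } else {
      inScopes = false;                  // any other key ends the scopes list
    }
  }
  return scopes;
}

// Both arrays empty means the manifest matches the documented list.
function auditScopes(manifestText) {
  const declared = new Set(extractScopes(manifestText));
  return {
    undocumented: [...declared].filter((s) => !DOCUMENTED_SCOPES.includes(s)).sort(),
    missing: DOCUMENTED_SCOPES.filter((s) => !declared.has(s)),
  };
}
console.log(auditScopes(SAMPLE_MANIFEST));
```

A non-empty `undocumented` array is the case to block in review, since it means the app requests access that this page does not justify.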

Permissions

Permission

Why required

- unsafe-inline

To allow inline styles

- "*.atlassian.net"

To grant access to the Atlassian site, allowing access to user profile icons (upcoming feature).

Privileged User Permissions

The list below is the combined set of permissions required. Please see the table below for detailed information on the reasoning (and usages) for each permission.

  • Permission to access the Confluence site ('Can use' global permission).

  • Permission to access the Confluence site ('Can use' global permission). Only content that the user has permission to view will be returned.

  • User must be a site admin.

  • 'Admin' permission for the space.

    • This is a per-space requirement for each space you wish to use CSUMCloud with.

  • 'View' permission for the space.

    • This is a per-space requirement for each space you wish to use CSUMCloud with.

 

Any further scope and permission information explanation can be found in the related Confluence Cloud REST API documentation.

Scopes below are for the Privileged User.

Permission

Why required

REST API

Permission to access the Confluence site ('Can use' global permission).

  • To retrieve the baseUrl of the site, allowing further

  • (This is primarily performed by the CSUMCloud app to allow the Privileged User to make the below requests).

Get System Info

User must be a site admin.

  • To search for Space Groups, allowing insight into group membership, and allowing the user to select a group for rename or deletion.

Search Groups by partial query

Permission to access the Confluence site ('Can use' global permission).

  • To view the group members of a selected space group

  • Used during Add/Remove group membership operations if a group has been selected to add/remove all members of a group into the selected space group.

Get Group Members

Permission to access the Confluence site ('Can use' global permission).

  • To retrieve a selected space group

Get Group

User must be a site admin.

  • To create a new space group

  • Used to create the new space group during the ‘Rename Group’ feature

Create Group

User must be a site admin.

  • To delete a selected space group

  • Used to delete the old space group during the ‘Delete Group’ feature

Delete Group

'View' permission for the space.

  • To retrieve the current space when accessing CSUMCloud through the SpaceSettings module.

Get Space

'View' permission for the space.

  • Used to copy over the Space Permissions to the renamed group during the ‘Rename Group’ feature.

Get Space Permissions

'Admin' permission for the space.

  • Used to copy over the Space Permissions to the renamed group during the ‘Rename Group’ feature.

Add Space Permission

User must be a site admin.

  • Used to add members to groups

Add User to Group

User must be a site admin.

  • Used to remove members from groups

Remove user from Group

Permission to access the Confluence site ('Can use' global permission). Only content that the user has permission to view will be returned.

  • Used to search for users during the Add/Remove user operations.

Search Users (Using CQL)

Permission to access the Confluence site ('Can use' global permission).

  • Used to check user group memberships when validating the Permissions schema (see Permissions)

Get user group memberships

Permission to access the Confluence site ('Can use' global permission).

  • Used to load the user display name in the Permissions Global Settings tab.

Get User