Privileged User Permissions

 

This page details the minimum permissions that the Privileged User account requires. It also covers the errors shown when those permissions are not met, along with how to resolve them.

 

What Permissions are required?

In order for any Space admin to access and use the CSUMCloud app, the following requirements must be met:

  1. The User tied to the Privileged User credentials must have Space Admin permission for the Space.

  2. The logged-in Space admin must be an admin of the Space.

For point 1, this is to allow the CSUMCloud app to perform Confluence Cloud REST API requests to retrieve the current Space.

For point 2, this is to allow the logged-in user to view the Space Settings of a given Space, along with having the necessary permissions to view the app. (This is determined using Forge displayConditions.)

What happens if the Privileged User lacks the Space admin permission?

In this scenario, the app will fail to retrieve the current Space, resulting in the following error being shown:

[Screenshot: error message shown by the app]

How to resolve this problem

The fix for this issue is to grant the Space Admin permission to the Privileged User for the Space shown in the error message on-screen.

This can be granted by assigning the Space Admin space permission for individual spaces.

Space Admin permission can alternatively be granted to a group, allowing multiple users (Space admins and/or the Privileged User) to be granted the same permission. Ensure your confluence-admins-<SITENAME> group grants Space Admin permission. It is recommended that every Space from which you want Space admins to access CSUMCloud has this group added in the Space Permissions, with the Space Admin permission enabled:

[Screenshot: Space Permissions with the group added and the Space Admin permission enabled]

Adding this to your given Space will allow any Space admin that is a member of this group to have the Space Admin permission. If the Privileged User is added to this group, and the group is granted permission inside the Space, it is expected that the permission should enable the app to load.
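
One way to check the grant described above, as an added example that is not CSUMCloud's or Atlassian's code: it reports whether the Privileged User holds Space Admin on a Space directly or through a group. It assumes permission entries shaped like the Confluence Cloud REST API v1 space resource with `expand=permissions`; the function name, account IDs, group names and space key are constructed.

```javascript
// Added example: decide whether the Privileged User holds Space Admin on a space,
// and whether the grant is direct or inherited from a group.
// ASSUMPTION: `space` has the shape of a Confluence Cloud REST API v1 space
// resource fetched with expand=permissions. All sample values are constructed.

function spaceAdminGrants(space, accountId, memberOfGroups) {
  const groups = new Set(memberOfGroups.map((g) => g.toLowerCase()));
  const grants = [];
  for (const perm of space.permissions || []) {
    const op = perm.operation || {};
    // Space Admin is the "administer" operation on target type "space".
    if (op.operation !== "administer" || op.targetType !== "space") continue;
    const subjects = perm.subjects || {}; // absent on anonymous-access entries
    for (const u of (subjects.user && subjects.user.results) || []) {
      if (u.accountId === accountId) grants.push({ via: "user", name: accountId });
    }
    for (const g of (subjects.group && subjects.group.results) || []) {
      if (groups.has(String(g.name).toLowerCase())) grants.push({ via: "group", name: g.name });
    }
  }
  return { spaceKey: space.key, isSpaceAdmin: grants.length > 0, grants };
}

// Constructed sample: one group and one other user have Space Admin;
// the Privileged User only has a direct "read" grant.
const sampleSpace = {
  key: "DOCS",
  permissions: [
    { operation: { operation: "read", targetType: "space" },
      subjects: { user: { results: [{ accountId: "acct-privileged" }] } } },
    { operation: { operation: "administer", targetType: "space" },
      subjects: { group: { results: [{ name: "confluence-admins-example" }] } } },
    { operation: { operation: "administer", targetType: "space" },
      subjects: { user: { results: [{ accountId: "acct-other-admin" }] } } },
    { operation: { operation: "read", targetType: "space" }, anonymousAccess: true },
  ],
};

// The Privileged User is not a Space admin until it joins the admin group.
const before = spaceAdminGrants(sampleSpace, "acct-privileged", ["confluence-users-example"]);
const after = spaceAdminGrants(sampleSpace, "acct-privileged", ["confluence-admins-example"]);
console.log(before.isSpaceAdmin, after.isSpaceAdmin, after.grants);
```

The `grants` list shows every path by which the account is a Space admin, which helps when reviewing whether a group grant gives the Privileged User more spaces than intended.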

 

What happens if the logged in user lacks admin permission?

In this scenario, the logged in user will be treated as a generic Confluence user. Due to the displayConditions applied, the CSUMCloud app will not be visible from the Space Settings page.

If the user lacks View Permission:

If the user lacks Space Admin Permission, the CSUMCloud integration will not be visible from the Space Settings page:

 

Note: If the Space admin is a Confluence Product admin, or has been granted the User Access admin product role, they may still be able to view the CSUMCloud app.

This issue is related to https://jira.atlassian.com/browse/CONFCLOUD-65274, where non-admin accounts can access the Space Settings. To prevent non-admin access to the CSUMCloud app, the displayConditions will prevent the app from being visible in this scenario.

 

How to resolve this problem

The fix for this issue is to make the logged-in user a Space Admin of each Space that you want them to access the CSUMCloud app from.

If the app is visible after this, but results in an error, please follow the steps described in the section "What happens if the Privileged User lacks the Space admin permission?" above to grant the relevant permissions for the Privileged User.

 

How is access granted?

Because CSUMCloud is a Forge app, permission to view the app is determined using Display Conditions: https://developer.atlassian.com/platform/forge/manifest-reference/display-conditions/

As this behaviour is performed by Atlassian, there is no per-user configuration to allow access to the app. Users without admin permission cannot load the app.

| App module | Display Conditions |
|---|---|
| Space Settings | isAdmin: true, isSiteAdmin: true, isSpaceAdmin: true |
| Global Settings | isAdmin: true, isSiteAdmin: true |

I cannot view the app?

If the logged-in user does not have admin permission matching the display conditions above, the CSUMC app will not load.

Please see the "How to resolve this problem" section above if Space Admins are still experiencing issues accessing the app via Space Settings.

 

Can I grant permission using Admin Key access?

Atlassian have confirmed this as a bug, pointing to https://jira.atlassian.com/browse/CONFCLOUD-78914.

Admin Key (https://support.atlassian.com/confluence-cloud/docs/bypass-access-restrictions-on-a-page-with-admin-key/) allows per-page restrictions to be overridden when users request access to a page.

This only grants view permission. The Privileged User must still have Space Admin permission for the given Space.

We have an internal ticket (https://thepluginpeople.atlassian.net/browse/CSUMC-130) which relies on https://jira.atlassian.com/browse/CONFCLOUD-78914. We encourage customers to vote on this ticket if Admin Key access is desired with Forge apps.