Privileged User Permissions
This page details the minimum permissions that the Privileged User account requires. It also covers the errors shown when those permissions are not met, along with how to resolve them.
What Permissions are required?
Currently, the privileged user will require Site Admin permission to allow Group create/delete requests, or Group membership changes.
This is because the Group creation and Group membership REST APIs are restricted to Site Admin only, as described in Manage global permissions | Confluence Cloud | Atlassian Support.
Why is site admin required?
As per the Atlassian documentation, under “Add or remove user groups” in Manage global permissions | Confluence Cloud | Atlassian Support:
Only site admins, user access admins, and organization admins can add or remove user groups from Confluence.
App Security Scopes | Privileged User Permissions also explains which REST APIs require site admin permission.
In order for any Space admin to access and use the CSUMCloud app, the following requirements must be met:
1. The User tied to the Privileged User credentials must have Space Admin permission for the Space. (This user also requires site admin permission so that the REST API calls that update groups are allowed.)
2. The logged in Space admin must be an admin of the Space.
For point 1, this is to allow the CSUMCloud app to perform Confluence Cloud REST API requests to retrieve the current Space.
For point 2, this is to allow the logged in user to view the Space Settings of a given Space, along with having the necessary permissions to view the app. (This is determined using Forge displayConditions.)
What happens if the Privileged User lacks the relevant permissions?
In this scenario, the app will fail to retrieve the current Space, resulting in the following error being shown:
How to resolve this problem
The fix for this issue is to:
Ensure the user is Site Admin (See Manage global permissions | Confluence Cloud | Atlassian Support for more information).
Grant the Space Admin permission to the Privileged User for the Space shown in the error message on-screen. (This can be granted by assigning the Space Admin space permission for individual spaces.)
Space Admin permission can alternatively be granted for a group, allowing multiple users (Space admins and/or the privileged user) to be granted the same permission. Ensure your confluence-admins-<SITENAME> group grants space admin permission. It is recommended that every Space from which you want space admins to access CSUMCloud has this group added in the Space Permissions, with the Space Admin Permission enabled:
What happens if the logged in user lacks admin permission?
In this scenario, the logged in user will be treated as a generic Confluence user. Due to the displayConditions applied, the CSUMCloud app will not be visible from the Space Settings page.
If the user lacks View Permission:
If the user lacks Space Admin Permission, the CSUMCloud integration will not be visible from the Space Settings page:
Note: If the Space admin is a Confluence Product admin, or has been granted the User Access admin product role, they may still be able to view the CSUMCloud app.
This issue is related to https://jira.atlassian.com/browse/CONFCLOUD-65274, where non-admin accounts can access the Space Settings. To prevent non-admin access to the CSUMCloud app, the displayConditions will prevent the app from being visible in this scenario.
How to resolve this problem
The fix for this issue is to make the logged in user a Space Admin of a given space that you want them to access the CSUMCloud app from.
If the app is visible after this, but results in an error, please follow the steps described in Privileged User Permissions | What happens if the Privileged User lacks the Space admin permission? to grant the relevant permissions for the Privileged User.
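The two requirements above (the logged in user and the Privileged User each holding Space Admin, directly or through a group, plus Site Admin for the Privileged User) can be audited from a Space's permission list. This is an added example, not CSUMCloud's own code; the permission entry shape, account IDs, group name and finding codes are assumptions constructed for illustration.

```javascript
// Constructed sample: entry shape is an assumption modelled on Confluence
// space permission entries; all IDs and names are placeholders.
const samplePermissions = [
  { operation: { operation: 'read', targetType: 'space' },
    subjects: { user: { results: [{ accountId: 'acct-alice' }] } } },
  { operation: { operation: 'administer', targetType: 'space' },
    subjects: { group: { results: [{ name: 'confluence-admins-examplesite' }] } } },
  { operation: { operation: 'administer', targetType: 'space' },
    subjects: { user: { results: [{ accountId: 'acct-bob' }] } } },
];

// Returns how the account holds Space Admin: 'direct', 'group:<name>' or null.
function spaceAdminVia(permissions, account) {
  for (const p of permissions) {
    const op = p.operation || {};
    if (op.operation !== 'administer' || op.targetType !== 'space') continue;
    const users = p.subjects?.user?.results ?? [];
    if (users.some((u) => u.accountId === account.accountId)) return 'direct';
    const groups = p.subjects?.group?.results ?? [];
    const hit = groups.find((g) => (account.groups || []).includes(g.name));
    if (hit) return `group:${hit.name}`;
  }
  return null;
}

// Maps the page's failure scenarios to finding codes (hypothetical names).
function diagnose(permissions, loggedIn, privileged) {
  const findings = [];
  // App hidden by displayConditions (product admins may still see it).
  if (!spaceAdminVia(permissions, loggedIn)) findings.push('LOGGED_IN_NOT_SPACE_ADMIN');
  // Group create/delete and membership REST calls need Site Admin.
  if (!privileged.siteAdmin) findings.push('PRIVILEGED_NOT_SITE_ADMIN');
  // App loads but fails to retrieve the current Space.
  if (!spaceAdminVia(permissions, privileged)) findings.push('PRIVILEGED_NOT_SPACE_ADMIN');
  return findings;
}

const alice = { accountId: 'acct-alice', groups: [] };
const bob = { accountId: 'acct-bob', groups: [] };
const svc = { accountId: 'acct-svc', groups: ['confluence-admins-examplesite'], siteAdmin: true };
console.log(diagnose(samplePermissions, alice, svc));
console.log(diagnose(samplePermissions, bob, svc));
```

An empty result means both accounts meet the Space-level requirements; Site Admin status is passed in as a flag because it is not part of the Space's permission list.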
How is access granted?
Because CSUMCloud is a Forge app, permission to view the app is controlled using Display Conditions: https://developer.atlassian.com/platform/forge/manifest-reference/display-conditions/ .
As this behaviour is performed by Atlassian, there is no per-user configuration to allow access to the app. Users without admin permission cannot load the app.
App module | Display Conditions |
---|---|
Space Settings | isAdmin: true, isSiteAdmin: true, isSpaceAdmin: true |
Global Settings | isAdmin: true, isSiteAdmin: true |
I cannot view the app?
If the logged in user does not have admin permission matching the display conditions above, the CSUMC app will not load.
Please see Privileged User Permissions | How to resolve this problem if Space Admins are still experiencing issues accessing the app via Space Settings.
Can I grant permission using Admin Key access?
Atlassian have confirmed this as a bug, pointing to https://jira.atlassian.com/browse/CONFCLOUD-78914.
Bypass page restrictions with admin key | Confluence Cloud | Atlassian Support allows per-page restrictions to be overridden when users request access to a page.
This only grants view permission. The privileged user must still have space admin permission for the given space.
We have an internal ticket (https://thepluginpeople.atlassian.net/browse/CSUMC-130) which relies on https://jira.atlassian.com/browse/CONFCLOUD-78914 . We encourage customers to vote on this ticket if Admin Key access is desired with Forge apps.