Roles and permissions

Roles and permissions

Overview

The standard Confluence roles and permissions are used in Comala Document Management to manage workflow roles and also access to documents with an applied workflow. In addition, the app can add, remove, and set Confluence page-level restrictions.

Confluence hierarchy

The roles and permissions for both Confluence and workflows are based on the topology of Confluence itself.


Workflows, roles, and permissions exist at all three levels of the hierarchy.

Page refers to pages and blog posts.

Confluence permissions

For an overview of Confluence permissions, see Atlassian Confluence permissions and restrictions.

The following workflow trigger action macros can be used to change page-level restrictions as a response to a workflow event:

Confluence roles

These are the standard roles in Confluence, and how they relate to Comala Document Management.

Role

Notes

Role

Notes

Anonymous

Anyone who is not logged in to Confluence.

User

Must be logged in to Confluence.

Comala add-on user

Comala app user used for workflow

Space administrator

Responsible for

Global administrator

Responsible for:

The global administrator can set

System administrator

Responsible for

Workflow permissions

These are the permissions from the perspective of Comala Document Management:

Permission

Notes

Permission

Notes

View content

Users who can view the content

This requires all of the following Confluence permissions:

  • "Can use" – Global permission

  • "View" – Space permission

  • "View" – Page (or blog post) permission, or no page-level restrictions

Users who only have this permission are sometimes referred to as "Viewers", "View-only users", or "Read-only users".

Edit content

Users who can edit the content (including Admins)

This requires all of the following Confluence permissions:

  • The permissions listed for "View" above

  • "Add" – Space permission

  • "Edit" – Page (or blog post) permission, or no page-level restrictions

Workflow admin

Users who can administer the workflow at the content level.

This requires any of the following Confluence permissions:

  • System administrator

  • Global administrator

  • Space administrator

You can define additional Workflow Admin users, even if they don't have any of the three permissions listed above, by adding users to the adminusers property of the workflow macro. This grants the listed users the Workflow Admin permission for that particular workflow, and all the content it is applied to.

Workflow roles

Workflow roles relate to interactions with the content and the workflow applied to it:

Role

Notes

Role

Notes

Viewer

Consumer of content

  • Must have View content permission

Author

Responsible for producing (creating, editing) content

  • Must have Edit content permission

Assignee

A user who is

Assignment is optional by default, but can be required or prevented in the workflow or app configuration.

See:

Reviewer

Responsible for reviewing content.

See:

Must have Edit content permission

Reviewers can optionally be required to authenticate their identity prior to making a review.

See:

Approver or rejector

A Reviewer who has either approved or rejected content during a content review.

These can be used in some of the compatible third-party apps. The values can be accessed using the Workflow supplier or as a value reference.

In some elements of the user interface and macros, the term Approver is used to refer to a Reviewer or Assignee.

Producer

Collective term for Authors, Assignees, and Reviewers.

Namely, all users who have Edit content permission.

Workflow Admin

Can force workflows into a specific state on a page-by-page basis.

See:

Can remove stickylabels

See:

Must have Workflow Admin permission

When applying workflows at the space-level, Confluence administrators and space administrators can use the Initialize feature to bulk transition all documents for a given workflow into a given state.

Page mode

When a space is running in page mode, users with Edit content permission can apply a page workflow and edit the applied workflow using the page tools menu:

Space mode

When a space is running in space mode, a space workflow has been made active in the document management dashboard and applied to all the pages and blog posts in the space by a space administrator. On pages with the space workflow applied, there are no options for editors to add or remove the workflow:

App configuration

Setting

Use

Where

Notes

Setting

Use

Where

Notes

Workflow Activity and Drafts Visibility

Can users who only have View content permission (but not Confluence edit or admin permission) view documents in a draft workflow state when the workflow includes a final state?

  • Default setting: View-only users can only view the last approved version created on transition to the workflow final state (if present)

  • Option: Visibility set to let view-only users view content in a workflow draft state

See:

Tasks mode

Can users other than the task creator and assignee complete or assign tasks?

  • Default setting: Lenient. Any user with view and edit permission can complete a task

  • Option: Strict. If user is assigned, only the assignee can complete the task

Space workflows

Which spaces in the instance can use and apply space workflows?

  • Default setting: Any

Space workflows can be restricted to added space keys.

Page workflows

Which spaces in the instance can use and apply page workflows?

  • Default setting: Any

Page workflows can be restricted to added space keys.

Workflow Importer Group

Which Confluence administrators and space administrators can import workflows from the Workflows Exchange repository?

See:

Email any address

Can email addresses that are not associated with a Confluence instance be used in the send-email macro in a workflow trigger custom email notification?

 

Default view

When using same-space publishing, should users with Edit content permission see the draft or the last published (final state) version of content by default?

 

Testing roles and permissions

Whilst developing and testing workflows, it is useful to view the content from the perspective of another user – such as a Viewer, or a Reviewer – to check that the interface, permissions, notifications, etc., are working as you expect.

A third-party app, Switch User (SU) for Confluence, can be useful in this context. If you are more adventurous, you could probably do something similar using Adaptavist ScriptRunner.

Related pages

Need support? Create a request with our support team.

Copyright © 2005 - 2025 Appfire | All rights reserved.