Comala Document Management for Data Center
    Updated Sept 05

    Roles and permissions

    Overview

    The standard Confluence roles and permissions are used in Comala Document Management to manage workflow roles and also access to documents with an applied workflow. In addition, the app can add, remove, and set Confluence page-level restrictions.

    Confluence hierarchy

    The roles and permissions for both Confluence and workflows are based on the topology of Confluence itself.


    Workflows, roles, and permissions exist at all three levels of the hierarchy.

    Page refers to pages and blog posts.

    Confluence permissions

    For an overview of Confluence permissions, see Atlassian Confluence permissions and restrictions.

    The following workflow trigger action macros can be used to change page-level restrictions as a response to a workflow event:

    • add-restriction macro — Add content view/edit permissions
    • remove-restriction macro — Remove content view/edit permissions
    • set-restrictions macro — Reset content view/edit restrictions

    Confluence roles

    These are the standard roles in Confluence, and how they relate to Comala Document Management.

    Role

    Notes

    Anonymous

    Anyone who is not logged in to Confluence.

    User

    Must be logged in to Confluence.

    Comala add-on user

    Comala app user used for workflow

    Space administrator

    Responsible for

    • Setting space permissions for content access, editing, and deletion

    • Selecting which space workflows are in the space and whether they are active

    • Space-level app configuration, including workflow notifications.

    Global administrator

    Responsible for:

    • global workflows in the instance, and which workflows are active so they can be added to a space as a space workflow, and are available to add as a page workflow

    • app global configuration, including workflow notifications

    The global administrator can set

    • which spaces can use page workflows and space workflows

    • type of e-signature credentials required for reviewer authentication. They can also manage the expiry of existing user authentication app tokens or remove user authentication

    System administrator

    Responsible for

    • Installation, updating, or changing the Comala Document Management app in your instance

    Workflow permissions

    These are the permissions from the perspective of Comala Document Management:

    Permission

    Notes

    View content

    Users who can view the content

    This requires all of the following Confluence permissions:

    • "Can use" – Global permission

    • "View" – Space permission

    • "View" – Page (or blog post) permission, or no page-level restrictions

    Users who only have this permission are sometimes referred to as "Viewers", "View-only users", or "Read-only users".

    Edit content

    Users who can edit the content (including Admins)

    This requires all of the following Confluence permissions:

    • The permissions listed for "View" above

    • "Add" – Space permission

    • "Edit" – Page (or blog post) permission, or no page-level restrictions

    Workflow admin

    Users who can administer the workflow at the content level.

    This requires any of the following Confluence permissions:

    • System administrator

    • Global administrator

    • Space administrator

    You can define additional Workflow Admin users, even if they don't have any of the three permissions listed above, by adding users to the adminusers property of the workflow macro. This grants the listed users the Workflow Admin permission for that particular workflow, and all the content it is applied to.

    Workflow roles

    Workflow roles relate to interactions with the content and the workflow applied to it:

    Role

    Notes

    Viewer

    Consumer of content

    • Must have View content permission

    Author

    Responsible for producing (creating, editing) content

    • Must have Edit content permission

    Assignee

    A user who is

    • assigned as a reviewer to an approval, or

    • assigned to a workflow task

    Assignment is optional by default, but can be required or prevented in the workflow or app configuration.

    See:

    • Who can be assigned, or assign users to an approval

    • approval macro

    • task macro

    Reviewer

    Responsible for reviewing content.

    See:

    • Approvals

    • Content reviews

    Must have Edit content permission

    Reviewers can optionally be required to authenticate their identity prior to making a review.

    See:

    • Reviewer authentication

    Approver or rejector

    A Reviewer who has either approved or rejected content during a content review.

    These can be used in some of the compatible third-party apps. The values can be accessed using the Workflow supplier or as a value reference.

    In some elements of the user interface and macros, the term Approver is used to refer to a Reviewer or Assignee.

    Producer

    Collective term for Authors, Assignees, and Reviewers.

    Namely, all users who have Edit content permission.

    Workflow Admin

    Can force workflows into a specific state on a page-by-page basis.

    See:

    • Administrator state override

    Can remove stickylabels

    See:

    • workflow macro

    Must have Workflow Admin permission

    When applying workflows at the space-level, Confluence administrators and space administrators can use the Initialize feature to bulk transition all documents for a given workflow into a given state.
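The derivation rules in "Workflow permissions" and the role prerequisites in "Workflow roles" can be checked mechanically during an access review. The sketch below is an added example, not code from Comala or Appfire: the `Grants` model, function names, and sample users are constructed, and it follows only the "requires all/any of" lists and the `adminusers` rule stated above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grants:
    """Constructed model of one user's Confluence grants for one page."""
    can_use: bool = False      # "Can use" global permission
    space_view: bool = False   # "View" space permission
    space_add: bool = False    # "Add" space permission
    page_view: bool = True     # True also when the page has no view restriction
    page_edit: bool = True     # True also when the page has no edit restriction
    admin_levels: frozenset = frozenset()  # subset of {"system", "global", "space"}

def view_content(g):
    # All three Confluence permissions are required.
    return g.can_use and g.space_view and g.page_view

def edit_content(g):
    # Everything needed for View, plus "Add" on the space and "Edit" on the page.
    return view_content(g) and g.space_add and g.page_edit

def workflow_admin(user, g, adminusers=()):
    # Any one admin level suffices; adminusers grants it for one workflow.
    return bool(g.admin_levels) or user in adminusers

def eligible_roles(user, g, adminusers=()):
    roles = set()
    if view_content(g):
        roles.add("Viewer")
    if edit_content(g):
        roles |= {"Author", "Reviewer"}
    if workflow_admin(user, g, adminusers):
        roles.add("Workflow Admin")
    return roles

def adminusers_only(users, adminusers):
    """Users whose Workflow Admin permission comes solely from adminusers."""
    return sorted(u for u, g in users.items()
                  if u in adminusers and not g.admin_levels)

# Constructed sample data for illustration only.
USERS = {
    "alice": Grants(True, True, True, admin_levels=frozenset({"space"})),
    "bob": Grants(True, True, True),
    "carol": Grants(True, True),
    "dave": Grants(True, True, True, page_edit=False),
}
ADMINUSERS = {"bob"}  # value of the workflow macro's adminusers property

if __name__ == "__main__":
    for name, grants in USERS.items():
        print(name, sorted(eligible_roles(name, grants, ADMINUSERS)))
    print("admin via adminusers only:", adminusers_only(USERS, ADMINUSERS))
```

Users returned by `adminusers_only` can force state changes on every page the workflow is applied to without holding any Confluence admin permission, so they are worth listing in periodic access reviews.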

    Page mode

    When a space is running in page mode, users with Edit content permission can apply a page workflow and edit the applied workflow using the page tools menu:

    • Apply a workflow to a single page

    • Add Workflow - page tools

    • Edit Workflow - page tools

    Space mode

    When a space is running in space mode, a space workflow has been made active in the document management dashboard and applied to all the pages and blog posts in the space by a space administrator. On pages with the space workflow applied, there are no options for editors to add or remove the workflow:

    • Apply a workflow to all the pages and blog posts in a space

    • Document Management - space tools

    App configuration

    Setting

    Use

    Where

    Notes

    Workflow Activity and Drafts Visibility

    Can users who only have View content permission (but not Confluence edit or admin permission) view documents in a draft workflow state when the workflow includes a final state?

    • Configuration - Global

    • Configuration - space tools

    • Default setting: View-only users can only view the last approved version created on transition to the workflow final state (if present)

    • Option: Visibility set to let view-only users view content in a workflow draft state

    See:

    • Same-space publishing

    • Activity Report - Content

    Tasks mode

    Can users other than the task creator and assignee complete or assign tasks?

    • Configuration - Global

    • Configuration - space tools

    • Default setting: Lenient. Any user with view and edit permission can complete a task

    • Option: Strict. If user is assigned, only the assignee can complete the task

    Space workflows

    Which spaces in the instance can use and apply space workflows?

    • Configuration - Global

    • Default setting: Any

    Space workflows can be restricted to added space keys.

    Page workflows

    Which spaces in the instance can use and apply page workflows?

    • Configuration - Global

    • Default setting: Any

    Page workflows can be restricted to added space keys.

    Workflow Importer Group

    Which Confluence administrators and space administrators can import workflows from the Workflows Exchange repository?

    • Configuration - Global

    See:

    • Import - Global

    • Import - space tools

    Email any address

    Can email addresses that are not associated with a Confluence instance be used in the send-email macro in a workflow trigger custom email notification?

    • Configuration - Global

     

    Default view

    When using same-space publishing, should users with Edit content permission see the draft or the last published (final state) version of content by default?

    • Configuration - space tools

     

    Testing roles and permissions

    Whilst developing and testing workflows, it is useful to view the content from the perspective of another user – such as a Viewer, or a Reviewer – to check that the interface, permissions, notifications, etc., are working as you expect.

    A third-party app, Switch User (SU) for Confluence, can be useful in this context. If you are more adventurous, you could probably do something similar using Adaptavist ScriptRunner.

    Related pages

    • Configuration - Global – Global app permissions

    • Configuration - space tools – Space-level app permissions

    • Notifications – Limit notifications to users, groups, workflow roles, etc.

    • Publishing – Prevent view-only users from seeing draft (unpublished) content
