Decide how to manage the space permissions of individual users.

For using an Extranet Space the extranet users need several Confluence permissions.

Since version 2.0 Space Privacy provides two options to give users access to Extranet Spaces

• Extranet permission groups (recommended)
• Single permissions

When to change the permission concept? 

If your infrastructure does not allow write permission for groups, we highly recommend to grant these rights. The ability to add groups to a direcotry user, does not mean that other user attributes (name, email, etc.) can be also modified - so there is no security risk (see User Directory Configuration for further information).

If, for whatever reason, you do not want to grant the required rights, then you have to use the 'Single permissions' concept.

 Please note that changing the permission concept is only possible, if no extranets exist so far. So if you already have Extranet Spaces, you have to convert them to standard Confluence spaces, which removes the given permissions and settings.

Our recommended way to use Space Privacy! Global Confluence and space permissions for extranet users are set via Confluence groups.

Extranet users gain their permission to use Confluence by being added to the 'extranet-users' group created by the app. On a space level extranet users get their space permissions by being added to one of the 'extranet permissions groups', which define the rights for extranet roles (e.g. 'Watcher'). A newly created extranet user will furthermore be part of the 'participant' group. This group can be used to get an overview over all directly created users in the extranet.

So if you create a user as 'Watcher' in an Extranet Space, the user will become a member of 3 groups: 'extranet-users', 'extranet-<SPACEKEY>-users-consumer' and 'extranet-<SPACEKEY>-users-extranet_participant'.

 Please note, that assigning a user via a Confluence group will only add the user to the 'extranet-users' group and not to the 'extranet permission group'

Why use extranet permission groups?

We recommend to use this permission concept because

• the global and space permissions view is way clearer
• you can use the 'extranet permission groups' to adress members of a role in an extranet
• the extranet user manager can used as a role between normal users and space administrator

As not all infratructures allow the writing permissions for groups or you simply do not want to grant this permissions, this is the way to go. All extranet user gain their rights by single permissions (global and space). So creating users in an Extranet Space will lead to global "can use Confluence" permissions and space permissions according to the selected role. For example creating a new extranet user as 'Watcher' will give a global 'can use Confluence' permission and the 'view space' permission to the user.

Removing an extranet user from an Extranet Space, will lead to a removal of global and space permissions for this user. This is not the case if the user has extended global permissions (e.g. 'Personal Space' permission) or is space admin in the extranet.

 Please note that the role 'extranet user manager' cannot be used with single permissions