The user directories configured in your Confluence instance need to fulfill some requirements for Space Privacy to work correctly.
If the creation of (or a conversion to) an extranet space fails, check if all user directories are available. The Space Privacy app uses a Confluence mechanism which requires a valid connection to all user directories.
As a workaround, you may temporarily disable the broken user directory.
Required user directory permissions
Space Privacy creates its own groups to manage the permissions and visibilities between users.
Therefore, the user directories configured in your Confluence instance need to fulfill the following permission requirements:
- LDAP (at least "Read Only, with Local Groups") with Confluence Internal Directory
- LDAP (Read/Write)
- Crowd (Read/Write)
Check user directory permissions
After installing Space Privacy you will see a message showing you the status of your user directories. Click on the Check user directory permissions link.
Alternatively, navigate to Confluence administration → Space Privacy → Configuration → User Directories and select the User Directories Check option.
A detailed overview of your user directories will be shown here. This overview also shows if a user directory is compatible with Space Privacy.
If the status is set to WRITEABLE, the user directory is compatible with Space Privacy. If the status is set to READ ONLY, you might want to change it to WRITEABLE wherever the write permission is needed (for example for LDAP or Crowd).
Directories check results
All requirements are met
If all requirements are met, the User Directories Check will display a green affirmative message.
Some requirements are not met
If some requirements are not met, the User Directories Check will display a red warning message.
This doesn't have to be a problem. As long as you only assign users from "writable" user directories, Space Privacy will work fine.
If you allow extranet users to be created, make sure that the newly created users won't be stored in a "read only" directory.
No requirements are met at all
If all user directories grant only read-only permissions, Space Privacy will not work.
There are two options to fix this:
- Change the permissions of the user directories which are marked as read-only (next section)
- Activate the restricted mode
Space Privacy will inform you if you can only use the app in a restricted mode.
Restricted mode means that permissions for users in extranet spaces can only be assigned individually (and not to extranet groups).
Furthermore, there are some limitations when using this mode:
- The Extranet User Manager administrator role is not available.
- The creation of new Extranet users can only be done by administrators.
More information about the restricted mode
Please note that switching between restricted and unrestricted mode is not easy when Space Privacy is already in active use.
To activate the restricted mode, all extranet spaces must be transformed into default spaces.
Important: The space content will not be lost. Yay!
What is lost due to the conversion?
- All assigned users will lose their permissions to the spaces – except for the space admins.
- All permissions for the spaces will need to be set again.
How to enable the restricted mode
To enable the restricted mode, navigate to Confluence administration → Space Privacy → Configuration → User Directories. Then, click on the Restricted Mode headline to open the right sub-menu.
Select the Activated radio button.
If extranet spaces exist in your system, a warning will appear. You need to transform those extranet spaces into default ones.
To do so, click on the Convert extranet spaces to default spaces link.
You will be taken to another warning. Click on the Start conversion button.
Navigate back to Space Privacy → Configuration → User Directories → Restricted Mode.
Select the Activated radio button.
If your user directories support Space Privacy without restrictions but the restricted mode is still enabled, a note explaining this will be displayed.
Change user directory permissions
Confluence Internal Directory
This is the internal user directory of Confluence. Atlassian recommends not disabling it. Fortunately, this user directory never causes any problems for Space Privacy.
You can find more information about user directories here: Configuring User Directories.
If an LDAP directory is connected to your Confluence instance, you should edit the directory and activate the "Read Only, with Local Groups" option. By default, "Read Only" is set.
Please note that this option is not necessary if you use the "Internal with LDAP-Authentication" configuration.
Jira Server / Crowd
There is no “Read Only, with Local Groups” option in Jira Server or Atlassian Crowd.
Follow this guide to configure this correctly.
Activate the “Read/Write” permission for the user directory (Jira Server or Atlassian Crowd).
Then, activate the option “Read Only, with Local Groups” in the tethered user directory.
Navigate to your Crowd directory and then the Connector tab. Now, allow local groups. To do so, activate the Manage groups locally button.
Add group permissions
Activate the Add group, Modify group and Remove group permissions.