Skip to end of banner
Go to start of banner

Using Parameter Restrictions - 4.x

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Some macros support Parameter Restrictions, offering a means to apply more granular restrictions. The Macro Security Managed Macros page details which macros support Parameter Restrictions and the parameters that are available.

For instance, the SQL macro supports the following Parameter Restrictions in addition to the "sql =" Use Restriction.

  • sql.datasource
  • sql.limit
  • sql.disableAntiXss
  • sql.querytimeout

The SQL macro's documentation explains what each of these parameters accomplishes, but the entry within the Macro Security app configuration screen is similar to what is described on the Using Use Restrictions  page.

There are some special caveats about Parameter Restrictions:

  1. A Parameter Restriction only applies when the user tries to change the parameter value to something different than the default.
  2. If a Parameter Restriction is defined for the limit parameter (available on the SQL, SQL File and SQL Query macros),  it is only put into effect if the user provides a parameter value that is greater than the Limit Rows Processed setting that an administrator sets in the SQL app's configuration.

Parameters that are "By Value"

Some of the Parameter Restrictions documented on the Macro Security Managed Macros page are noted as being "(by value)". This allows even more specificity about how the Parameter Restriction is to be applied.

For the SQL macro, only the datasource parameter is "by value." This means that you can add ".*" to the end of the parameter to have it apply to all names (of datasources, in this example) or you can add entries for one or more specific datasource names.

Parameter RestrictionWhat It Means...
sql.datasource.* = confluence-administrators

Only members of the confluence-administrators group can use the SQL macro with its datasource parameter set to datasources of any name.

sql.datasource.exampledb = confluence-administrators
sql.datasource.hr = hr-managers
Only members of the confluence-administrators group can use the SQL macro with its datasource parameter set to "exampledb" and only members of the hr-managers group can use the SQL macro with its datasource parameter set to "hr."



How Parameter Restrictions Work with Use Restrictions

The Parameter Restrictions are applied "on top" of the Use Restriction for that macro. In other words, unless the Trusted Spaces approach for macro security is being used, an "edit" page restriction must match (only) whatever userids and/or group names are referenced in both the Use Restriction condition and the Parameter Restriction.

The following table provides some examples of correct and incorrect combinations. In these examples, assume that userid "bswift" is not a member of any of the named groups.



  • No labels