Skip to end of banner
Go to start of banner

Using Use Restrictions

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Each macro that can be restricted must have a configuration entry. For example, the Cache macro might have an entry that looks like one of the following:

cache = *ANY
cache = confluence-administrators
cache = confluence-administrators, trusted-users-cache
cache = bswift
cache = space:DEMO

In the above example:

  • "cache" is the property key and the information after the equal sign (=) is the property value.
  • Both property keys and property values are case-sensitive.
  • Property values are a comma separated list of groups or userids, or space keys in the form of space:xxx where "xxx" is the space key.
  • Line 1 uses *ANY to denote that anyone can add and edit the Cache macro in Confluence content, effectively making its use "unrestricted."
  • Line 2 indicates that the Cache macro can only be added and edited by members of the "confluence-administrators" group. (Content using the Cache macro would require an "edit" page restriction indicating only members of the "confluence-administrators" group can edit the page.)
  • Line 3 indicates that the Cache macro can only be added and edited by members of either the "confluence-administrators" or "trusted-users-cache" group. (Content using the Cache macro would require an "edit" page restriction indicating that only members of the "confluence-administrators" group and/or "trusted-users-cache" group can edit the page.)
  • Line 4 indicates that the Cache macro can only be added and edited by the user "bswift". (Content using the Cache macro would require an "edit" page restriction indicating only user "bswift" can edit the page.)
  • Line 5 indicates that the Cache macro can only be added and edited on content residing in the space having a space key of "DEMO." (The space would require space-level permissions that indicate only trusted users and/or groups can add pages, blogs or comments. These trusted users and/or groups need not be listed in the properties file on the entry—like this one—that uses space-based Macro Security.)

You can also combine several of these into a single entry if you like, such as:

cache = confluence-administrators, trusted-users-cache, bswift

Parameter Restrictions

Some macros support Parameter Restrictions, offering a means to apply more granular restrictions. The Macro Security Managed Macros page details which macros support Parameter Restrictions and the parameters that are available.

For instance, the SQL macro supports the following Parameter Restrictions in addition to the "sql =" Use Restriction.

  • sql.datasource
  • sql.limit
  • sql.disableAntiXss
  • sql.querytimeout

You would need to look at the SQL macro's documentation to understand what each of these parameters accomplishes, but the syntax within the properties file is similar to what is shown above under Use Restrictions.

There are some special caveats about Parameter Restrictions:

  1. A Parameter Restriction only applies when the user tries to change the parameter value to something different than the default.
  2. If a Parameter Restriction is defined for the limit parameter (available on the SQL, SQL File and SQL Query macros),  it is only put into effect if the user provides a parameter value that is greater than the Limit Rows Processed setting that an administrator sets in the SQL add-on's configuration.

Parameters that are "By Value"

Of the above Parameter Restrictions, per the Macro Security Managed Macros page, only the "sql.datasource" parameter is noted as "(by value)". This means that you can add ".*" to the end of the parameter to have it apply to all names (of datasources, in this example) or you can add entries for one or more specific datasource names.

Parameter RestrictionWhat It Means...
sql.datasource.* = confluence-administrators

Only members of the confluence-administrators group can use the SQL macro with its datasource parameter set to datasources of any name.

sql.datasource.exampledb = confluence-administrators
sql.datasource.hr = hr-managers
Only members of the confluence-administrators group can use the SQL macro with its datasource parameter set to "exampledb" and only members of the hr-managers group can use the SQL macro with its datasource parameter set to "hr."

On this page:

How Parameter Restrictions Work with Use Restrictions

The Parameter Restrictions are applied "on top" of the Use Restriction for that macro. In other words, an "edit" page restriction must match (only) whatever userids and/or group names are referenced in both the Use Restriction condition and the Parameter Restriction.

The following table provides some examples of correct and incorrect combinations:

 

 

 

 

 

 

 

 

 

 

 

 

 

  • No labels