Summary
For add-ons that have this option (see Supporting Add-ons table shown on the right), administrators can establish some spaces as being secure places for restricted macro capabilities. This allows administrators to use space permissions, rather than "edit" page restrictions, to control who can create or edit content that uses a restricted macro.
Use Case
An administrator has a space that already has space-level permissions governing who can create content in the space, limiting it to certain trusted users. The administrator would like to allow restricted macros to be used on pages in that space without needing to use "edit" page restrictions.
Syntax
The following syntax in the Macro Security add-on's configuration properties file will allow content within a space to be authorized without requiring a page restriction: space:SPACEKEY
This syntax can be used instead of or in addition to specifying trusted users and/or groups in the list of authorized entries. In addition, it can be used on Use Restrictions as well as the Parameter Restrictions in the configuration properties file. (Refer to the Understanding How Macro Security Works page for more information about Use Restrictions and Parameter Restrictions.)
sql = confluence-administrators, executive-management, space:BIZDATA, space:FINANCE
sql.datasource.bizData = space:BIZDATA
The meaning of the above configuration is as follows:
- Line 1
- Pages that have an "edit" page restriction to confluence-administrators or executive-management will be allowed to create or edit content using the SQL macro, and
- Any pages in spaces with keys BIZDATA or FINANCE will be allowed to use the SQL macro (with or without any specific "edit" page restrictions).
- Line 2
- Only pages in space BIZDATA can use the bizData datasource with the SQL macro. Other datasources can be used by authorized users in the BIZDATA space or other spaces.
Controlling access through space permissions
When configuring space-level permissions in spaces for which Trusted Spaces macro security has been configured, Confluence Administrators and Space Administrators must ensure that:
- Only users who are trusted to use that macro capability are allowed to edit content.
- Non-trusted users are not allowed to edit content.
If this criteria cannot be met or the space permissions need to be less strict, then do not use space-based macro security!
Examples
Assume that Macro Security has been configured to say that only content in the Demonstration space (spaceKey = DEMO) is trusted to use the SQL macro.
If page resides in a space with this spaceKey... | The rendering of the Panel macro will be... | The rendering of the SQL macro will be... | Notes |
---|
| successful | successful | The SQL macro is rendered successfully because the spaceKey of the space in which the page resides is a "trusted" one per the properties file. Note, however, that Macro Security will not validate the space permissions or the "edit" page restrictions in any way. |
| successful | unsuccessful Error: "Error rendering macro 'sql': Security restricted macro is not allowed. An edit restriction is required that matches the macro authorization list." | The SQL macro is rendered unsuccessfully because the spaceKey doesn't match a "trusted" spaceKey in the properties file. |