-
Suggestion
-
Resolution: Low Engagement
-
None
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.
For large confluence installation it is important to have RemoteAPI access to Confluence, but at the same time, it is not desirable to give the remote access to everyone and everywhere. For this reason a new permission that would control access to the remote API is needed.
It is unimaginable to have Confluence admins of big instances decide who should get the remote api access and for which space. Such a decision should be delegated to the space admins, which are the content owners for the given space and can make a qualified decision about the access via the RemoteAPI for their space.
For this reason a new space permission is needed. This space permission would be controlled as any other permission via the Space Admin -> Permissions view.
A patch with this functionality was developed against Confluence 2.x and the patch provided is rebased for 2.10.2. Patch was written in a minimalistic way in order to introduce minimal performance penalty and make it easy to port it between different confluence versions.
In our case we wanted to restrict access to global remote api calls only to confluence admins as well, so we created a patch for that too (attached as remote-api-admin-authorization.patch). It would be nice if this patch was rewritten so that an individual global permission to access these global methods exists too, but this isn't as important for us as having the space permission patch accepted to the confluence source base. I'm attaching both patches just to give you an idea of what we do. It's up to you if you decide to take the admin patch and rewrite it so that a global permission exists as well.
The order in which patches should be applied to confluence source base is remote-api-admin-authorization.patch -> remote-api-authorization.patch.
- relates to
-
- Gathering Interest
- mentioned in
-
![[Extranet] Page](/images/icons/generic_link_16.png "[Extranet] Page")
Page
Failed to load
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[CONFSERVER-15160] Remote API Access Space Permission (PATCH)
Our company is in a similar situation, though very useful and powerful the remote API can be misused or possibly even dangerous in some hands. In our case turning it off isn't an option since we require it for a some admin functions that don't work well through the standard interface and have now started integrating other applications into the Wiki using this interface. Having a bit more control on who can use it would go a long way to resolving this.
Hello,
Thank you for submitting this suggestion. We appreciate you taking the time to share your ideas for improving our products, as many features and functions come from valued customers such as yourself.
Atlassian is committed to enhancing the security and compliance of our Data Center products, with an emphasis on sustainable scalability and improving the product experience for both administrators and end-users. We periodically review older suggestions to ensure we're focusing on the most relevant feedback. This suggestion is being closed due to a lack of engagement in the last four years, including no new watchers, votes, or comments. This inactivity suggests a low impact. Therefore, this suggestion is not in consideration for our future roadmap.
Please note the comments on this thread are not being monitored.
You can read more about our approach to highly voted suggestions here and how we prioritize what to implement here.
To learn more about our recent investments in Confluence Data Center, please check our public roadmap and our dashboards, which contain recently resolved issues, current work, and future plans.
Kind regards,
Confluence Data Center