mwang@atlassian.com 9574dabfb3a9 
Based on your "Latest Update" which describes Default Space Assignment, is there some way to define default permissions for this default guest assigment group?

The only ways I've found to define specific space permissions to users or groups is under /Space Permissions/, and none of the options enable defining a 'default permission set' for guests added via this 'default guest assignment group'.

The GUEST GROUP "confluence-guests-<org-name-string>" can not be saved or interacted with under /Space Permissions/Groups/ since this section is designed for 'Member Groups' only. This in turn blocks the ability to customize the default permissions for this group here. 

Its also impossible to add this guest default group under /Space Permissions/Guests/ because this section only accepts 'guest users'. It doesn't allow for 'guest group' to be added. 

Is there possibly another solution? 

The lack of setting default permissions on this feature unfortunately kills it out of the gate, unless Im overlooking something? 
Having all these guests automatically added but still requiring that we remember to go and individually customize and re-save guest permissions by user would be burdensome and unrealistic. 

Hopefully Im overlooking and obvious solution! But I have looked for a couple of hours now. 

Hey there,
do you have an ETA for this feature? We are looking to Confluence guest users at the moment. Putting users into groups is essential for user management. This applies to external users as well.

At the momentan we would have to add the manually or via API if at all possible.

I would like to add our name to the hat on this one. 

We absolutely need the ability to use groups so we can scale and segregate access into spaces for guests.

This should 100% function just like internal users, this should be straight-forward with the how it works, don't change the model - you already have a great system for User/Group/Permissions to spaces. 

Just make Guest Groups function the same exact way

• Do all of your guests always need to work within the same space? How do you manage it otherwise?
  • No, our guests are segregated by the companies they work for, we cannot have guests access the same space.
  • Right now because the tool only lets us use users for guests, manual entry.
  • We have users who are View and Edit – we have to manually assign this instead of doing this using Groups - such a pain!
• Do you assign different guest groups to different spaces?
  • Yes we have a naming standard and we build groups today, in hopes we can directly add the Guest Group to a Space
• Where do you expecting guest group space assignment to happen?
  • In the Space, on the Guest "tab", exactly like the internal user mechanism works today
• What is your expectation when new group members added or removed? Are they added or removed from the space?
  • My expectation would be how all the normal user/group functionality works today, no difference.
  • If a user is added to a group - they get access however that group has access
  • If a user is removed from the group, they no longer have access to anything 
  • If the group is removed from the space, then all users of that group are removed
• Do you have any conditions where a guest could be in multiple groups? What is the expectation when this occurs?
  • Yes, we could have a Partner vs a Customer as a guest.
  • I would create a group for the Partner - and apply access to that Partner Group - to whichever spaces they need

I'd be very happy if i could create groups of customers (for different companies) - create spaces for them and manage the guest access by a group name like "customer-confluence-guest" group

• Do all of your guests always need to work within the same space? How do you manage it otherwise? -> no, different guests, different spaces, in the moment per user, i'd like groups
• Do you assign different guest groups to different spaces? -> yes
• Where do you expecting guest group space assignment to happen? -> space setting
• What is your expectation when new group members added or removed? Are they added or removed from the space? -> new group members should have access to the space i set up for the group
• Do you have any conditions where a guest could be in multiple groups? What is the expectation when this occurs? -> maybe - for different types of users like "legal, engineering, secret project team etc.."

Hey all,

I wanted to jump in here, I hope you're all enjoying some of the enhancements we've made for making it a bit easier to manage guests at scale. While we continue to make progress in this area, I wanted to share a potential short term solution for those of you that are leveraging our Confluence REST APIs.

What I've heard, is that there is a need to assign all guests, within a group, access to the same space. While default space access is a really good start, there may be some edge cases around it (maybe multiple groups needing different sets of space access).

The existing APIs that I wanted to highlight that could be leveraged to build a custom solution around space assignment, would be the following:

• https://developer.atlassian.com/cloud/confluence/rest/v1/api-group-group/#api-wiki-rest-api-group-get
• https://developer.atlassian.com/cloud/confluence/rest/v1/api-group-group/#api-wiki-rest-api-group-groupid-membersbygroupid-get
• https://developer.atlassian.com/cloud/confluence/rest/v1/api-group-space-permissions/#api-wiki-rest-api-space-spacekey-permission-post

Leveraging those APIs we should be able to identify all guest users in a given group, and grant the required space permissions to "assign" space access for a guest (guests by default always be granted read:space, create:page, create:comment, and create:attachment on a given space).

Below is an example of a script that will use the APIs listed above to take a group name, lookup all of the guest users within that group, and assign the correct space permissions if possible (the space permission endpoint will return an error if the guest user already has a space assigned).

#!/bin/bash
groupName="[insert-group-name-here]" # The name of the guest group you want to assign spaces for
spaceKey="[insert-space-key-here]"   # The space key of the space you want to assign to your guests
hostname=[insert-confluence-domain-here] # The domain for your Confluence site

result=$(http GET "$hostname/wiki/rest/api/group")

groupId=$(echo $result | jq -r '.results[] | select(.name=="'$groupName'") | .id')

result=$(http GET "$hostname/wiki/rest/api/group/$groupId/membersByGroupId?expand=isExternalCollaborator")

guestIds=$(echo $result | jq '.results[] | select(.isExternalCollaborator==true) | .accountId')
guestIds=($guestIds)

echo "Start assigning space permissions on $spaceKey for ${#guestIds[@]} guests..."

for guestId in "${guestIds[@]}"; do    
(        
  if http --check-status --ignore-stdin POST "$hostname/wiki/rest/api/space/$spaceKey/permission" --raw '{ "subject": { "type": "user", "identifier": '"$guestId"' }, "operation": { "key": "read", "target": "space"}}' &>output.txt:; then            
    echo "✅ successfully assigned read:space on $spaceKey for $guestId"
    if http --check-status --ignore-stdin POST "$hostname/wiki/rest/api/space/$spaceKey/permission" --raw '{ "subject": { "type": "user", "identifier": '"$guestId"' }, "operation": { "key": "create", "target": "page"}}' &>output.txt:; then                
      echo "✅ successfully assigned create:page on $spaceKey for $guestId"            
    else                
      echo "❌ failed to assign create:page on $spaceKey for $guestId"            
    fi
    if http --check-status --ignore-stdin --meta POST "$hostname/wiki/rest/api/space/$spaceKey/permission" --raw '{ "subject": { "type": "user", "identifier": '"$guestId"' }, "operation": { "key": "create", "target": "comment"}}' &>output.txt:; then                
      echo "✅ successfully assigned create:comment on $spaceKey for $guestId"            
    else                
      echo "❌ failed to assign create:comment on $spaceKey for $guestId"            
    fi
    if http --check-status --ignore-stdin --meta POST "$hostname/wiki/rest/api/space/$spaceKey/permission" --raw '{ "subject": { "type": "user", "identifier": '"$guestId"' }, "operation": { "key": "create", "target": "attachment"}}' &>output.txt:; then                
      echo "✅ successfully assigned create:attachment on $spaceKey for $guestId"            
    else                
      echo "❌ failed to assign create:attachment on $spaceKey for $guestId"            
    fi        
  else            
    echo "❌ failed to assign read:space on $spaceKey for $guestId"        
  fi    
)
done

echo "Finished assigning space permissions on $spaceKey for ${#guestIds[@]} guests..."

Hopefully this information is helpful, if there are any questions, please reach out!

+1, hard to believe we need to manage hundreds or even thousands of users manually.

Hi all,

We are happy to announce that we have launched 2 new solutions for guest groups to be assigned to spaces.

1. Default Space Assignment: If all of your guests need to be added to the same space, you can leverage Default Space Assignment to assign newly added guests to the same Confluence space. Once the Default Space Assignment is set up, you no longer need to separately assign guests to a space (unless you would like to).
2. Guest Space Assignment with Automations: You can create and schedule an automation rule to assign (and unassign) existing and future guests to a designated space. Particularly useful for unassigned guests that have been added prior to the Default Space Assignment feature being launched. 

As a next step, we will be exploring allow guest groups to be identified in Automations so we can automate guest group assignment to a specific space.

If you have any questions, please feel free to leave them in the comments below!

Thanks,
Morgan, Confluence Product Manager

Do all of your guests always need to work within the same space? How do you manage it otherwise?

No. We use paid user.
Do you assign different guest groups to different spaces?

If they need to access to different space yes. Otherwise, no, only to one space.
Where do you expect guest group space assignment to happen?

Either in the same place as for the users, or best directly in the expected space.
What is your expectation when new group members added or removed? Are they added or removed from the space?

Yes of course is the user is not member of the group, he must be removed of the space
Do you have any conditions where a guest could be in multiple groups? What is the expectation when this occurs?

It can and for now we use paid user so he can access to multiple space. If the limitation is one space I think the solution is to limit guest to one group only.

• Do all of your guests always need to work within the same space? How do you manage it otherwise?
  Yes, for now, but we do have plans to have different guests accessing a different space.
• Do you assign different guest groups to different spaces?
  We only have a single space for guests for now.
• Where do you expecting guest group space assignment to happen?
  On the space permission management screen. I.e. where you assign normal groups too.
• What is your expectation when new group members added or removed? Are they added or removed from the space?
  yes.
• Do you have any conditions where a guest could be in multiple groups? What is the expectation when this occurs?
  We don't (unless it'd be possible to have a guest access multiple spaces, what we'd possibly welcome).

Hi there,

• Do all of your guests always need to work within the same space? How do you manage it otherwise?
  • All guest users of one "use case" (e.g. project) only need to work in one space. But since we have different use cases, these groups would need to work in different spaces. If we have external users with the need to work in more than one space, then they get a user license.
• Do you assign different guest groups to different spaces?
  • yes, see above
• Where do you expecting guest group space assignment to happen?
  • in the project permissions, where you can already add guest users
• What is your expectation when new group members added or removed? Are they added or removed from the space?
  • yes, when the guest is added to the group and the group is permitted for a space, then the guest gets access to the space. Same with removal from the group.
• Do you have any conditions where a guest could be in multiple groups? What is the expectation when this occurs?
  • For us there's no need to put guests in more than one group, so I'd restrict the group count for guests to 1.