mwang@atlassian.com 9574dabfb3a9 
Based on your "Latest Update" which describes Default Space Assignment, is there some way to define default permissions for this default guest assigment group?

The only ways I've found to define specific space permissions to users or groups is under /Space Permissions/, and none of the options enable defining a 'default permission set' for guests added via this 'default guest assignment group'.

The GUEST GROUP "confluence-guests-<org-name-string>" can not be saved or interacted with under /Space Permissions/Groups/ since this section is designed for 'Member Groups' only. This in turn blocks the ability to customize the default permissions for this group here. 

Its also impossible to add this guest default group under /Space Permissions/Guests/ because this section only accepts 'guest users'. It doesn't allow for 'guest group' to be added. 

Is there possibly another solution? 

The lack of setting default permissions on this feature unfortunately kills it out of the gate, unless Im overlooking something? 
Having all these guests automatically added but still requiring that we remember to go and individually customize and re-save guest permissions by user would be burdensome and unrealistic. 

Hopefully Im overlooking and obvious solution! But I have looked for a couple of hours now. 

Hey there,
do you have an ETA for this feature? We are looking to Confluence guest users at the moment. Putting users into groups is essential for user management. This applies to external users as well.

At the momentan we would have to add the manually or via API if at all possible.

I would like to add our name to the hat on this one. 

We absolutely need the ability to use groups so we can scale and segregate access into spaces for guests.

This should 100% function just like internal users, this should be straight-forward with the how it works, don't change the model - you already have a great system for User/Group/Permissions to spaces. 

Just make Guest Groups function the same exact way

• Do all of your guests always need to work within the same space? How do you manage it otherwise?
  • No, our guests are segregated by the companies they work for, we cannot have guests access the same space.
  • Right now because the tool only lets us use users for guests, manual entry.
  • We have users who are View and Edit – we have to manually assign this instead of doing this using Groups - such a pain!
• Do you assign different guest groups to different spaces?
  • Yes we have a naming standard and we build groups today, in hopes we can directly add the Guest Group to a Space
• Where do you expecting guest group space assignment to happen?
  • In the Space, on the Guest "tab", exactly like the internal user mechanism works today
• What is your expectation when new group members added or removed? Are they added or removed from the space?
  • My expectation would be how all the normal user/group functionality works today, no difference.
  • If a user is added to a group - they get access however that group has access
  • If a user is removed from the group, they no longer have access to anything 
  • If the group is removed from the space, then all users of that group are removed
• Do you have any conditions where a guest could be in multiple groups? What is the expectation when this occurs?
  • Yes, we could have a Partner vs a Customer as a guest.
  • I would create a group for the Partner - and apply access to that Partner Group - to whichever spaces they need

I'd be very happy if i could create groups of customers (for different companies) - create spaces for them and manage the guest access by a group name like "customer-confluence-guest" group

• Do all of your guests always need to work within the same space? How do you manage it otherwise? -> no, different guests, different spaces, in the moment per user, i'd like groups
• Do you assign different guest groups to different spaces? -> yes
• Where do you expecting guest group space assignment to happen? -> space setting
• What is your expectation when new group members added or removed? Are they added or removed from the space? -> new group members should have access to the space i set up for the group
• Do you have any conditions where a guest could be in multiple groups? What is the expectation when this occurs? -> maybe - for different types of users like "legal, engineering, secret project team etc.."

Hey all,

I wanted to jump in here, I hope you're all enjoying some of the enhancements we've made for making it a bit easier to manage guests at scale. While we continue to make progress in this area, I wanted to share a potential short term solution for those of you that are leveraging our Confluence REST APIs.

What I've heard, is that there is a need to assign all guests, within a group, access to the same space. While default space access is a really good start, there may be some edge cases around it (maybe multiple groups needing different sets of space access).

The existing APIs that I wanted to highlight that could be leveraged to build a custom solution around space assignment, would be the following:

• https://developer.atlassian.com/cloud/confluence/rest/v1/api-group-group/#api-wiki-rest-api-group-get
• https://developer.atlassian.com/cloud/confluence/rest/v1/api-group-group/#api-wiki-rest-api-group-groupid-membersbygroupid-get
• https://developer.atlassian.com/cloud/confluence/rest/v1/api-group-space-permissions/#api-wiki-rest-api-space-spacekey-permission-post

Leveraging those APIs we should be able to identify all guest users in a given group, and grant the required space permissions to "assign" space access for a guest (guests by default always be granted read:space, create:page, create:comment, and create:attachment on a given space).

Below is an example of a script that will use the APIs listed above to take a group name, lookup all of the guest users within that group, and assign the correct space permissions if possible (the space permission endpoint will return an error if the guest user already has a space assigned).

#!/bin/bash
groupName="[insert-group-name-here]" # The name of the guest group you want to assign spaces for
spaceKey="[insert-space-key-here]"   # The space key of the space you want to assign to your guests
hostname=[insert-confluence-domain-here] # The domain for your Confluence site

result=$(http GET "$hostname/wiki/rest/api/group")

groupId=$(echo $result | jq -r '.results[] | select(.name=="'$groupName'") | .id')

result=$(http GET "$hostname/wiki/rest/api/group/$groupId/membersByGroupId?expand=isExternalCollaborator")

guestIds=$(echo $result | jq '.results[] | select(.isExternalCollaborator==true) | .accountId')
guestIds=($guestIds)

echo "Start assigning space permissions on $spaceKey for ${#guestIds[@]} guests..."

for guestId in "${guestIds[@]}"; do    
(        
  if http --check-status --ignore-stdin POST "$hostname/wiki/rest/api/space/$spaceKey/permission" --raw '{ "subject": { "type": "user", "identifier": '"$guestId"' }, "operation": { "key": "read", "target": "space"}}' &>output.txt:; then            
    echo "✅ successfully assigned read:space on $spaceKey for $guestId"
    if http --check-status --ignore-stdin POST "$hostname/wiki/rest/api/space/$spaceKey/permission" --raw '{ "subject": { "type": "user", "identifier": '"$guestId"' }, "operation": { "key": "create", "target": "page"}}' &>output.txt:; then                
      echo "✅ successfully assigned create:page on $spaceKey for $guestId"            
    else                
      echo "❌ failed to assign create:page on $spaceKey for $guestId"            
    fi
    if http --check-status --ignore-stdin --meta POST "$hostname/wiki/rest/api/space/$spaceKey/permission" --raw '{ "subject": { "type": "user", "identifier": '"$guestId"' }, "operation": { "key": "create", "target": "comment"}}' &>output.txt:; then                
      echo "✅ successfully assigned create:comment on $spaceKey for $guestId"            
    else                
      echo "❌ failed to assign create:comment on $spaceKey for $guestId"            
    fi
    if http --check-status --ignore-stdin --meta POST "$hostname/wiki/rest/api/space/$spaceKey/permission" --raw '{ "subject": { "type": "user", "identifier": '"$guestId"' }, "operation": { "key": "create", "target": "attachment"}}' &>output.txt:; then                
      echo "✅ successfully assigned create:attachment on $spaceKey for $guestId"            
    else                
      echo "❌ failed to assign create:attachment on $spaceKey for $guestId"            
    fi        
  else            
    echo "❌ failed to assign read:space on $spaceKey for $guestId"        
  fi    
)
done

echo "Finished assigning space permissions on $spaceKey for ${#guestIds[@]} guests..."

Hopefully this information is helpful, if there are any questions, please reach out!

+1, hard to believe we need to manage hundreds or even thousands of users manually.

Hi all,

We are happy to announce that we have launched 2 new solutions for guest groups to be assigned to spaces.

1. Default Space Assignment: If all of your guests need to be added to the same space, you can leverage Default Space Assignment to assign newly added guests to the same Confluence space. Once the Default Space Assignment is set up, you no longer need to separately assign guests to a space (unless you would like to).
2. Guest Space Assignment with Automations: You can create and schedule an automation rule to assign (and unassign) existing and future guests to a designated space. Particularly useful for unassigned guests that have been added prior to the Default Space Assignment feature being launched. 

As a next step, we will be exploring allow guest groups to be identified in Automations so we can automate guest group assignment to a specific space.

If you have any questions, please feel free to leave them in the comments below!

Thanks,
Morgan, Confluence Product Manager

• Do all of your guests always need to work within the same space? How do you manage it otherwise?
  Yes, for now, but we do have plans to have different guests accessing a different space.
• Do you assign different guest groups to different spaces?
  We only have a single space for guests for now.
• Where do you expecting guest group space assignment to happen?
  On the space permission management screen. I.e. where you assign normal groups too.
• What is your expectation when new group members added or removed? Are they added or removed from the space?
  yes.
• Do you have any conditions where a guest could be in multiple groups? What is the expectation when this occurs?
  We don't (unless it'd be possible to have a guest access multiple spaces, what we'd possibly welcome).

Hi there,

• Do all of your guests always need to work within the same space? How do you manage it otherwise?
  • All guest users of one "use case" (e.g. project) only need to work in one space. But since we have different use cases, these groups would need to work in different spaces. If we have external users with the need to work in more than one space, then they get a user license.
• Do you assign different guest groups to different spaces?
  • yes, see above
• Where do you expecting guest group space assignment to happen?
  • in the project permissions, where you can already add guest users
• What is your expectation when new group members added or removed? Are they added or removed from the space?
  • yes, when the guest is added to the group and the group is permitted for a space, then the guest gets access to the space. Same with removal from the group.
• Do you have any conditions where a guest could be in multiple groups? What is the expectation when this occurs?
  • For us there's no need to put guests in more than one group, so I'd restrict the group count for guests to 1.

• Do all of your guests always need to work within the same space? How do you manage it otherwise? - Yes, we have one space which is for Guest access only. This makes it easier for our small group of writers to distinguish between internal or confidential info, vs external info
• Do you assign different guest groups to different spaces? We have different groups in different spaces. We have just migrated from server where Group access was used for space access. I can see at least 2 comments along these lines 'What is the point of the Space permissions > Guest users > Groups section if a guest group can't be added to the space? ' It seems groups are now more for product access, whereas in Server, they were for space access. Now it seems you need to be in a product access group, then an additional group for space access. I'm finding it hard to understand who has access to what now that the groups aren't really used for spaces..or are they? 
• Where do you expecting guest group space assignment to happen? Already should have been in place. This is how we did it in AD for Server. All guests in one group, that group only had access to one space. Why were we forced to upgrade to a inferior product (don't get me started on Cloud vs Server)
• What is your expectation when new group members added or removed? Are they added or removed from the space? This question doesn't make sense. Once removed from the group, they no longer have access wherever that group is used. 
• Do you have any conditions where a guest could be in multiple groups? What is the expectation when this occurs? We dont in our company, but we may have the very odd occasion where we need a guest to have access to say one page in a different space..and if the Group is only allocated to one space according to the current rules, this wouldn't work..in saying that, it is rare, and the page could be added to the 'guest' accessed space. 

Groups access will enhance security from several angles, a group could be created for a client or supplier and once no longer required the groups could have access revoked quickly, and it will also make removing using access where people leave, as it will be easier to identify them rather than looking for an email that might not contain a name.

Hi all,

Thank you for sharing your feedback. Our team is looking into this ask and designing a solution.

While we're working on the solution, we'd love to get additional clarification on the following questions:

• Do all of your guests always need to work within the same space? How do you manage it otherwise?
• Do you assign different guest groups to different spaces?
• Where do you expecting guest group space assignment to happen?
• What is your expectation when new group members added or removed? Are they added or removed from the space?
• Do you have any conditions where a guest could be in multiple groups? What is the expectation when this occurs?

Thank you!
Morgan

Ran into the same issue today. Where is the point of a guest groups when i cant assign them to individual spaces?

we have a license count for guests with 9.000. We can never assign all of them manually! We need AD Groups. It seemed only logical to me, that this is available. 

What is the point of the Space permissions > Guest users > Groups section if a guest group can't be added to the space? When I try to add a guest group here, it brings up a 500 error page stating "Group is a guest group and may not receive space-level permissions" with a JAVA stacktrace.

Guest user within a group would be much easier to manage. We have a situation where some of our suppliers are also our partners on certain projects, they do not need full access to most of our infrastructure of spaces but a collaboration  space is perfect for this, we create a new space for the collab work and then create a groups for external guests to work within, there may be several people working on a project over time so it would be easier to invite them as guest from a group so that certain parts of the spaces could be restricted to only certain users.

As guest only span a single space it would be good to have a guest user licence pack where more guests could be purchased once the 5 per user limit has been reached but at a cheaper price as guests will not be full users and only need access to a specific site during a project and never be required again

+1

We want to add guest users from several external companies, which are currently managed in a seperate Keycloak instance. Automatic user provisioning from Keycloak should work smoothly, as well as provisioning these users to a certain group. But not being able to grant permissions to this group makes it more or less useless for us.

Very much interested in this, will be a lot more tidy and easier to regulate whilst adding guest users as we mostly use groups for all of our space admin currently

Thanks for creating this request for me. This is imperative to security.  Adding groups is important because it allows me to know who is from which external client. The individual users, when adding guest access, tells me nothing of where they are coming from - no email, no group, nothing to know who they actually are. This could lead to accidentally adding the user to the wrong Space which is a HUGE issue.