How to manage rights on your wiki

02 Dec 2019 5 min read
Written by Andreea Chirica, Communications and Support Specialist

Leave no room for error about which users or groups can view, edit or perform other actions on your wiki: use the XWiki rights management feature. Setting permissions is the natural step when one of your objectives is to protect sensitive or confidential information, and in some situations it is part of complying with internal or regional control regulations. This article covers the permission types and their effects, the basic rules for private versus open or public wikis, rights at page level, and best practices for rights management on the main wiki and any sub-wikis it may include.

1. What are the XWiki permissions and how do they function on your wiki?

The XWiki permissions system was created to let wiki administrators control precisely what users and groups can do in the wiki. It offers a set of rights that can be allowed or denied, such as "View" (the ability to view pages), "Comment" (the ability to add a comment to a page), "Edit" (the ability to edit page content) and "Delete" (the ability to delete pages). There are also some special permissions: those that give more control to Administrator users or to users who perform programming or scripting actions on the wiki, the right to create wikis, and the right to register on a wiki (given to guest/unregistered users). Learn more about each permission type here.

For example, a user or group holding the Admin right automatically has the View, Comment, Edit and Delete permissions, plus the ability to permanently delete a page from the recycle bin. Likewise, when you allow the Programming right, that user or group also holds all the rights listed before it: View, Comment, Edit, Script, Delete and Admin.

When you start with a fresh wiki instance, a set of rights is already defined. At group level, for example, there are two default groups: "XWikiAdminGroup", which contains the user(s) with administrator rights, and "XWikiAllGroup", which contains all registered users of the wiki.

Best practice for XWikiAllGroup: do not remove users from this group. Users removed from it may lose access to the wiki entirely, or may no longer see a color theme customization you have applied to the wiki.

In the image below, XWikiAdminGroup has the Program right explicitly allowed (so the unchecked rights such as View are implicitly granted through it), and XWikiAllGroup has rights up to and including Script. For details on implicit and explicit allows and denies, consult the basic rules section of the XWiki documentation. Coming back to our example: at this point, unregistered users are still able to see your wiki. If you would like to make your wiki Private (with or without the Register right) or Public with confirmed registration, see the next section.

Initial_rights_XWiki.JPG

2. What access rights to provide at wiki level?

When adding rights at wiki level, consider the strategy for the wiki as a whole. Is your wiki open to anyone? Or do you need some privacy, giving access to the wiki's pages only after registration? You may also need to protect the entire wiki, or just one of the sub-wikis, by making it private. Depending on what you intend to use your wiki for, you have several options:

  • for a Public Wiki where everyone can perform actions like comment or edit, all you have to do is configure the permissions you wish to give to the Guest user, from the Rights administration page, as shown in the image below. From a security point of view, read here how you can keep your site open while preventing automated commenting by requiring guests to fill out a captcha before commenting.

Rights_for_public_wiki_comment_right.JPG

  • for a Public wiki where unregistered users would be able to see the wiki pages, but for more actions such as being able to comment or to edit, they would need to have an account, you can provide the View and Register rights. To add a confirmation step, here are the steps for configuring a Public Wiki with confirmed registration.
  • for a Private wiki where only logged-in users can view, comment or edit, choose the option Prevent unregistered users from viewing/editing pages, which blocks guest access wiki-wide regardless of page or space rights. You must still explicitly allow the View right for unregistered users on the wiki's Color Theme page; otherwise users who are not logged in see the login page with the default look rather than your theme. Even then, when unregistered users open the menu drawer from the login page, they may still see links to related wiki pages such as Page Index, Application Index and Wiki Index. As an Administrator, go to each of those pages and deny the View right to unregistered users for the page and its children. For examples of setting permissions at page level, see the next section of the article.

Remember that you could also mix the worlds, for example by having at the main wiki level a public wiki with confirmed registration or an open wiki, and one or multiple private sub-wikis.

3. How do I add permissions at page level?

3.1. Setting Rights for a Page and Its Children

If you have a page A with several other pages created as its children, you can set rights on page A (the parent) and the child pages inherit those rights.

To edit the access rights for a page, navigate to that page, click the cog button, then click "Administer Page". You will be shown a preferences section with two options in the left-hand menu under "Users & Groups":

Rights: Page & Children - sets the permission scheme that applies to the current page and all its children.

Rights: Page - sets the permission scheme that applies to the current page only.

Remove_rights_from_Wiki_index_page_and_children.JPG

3.2. Setting Rights for a Terminal Page

A terminal page is a wiki page that cannot have children and it is usually created by applications and scripts. Terminal pages don't have a "Preferences" document. This is the reason why, in order to set the access rights for a single page, you will have to click the editing pen icon, then choose "Access rights".

Tip: Permissions set at page level take priority over, and therefore override, permissions set at wiki level.

4. How do I apply rights on a main and multiple sub-wikis?

4.1. Main Wiki Access Rights

To change rights for the main wiki, log in as Administrator, click the drawer menu button to open the drawer menu, then click "Administer Wiki". In the wiki administration page, click the "Rights" link in the vertical menu on the left. Next, select the users or groups for which you want to set a permission. Note that on the main wiki you are editing the rights of global users and groups; global users and groups are defined on the main wiki.

4.2. Sub-Wiki Access Rights

When editing rights on a sub-wiki, you can choose Local users/groups, which are defined for that sub-wiki only, or Global users/groups. To change rights for a sub-wiki, log in as administrator on that sub-wiki, click the drawer menu button, then "Administer Wiki", and in the wiki preferences page click the "Rights" link in the vertical menu on the left. Select the local or global groups and users for which you want to set a permission. Note that, unlike on the main wiki, the "Script" right is left at its default on sub-wikis, meaning that it is denied.

Tip: When an access right is allowed at one level for one user or group, it is implicitly denied at that level to all other users or groups.
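The three rules this article states, implied rights (section 1), page level overriding wiki level (section 3.2 tip) and an allow for one subject implicitly denying the others (the tip above), are easy to get wrong in combination, for instance when a page-level allow for guests quietly reopens part of a private wiki. The script below is an added example written for this article; it is not XWiki code and not XWiki's authorization engine. It models one rights object per Rule (the field names users, groups, levels and allow follow XWiki's XWikiRights and XWikiGlobalRights classes), treats the authenticate_view preference as the "Prevent unregistered users from viewing pages" option, and adds two labelled assumptions: an explicit deny wins over an allow at the same scope, and with nothing set anywhere only View is granted. The page names (FlamingoThemes.MyTheme, Sandbox) and the user XWiki.Alice are placeholders, and the configuration is constructed for the example. The real engine has further rules (default rights, how wiki-level admin interacts with page-level settings), so use this as a sanity check of a configuration, not as an authority.

```python
"""Offline checker for the right-resolution rules described in the article.

Added example, not XWiki code: one Rule per XWikiRights / XWikiGlobalRights
object (field names follow those classes), applying only the article's rules
plus the assumptions marked below.
"""
from dataclasses import dataclass, field

GUEST = "XWiki.XWikiGuest"  # the unregistered user

# Rights implied by an explicit allow (section 1 of the article).
IMPLIED = {
    "admin": {"view", "comment", "edit", "delete", "admin"},
    "programming": {"view", "comment", "edit", "script", "delete", "admin", "programming"},
}


@dataclass
class Rule:
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    levels: set = field(default_factory=set)
    allow: bool = True

    def covers(self, right):
        """True if this rule sets `right`, directly or through an implied right."""
        return any(right in IMPLIED.get(level, {level}) for level in self.levels)

    def matches(self, user, user_groups):
        return user in self.users or bool(self.groups & user_groups)


@dataclass
class Wiki:
    members: dict            # group name -> set of user names
    authenticate_view: bool  # "Prevent unregistered users from viewing pages" (XWikiPreferences authenticate_view)
    rules: dict              # scope -> [Rule]; "" = wiki, "Space" = Space and children, "Space.Page" = page only


def groups_of(wiki, user):
    return {g for g, members in wiki.members.items() if user in members}


def scope_chain(page):
    """Most specific scope first: "A.B.Page", "A.B", "A", then "" for the wiki level."""
    parts = page.split(".")
    return [".".join(parts[:i]) for i in range(len(parts), 0, -1)] + [""]


def decide_at(rules, right, user, user_groups):
    """Verdict at one scope, or None when this scope does not set `right` (the scope above decides)."""
    relevant = [r for r in rules if r.covers(right)]
    mine = [r for r in relevant if r.matches(user, user_groups)]
    if any(not r.allow for r in mine):
        return False  # assumption: an explicit deny beats an allow at the same scope
    if any(r.allow for r in mine):
        return True
    if any(r.allow for r in relevant):
        return False  # allowed to someone else at this scope, so implicitly denied to this subject
    return None


def has_access(wiki, page, right, user):
    """Page rules override page-and-children rules, which override wiki rules (section 3.2 tip)."""
    user_groups = groups_of(wiki, user)
    for scope in scope_chain(page):
        if scope == "" and user == GUEST and right == "view" and wiki.authenticate_view:
            return False  # wiki-wide private option: guests view only where a lower scope allows it
        verdict = decide_at(wiki.rules.get(scope, []), right, user, user_groups)
        if verdict is not None:
            return verdict
    return right == "view"  # assumption: with nothing set anywhere, only View is granted


def guest_view_leaks(wiki, pages, theme_page):
    """Section 2 private-wiki check: guests must see the colour theme page and nothing else."""
    leaks = [p for p in pages if p != theme_page and has_access(wiki, p, "view", GUEST)]
    return leaks, has_access(wiki, theme_page, "view", GUEST)


def programming_holders(wiki):
    """Everyone who ends up with the Programming right, the most powerful one (section 1)."""
    users = set().union(*wiki.members.values()) | {GUEST}
    return {u for u in users if has_access(wiki, "Main.WebHome", "programming", u)}


def sample_private_wiki():
    """Constructed configuration: the section 2 private-wiki checklist with one slip left in."""
    return Wiki(
        members={"XWiki.XWikiAdminGroup": {"XWiki.Admin"},
                 "XWiki.XWikiAllGroup": {"XWiki.Admin", "XWiki.Alice"}},  # Alice is a placeholder user
        authenticate_view=True,
        rules={
            "": [Rule(groups={"XWiki.XWikiAdminGroup"}, levels={"programming"}),
                 Rule(groups={"XWiki.XWikiAllGroup"}, levels={"view", "comment", "edit"})],
            # Guests need View on the colour theme page (placeholder name) so the login page is styled.
            "FlamingoThemes.MyTheme": [Rule(users={GUEST}, levels={"view"})],
            # The slip: Sandbox and its children were opened to guests at page level, which wins over the wiki setting.
            "Sandbox": [Rule(users={GUEST}, levels={"view"})],
        },
    )


SAMPLE_PAGES = ["Main.WebHome", "Sandbox.WebHome", "FlamingoThemes.MyTheme"]  # constructed page list

if __name__ == "__main__":
    w = sample_private_wiki()
    print("guest view leaks, theme visible:", guest_view_leaks(w, SAMPLE_PAGES, "FlamingoThemes.MyTheme"))
    print("programming right held by:", programming_holders(w))
    print("Alice at Sandbox:", has_access(w, "Sandbox.WebHome", "view", "XWiki.Alice"))
```

Running it reports Sandbox.WebHome as visible to guests despite the wiki-wide private setting, confirms the theme page is visible, and shows that the guest-only allow on Sandbox also implicitly denies View there to the registered user Alice, which is exactly the side effect of the tip above that catches administrators out.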

All in all, you now know that the XWiki permissions system lets you set rights at wiki level and at page level, for cases such as private versus public wikis. Thanks to the different levels of control XWiki offers, it is easy to manage access to actions like view, edit and comment. Keep in mind that granting the Programming right to a user or group gives them ultimate control over a page, a space or the entire wiki. Make sure you familiarize yourself with the basic rules and enjoy this powerful feature.

You want to ask more questions about the XWiki rights management? Feel free to contact us.
