Permissions Required for Atlassian Confluence

When you grant access to the Atlassian Confluence app instance, Netskope seeks consent for the following permissions from the Atlassian account:

| Permissions required by Netskope | Description | Purpose |
|---|---|---|
| offline_access | Scope for getting refresh token. | Periodically refresh access token after instance setup. |
| read:audit-log:confluence | View and export audit records for Confluence events. | Retrieve and list Confluence audit log events under Skope IT > Application Events. The data is used to support features like User Entity Behavior Analytics. |
| read:confluence-user | View user information in Confluence that you have access to, including usernames, email addresses, and profile pictures. | In order to support features like inventory and scanning, Netskope requires ‘read’ permission for the following entities: User, Group, Membership, Space, Label, Space Permissions, Page (including blog post), Page Restriction, Comment, Attachment, Content (page + comment + attachment). |
| read:user:confluence | View user details. | |
| read:confluence-groups | Permits retrieval of user groups. | |
| read:group:confluence | View details about groups. | |
| read:confluence-space.summary | Read a summary of space information without expansions. | |
| read:space:confluence | View space details. | |
| read:space-details:confluence | View details regarding spaces and their associated properties. | |
| read:label:confluence | View labels associated with content or spaces. | |
| read:space.permission:confluence | View space permissions. | |
| read:permission:confluence | View space permissions. | |
| read:confluence-content.summary | Read a summary of the content, which is the content without expansions. Note, APIs using this scope may also return data allowed by read:confluence-space.summary. However, this scope is not a substitute for read:confluence-space.summary. | |
| read:confluence-content.all | Read all content, including content body (expansions permitted). Note, APIs using this scope may also return data allowed by read:confluence-space.summary. However, this scope is not a substitute for read:confluence-space.summary. | |
| search:confluence | Search Confluence. Note, APIs using this scope may also return data allowed by read:confluence-space.summary and read:confluence-content.summary. However, this scope is not a substitute for read:confluence-space.summary or read:confluence-content.summary. | |
| read:content:confluence | View content, including pages, blog posts, custom content, attachments, comments, and content templates. | |
| read:content-details:confluence | View details regarding content and its associated properties. | |
| read:page:confluence | View page content. | |
| read:blogpost:confluence | View blog post content. | |
| read:confluence-content.permission | View content permission in Confluence. | |
| read:content.permission:confluence | Check if a user or group can perform an operation on the specified content. | |
| read:content.restriction:confluence | View the restrictions on content. | |
| read:comment:confluence | View comments on content. | |
| readonly:content.attachment:confluence | Download attachments of a Confluence page or blog post that you have access to. | |
| read:attachment:confluence | View and download content attachments. | |
| write:confluence-content | Permits the creation of pages, blogs, comments, and questions. | In order to support features like policy actions and remediation, Netskope requires ‘write’ permissions for the following entities: Space Permission, Page (including blog post), Page Restriction, Comment, Attachment, Content (page + comment + attachment). |
| write:content:confluence | Create and update content and its associated properties. | |
| delete:content:confluence | Delete content. | |
| write:page:confluence | Create and update pages. | |
| delete:page:confluence | Delete pages. | |
| write:blogpost:confluence | Create and update blog posts. | |
| delete:blogpost:confluence | Delete blog posts. | |
| write:comment:confluence | Create and update comments on content. | |
| delete:comment:confluence | Delete comments on content. | |
| write:confluence-file | Upload attachments. | |
| write:attachment:confluence | Create and update content attachments. | |
| delete:attachment:confluence | Delete content attachments. | |
| write:confluence-groups | Permits creation, removal, and update of user groups. | |
| write:group:confluence | Create, update, and delete groups. | |
| write:content.restriction:confluence | Update the restrictions on content. | |
| write:space.permission:confluence | Update space permissions. | |

You may have noticed that a few permissions are repeated (with a minor variation in name):

  • read:confluence-user and read:user:confluence

  • read:confluence-groups and read:group:confluence

  • read:confluence-content.permission and read:content.permission:confluence

  • readonly:content.attachment:confluence and read:attachment:confluence

  • write:confluence-content and write:content:confluence

  • write:confluence-groups and write:group:confluence

This is because Netskope requests both classic and granular scopes from Atlassian Confluence. While Netskope will use one of the permissions at a given time, it requests both because Atlassian is continuously deprecating its v1 APIs, which primarily rely on classic scopes. The replacement v2 APIs primarily require granular scopes, so Netskope requires both classic and granular scopes to ensure a seamless transition to the v2 APIs.
