When I review an existing XWiki instance, I do not start by changing permissions. I first try to understand where access rules have accumulated over time.
Many XWiki permission issues are not visible from the homepage. Users can log in, pages can be edited, search can work correctly, and the wiki may still contain access rules that nobody fully understands anymore.
This usually happens slowly. A team needs access, a page is restricted, a group is created, an exception is added, an external user is invited, and after a few years the access model becomes difficult to explain.
In practice: the first review should not try to rebuild the whole permission model. It should identify risky areas, unclear exceptions, old groups and sensitive rights that need a closer look.
Where to start in a real XWiki instance
The first signs of a messy access model are usually simple: many groups with unclear names, rights assigned directly to users, restricted pages without an owner, old project spaces and powerful rights granted to people who no longer administer the platform.
At this stage, the goal is not to decide whether every permission is correct. The goal is to build a map: which areas are sensitive, where local rights exist, which groups matter, and which findings should be reviewed before the next upgrade, migration or authentication change.
The main point: a useful access-rights review should answer more than “can this user access this page?” It should also answer “why do they have access, which group grants it, who owns the area and when should this be reviewed again?”
For a broader view of security-related checks, see what an XWiki security review should actually include.
A practical first-pass audit
A first-pass audit should be safe and observational. Before changing anything in production, collect enough information to understand the current model and the areas that need attention.
- Do not change permissions before understanding why they exist.
- Identify the main areas of the wiki: open, internal, restricted, confidential and administrative.
- List the groups that seem to control access to these areas.
- Look for direct user rights and local page-level exceptions.
- Review admin, script and programming rights separately from normal edit rights.
- Document what is unclear instead of guessing.
1. Start with access areas, not individual pages
Before reviewing individual permissions, clarify what the wiki should look like from an access perspective. Otherwise, the review becomes a list of isolated technical checks without a clear target.
A simple access map is often enough. Separate the wiki into clear areas such as open internal knowledge, team spaces, restricted projects, confidential documents, technical administration pages and external collaboration areas.
| Area type | Typical access | First review question |
|---|---|---|
| Open internal knowledge | Most authenticated users can view, selected users can edit | Is this content really safe for broad internal access? |
| Team or project spaces | Team members can edit, others may only view | Are the groups still aligned with the current team? |
| Restricted projects | Only selected groups can view or edit | Is access granted through groups or individual users? |
| Confidential documents | Small controlled group | Who owns the restriction and when was it last reviewed? |
| Technical administration pages | Trusted administrators only | Are admin, script and programming rights limited? |
2. Review groups before reviewing pages
In most XWiki instances, groups should be the foundation of the permission model. Rights assigned directly to individual users are harder to maintain because people change roles, leave the organization or move between teams.
Start by reviewing which groups exist, what they are used for and whether their members still match the intended access model. Group names often tell part of the story: old project names, temporary access groups and unclear role names are good signals that the access model needs cleanup.
| Group signal | What it may indicate | First action |
|---|---|---|
| Old project groups | A project ended but access may still be active | Confirm whether the group is still needed |
| Inactive users | Former employees or old accounts may still have access | Remove from groups or deactivate according to policy |
| Unclear group names | Nobody can easily explain what the group controls | Document, rename or consolidate |
| Overloaded groups | One group controls too many unrelated areas | Split into clearer role-based or area-based groups |
| Admin groups | Powerful rights may be granted too broadly | Review membership separately |
3. Identify pages with local access rights
Local page-level rights are often where surprises appear. They are useful when a page or page hierarchy needs special access rules, but they can become difficult to manage when they are added repeatedly without documentation.
The following Velocity snippet can help you start the review by listing pages that contain local
XWiki.XWikiRights objects. It is not a complete audit. It gives you a practical first list of
pages where local rights may exist.
#set ($pages = $services.query.xwql($query).execute())
#if ($pages.isEmpty())
No pages with local XWiki rights were found.
#else
|= Page |= Review note
#foreach ($page in $pages)
| [[$page]] | Local rights configured
#end
#end
4. How to interpret the result
The result should be treated as a review queue, not as a final answer. Each page should be checked in context: why local rights were added, who is affected, whether the rights apply only to one page or to a hierarchy, and whether the exception is still needed.
What this snippet helps you find: pages where local rights may override the expected inherited model, old restricted areas, project spaces with special access rules and confidential pages that should have a clear owner.
What this snippet does not tell you: whether the rights are correct, whether the groups are still valid, whether the users inside those groups still need access, or whether inherited permissions already grant access from a parent page.
A page appearing in this list is not automatically a problem. It simply means that the page deserves a closer look during the first-pass review.
Not sure where local rights are hidden? A focused access-rights review can help identify local exceptions, inherited permissions, old groups and sensitive rights that should be cleaned up or documented.
Request an access review5. Review sensitive rights separately
Not all rights have the same impact. View, comment and edit rights affect content collaboration. Administration, script and programming rights can have a broader technical and security impact and should be reviewed separately.
A user with powerful rights may be able to change configuration, execute advanced scripts, affect other users or influence how content is rendered. These rights should be granted intentionally, limited to trusted users and documented as part of the administration model.
| Right type | Why it matters | Review approach |
|---|---|---|
| Admin | Can control important wiki configuration and rights | Keep limited and review membership regularly |
| Script | Can allow advanced scripting behavior depending on context | Grant only to users who understand the technical impact |
| Programming | Can be highly sensitive and should be reserved for trusted technical administrators | Review separately from normal editing permissions |
| Edit | Allows content changes and may affect business processes | Assign through groups and validate restricted areas |
| View | Controls access to content and confidential information | Review public, internal and restricted areas carefully |
Common findings during a first review
A first-pass review often reveals patterns that are not obvious from normal daily use. These findings do not always mean that the instance is unsafe, but they usually deserve clarification.
- Pages restricted years ago for a project that no longer exists.
- Groups created for temporary access that still grant view or edit rights.
- Direct user rights added because creating a proper group felt too heavy at the time.
- Admin or script rights granted to users who no longer maintain the platform.
- Restricted spaces without a clear business owner.
- External users still present in groups after the collaboration ended.
- Local page rights added to solve an urgent issue, but never reviewed again.
- Group synchronization from LDAP, SSO, OIDC or SAML that no longer matches the expected wiki access model.
6. Document findings before changing permissions
An access-rights review should not end with a few manual changes. The result should be documented so that the next administrator understands what was found, what was changed and what still needs attention.
A simple review register is enough for a first pass. The goal is to record the affected area, the current access model, the concern, the owner and the recommended action.
| Area or page | Current access | Risk or concern | Recommended action | Owner | Review date |
|---|---|---|---|---|---|
| Example.ProjectSpace | Old project group can still view | Project ended, access may no longer be needed | Confirm owner and remove group if obsolete | Project owner | YYYY-MM-DD |
| Example.ConfidentialDocs | Individual users have direct rights | Difficult to maintain when roles change | Move access to a dedicated group | Content owner | YYYY-MM-DD |
XWiki access-rights first-pass checklist
A practical review should combine technical checks with governance questions. The following checklist can be used before changing permissions in production.
- Identify public, internal, restricted and administrative areas.
- List active groups and clarify what each group is used for.
- Review old groups, inactive users and temporary access.
- Identify pages with local XWiki rights objects.
- Review page-level exceptions and inherited permissions.
- Check whether rights are assigned to groups rather than individual users.
- Review admin, script and programming rights separately.
- Check authentication and group synchronization if LDAP, SSO, OIDC or SAML is used.
- Document findings, owners, risks and recommended actions.
- Only then decide what should be cleaned up, simplified or reviewed with the business owner.
XWiki access-rights review FAQ
Is listing pages with local rights enough for an access audit?
No. It is only a starting point. A complete review should also consider inherited permissions, group membership, wiki-level rights, explicit allow or deny rules, sensitive rights and the business reason behind each restricted area.
Should XWiki rights be assigned directly to users?
In most cases, rights should be assigned through groups. Direct user rights can be useful in rare situations, but they are harder to maintain and should be reviewed carefully.
What is the most common access-rights problem in XWiki?
A common issue is the accumulation of undocumented exceptions: old groups, page-level rights, inherited permissions and direct user rights that were correct at the time but are no longer clearly understood.
Should access rights be reviewed before an XWiki upgrade?
Yes. Upgrades are a good moment to review permissions, especially for business-critical instances. The review can reveal old groups, sensitive rights, custom scripts and restricted areas that should be validated during the upgrade process.
Does SSO replace an access-rights review?
No. SSO helps authenticate users, but XWiki authorization still depends on groups, rights, inheritance and page-level exceptions. Authentication and access control should be reviewed together.
Need help reviewing XWiki access rights?
If your XWiki instance has grown over time, uses many groups, contains restricted areas or depends on LDAP, SSO, OIDC or SAML, an access-rights review can help identify unclear permissions and define a safer model.
Request an access-rights review