Skip to Content
Last modified by Agnease on 2026/06/08 18:37
From version 1.1
edited by Agnease
on 2026/06/08 18:00
Change comment: There is no comment for this version
To version 2.7
edited by Agnease
on 2026/06/08 18:07
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -xwiki-access-rights-review
1 +How to start an XWiki access-rights review
Content
... ... @@ -1,0 +1,477 @@
1 +{{velocity}}
2 +#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 +{{html clean="false"}}
4 +
5 + <section class="resource-header" aria-labelledby="hero-title">
6 + <div class="container">
7 + <div class="text-center">
8 + <div class="hero-kicker">
9 + <i class="fa fa-search" aria-hidden="true"></i>
10 + XWiki access-rights review
11 + </div>
12 + </div>
13 +
14 + <h1 id="hero-title">How to start an XWiki access-rights review</h1>
15 +
16 + <p class="resource-summary">
17 + A practical first step for identifying local rights, old groups, sensitive permissions and unclear access exceptions
18 + before they become a security or maintenance problem.
19 + </p>
20 + </div>
21 + </section>
22 +
23 + <section class="resource-page">
24 + <div class="container">
25 + <div class="resource-layout">
26 +
27 + <aside class="resource-sidebar" aria-label="Page summary">
28 + <h4>In this guide</h4>
29 + <ul>
30 + <li><a href="#why-review">Why review access rights</a></li>
31 + <li><a href="#access-model">Start with the model</a></li>
32 + <li><a href="#review-groups">Review groups</a></li>
33 + <li><a href="#find-local-rights">Find local rights</a></li>
34 + <li><a href="#sensitive-rights">Sensitive rights</a></li>
35 + <li><a href="#document-findings">Document findings</a></li>
36 + <li><a href="#review-checklist">Checklist</a></li>
37 + <li><a href="#access-review-faq">FAQ</a></li>
38 + </ul>
39 + </aside>
40 +
41 + <article class="resource-content">
42 +
43 + <p>
44 + Many XWiki permission issues are not visible from the homepage. Users can log in, pages can be edited,
45 + search can work correctly, and the wiki may still contain access rules that nobody fully understands anymore.
46 + </p>
47 +
48 + <p>
49 + This usually happens slowly. A team needs access, a page is restricted, a group is created, an exception is
50 + added, an external user is invited, and after a few years the access model becomes difficult to explain.
51 + </p>
52 +
53 + <div class="resource-note">
54 + <p>
55 + <strong>In practice:</strong> an XWiki access-rights review should start by understanding the intended
56 + access model, then checking groups, local page rights, inherited permissions, powerful rights, inactive users
57 + and undocumented exceptions.
58 + </p>
59 + </div>
60 +
61 + <p>
62 + An XWiki access-rights review is a structured check of how users and groups receive permissions across the wiki.
63 + It helps administrators understand who can access what, why access was granted, which permissions are inherited,
64 + and where local exceptions may create risk or confusion.
65 + </p>
66 +
67 + <div class="resource-note">
68 + <p>
69 + <strong>The main point:</strong> the goal is not only to find permission problems. The goal is to make the
70 + access model easier to explain, maintain and review over time.
71 + </p>
72 + </div>
73 +
74 + <h2 id="why-review">Why an access-rights review matters</h2>
75 +
76 + <p>
77 + XWiki is often used for internal knowledge, project documentation, procedures, HR content, customer information,
78 + technical documentation, controlled documents or business-critical workflows. When the content becomes important,
79 + the access model becomes important too.
80 + </p>
81 +
82 + <p>
83 + A permission setup can be technically valid and still be difficult to govern. For example, rights may be assigned
84 + to individual users instead of groups, old project groups may still have access, or page-level exceptions may
85 + override the expected inherited model.
86 + </p>
87 +
88 + <p>
89 + For a broader view of security-related checks, see
90 + <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>.
91 + </p>
92 +
93 + <h2 id="access-model">1. Start with the access model, not with the UI</h2>
94 +
95 + <p>
96 + Before changing permissions, clarify what the wiki should look like from an access perspective. Otherwise,
97 + the review becomes a list of isolated technical checks without a clear target.
98 + </p>
99 +
100 + <p>
101 + A simple model is often enough. Separate the wiki into clear areas such as open internal knowledge,
102 + team spaces, restricted projects, confidential documents, technical administration pages and external
103 + collaboration areas.
104 + </p>
105 +
106 + <table class="table table-bordered table-striped">
107 + <thead>
108 + <tr>
109 + <th>Area type</th>
110 + <th>Typical access</th>
111 + <th>Review question</th>
112 + </tr>
113 + </thead>
114 + <tbody>
115 + <tr>
116 + <td>Open internal knowledge</td>
117 + <td>Most authenticated users can view, selected users can edit</td>
118 + <td>Is this content really safe for broad internal access?</td>
119 + </tr>
120 + <tr>
121 + <td>Team or project spaces</td>
122 + <td>Team members can edit, others may only view</td>
123 + <td>Are the groups still aligned with the current team?</td>
124 + </tr>
125 + <tr>
126 + <td>Restricted projects</td>
127 + <td>Only selected groups can view or edit</td>
128 + <td>Is access granted through groups or individual users?</td>
129 + </tr>
130 + <tr>
131 + <td>Confidential documents</td>
132 + <td>Small controlled group</td>
133 + <td>Who owns the restriction and when was it last reviewed?</td>
134 + </tr>
135 + <tr>
136 + <td>Technical administration pages</td>
137 + <td>Trusted administrators only</td>
138 + <td>Are admin, script and programming rights limited?</td>
139 + </tr>
140 + </tbody>
141 + </table>
142 +
143 + <h2 id="review-groups">2. Review groups before reviewing pages</h2>
144 +
145 + <p>
146 + In most XWiki instances, groups should be the foundation of the permission model. Rights assigned directly to
147 + individual users are harder to maintain because people change roles, leave the organization or move between teams.
148 + </p>
149 +
150 + <p>
151 + Start by reviewing which groups exist, what they are used for and whether their members still match the intended
152 + access model.
153 + </p>
154 +
155 + <table class="table table-bordered table-striped">
156 + <thead>
157 + <tr>
158 + <th>Group review item</th>
159 + <th>What to check</th>
160 + <th>Possible action</th>
161 + </tr>
162 + </thead>
163 + <tbody>
164 + <tr>
165 + <td>Old project groups</td>
166 + <td>Groups created for projects that ended</td>
167 + <td>Remove access, archive the group or document why it remains active</td>
168 + </tr>
169 + <tr>
170 + <td>Inactive users</td>
171 + <td>Users who no longer need access</td>
172 + <td>Remove from groups or deactivate accounts according to policy</td>
173 + </tr>
174 + <tr>
175 + <td>Unclear group names</td>
176 + <td>Groups whose purpose is not obvious</td>
177 + <td>Rename, document or consolidate</td>
178 + </tr>
179 + <tr>
180 + <td>Overloaded groups</td>
181 + <td>Groups used for too many unrelated areas</td>
182 + <td>Split into clearer role-based or area-based groups</td>
183 + </tr>
184 + <tr>
185 + <td>Admin groups</td>
186 + <td>Groups with powerful rights</td>
187 + <td>Review membership separately and keep it limited</td>
188 + </tr>
189 + </tbody>
190 + </table>
191 +
192 + <h2 id="find-local-rights">3. Identify pages with local access rights</h2>
193 +
194 + <p>
195 + Local page-level rights are often where surprises appear. They are useful when a page or page hierarchy needs
196 + special access rules, but they can become difficult to manage when they are added repeatedly without documentation.
197 + </p>
198 +
199 + <p>
200 + The following Velocity snippet can help you start the review by listing pages that contain local
201 + <code>XWiki.XWikiRights</code> objects. It is not a complete audit, but it gives you a practical first list of
202 + places where local rights may exist.
203 + </p>
204 +{{/html}}
205 +{{/velocity}}
206 +
207 +{{code}}
208 +#set ($query = "select distinct doc.fullName from XWikiDocument doc, BaseObject obj where obj.name = doc.fullName and obj.className = 'XWiki.XWikiRights' order by doc.fullName asc")
209 +#set ($pages = $services.query.xwql($query).execute())
210 +
211 +#if ($pages.isEmpty())
212 + No pages with local XWiki rights were found.
213 +#else
214 + |= Page |= Local rights found
215 + #foreach ($page in $pages)
216 + | [[$page]] | yes
217 + #end
218 +#end
219 +{{/code}}
220 +
221 +{{velocity}}
222 +{{html clean="false"}}
223 + <p>
224 + Use the result as a starting point. Each page should be reviewed in context: why local rights were added, which
225 + users or groups are affected, whether rights apply only to that page or to a hierarchy, and whether the exception
226 + is still needed.
227 + </p>
228 +
229 + <div class="resource-note">
230 + <p>
231 + <strong>Important:</strong> a list of pages with local rights does not tell the full story. You still need to
232 + interpret inherited permissions, groups, explicit allow or deny rules, wiki-level rights and sensitive rights
233 + such as admin, script or programming.
234 + </p>
235 + </div>
236 +
237 + <div class="resource-inline-cta">
238 + <p>
239 + <strong>Not sure where local rights are hidden?</strong>
240 + A focused access-rights review can help identify local exceptions, inherited permissions, old groups and
241 + sensitive rights that should be cleaned up or documented.
242 + </p>
243 + <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request an access review</a>
244 + </div>
245 +
246 + <h2 id="sensitive-rights">4. Pay special attention to sensitive rights</h2>
247 +
248 + <p>
249 + Not all rights have the same impact. View, comment and edit rights affect content collaboration. Administration,
250 + script and programming rights can have a broader technical and security impact and should be reviewed separately.
251 + </p>
252 +
253 + <p>
254 + A user with powerful rights may be able to change configuration, execute advanced scripts, affect other users or
255 + influence how content is rendered. These rights should be granted intentionally, limited to trusted users and
256 + documented as part of the administration model.
257 + </p>
258 +
259 + <table class="table table-bordered table-striped">
260 + <thead>
261 + <tr>
262 + <th>Right type</th>
263 + <th>Why it matters</th>
264 + <th>Review approach</th>
265 + </tr>
266 + </thead>
267 + <tbody>
268 + <tr>
269 + <td>Admin</td>
270 + <td>Can control important wiki configuration and rights</td>
271 + <td>Keep limited and review membership regularly</td>
272 + </tr>
273 + <tr>
274 + <td>Script</td>
275 + <td>Can allow advanced scripting behavior depending on context</td>
276 + <td>Grant only to users who understand the technical impact</td>
277 + </tr>
278 + <tr>
279 + <td>Programming</td>
280 + <td>Can be highly sensitive and should be reserved for trusted technical administrators</td>
281 + <td>Review separately from normal editing permissions</td>
282 + </tr>
283 + <tr>
284 + <td>Edit</td>
285 + <td>Allows content changes and may affect business processes</td>
286 + <td>Assign through groups and validate restricted areas</td>
287 + </tr>
288 + <tr>
289 + <td>View</td>
290 + <td>Controls access to content and confidential information</td>
291 + <td>Review public, internal and restricted areas carefully</td>
292 + </tr>
293 + </tbody>
294 + </table>
295 +
296 + <h2 id="document-findings">5. Document the findings</h2>
297 +
298 + <p>
299 + An access-rights review should not end with a few manual changes. The result should be documented so that the
300 + next administrator understands what was found, what was changed and what still needs attention.
301 + </p>
302 +
303 + <p>
304 + A simple review register can be enough. The goal is to record the affected area, the current access model, the
305 + risk, the owner and the recommended action.
306 + </p>
307 +
308 + <table class="table table-bordered table-striped">
309 + <thead>
310 + <tr>
311 + <th>Area or page</th>
312 + <th>Current access</th>
313 + <th>Risk or concern</th>
314 + <th>Recommended action</th>
315 + <th>Owner</th>
316 + <th>Review date</th>
317 + </tr>
318 + </thead>
319 + <tbody>
320 + <tr>
321 + <td>Example.ProjectSpace</td>
322 + <td>Old project group can still view</td>
323 + <td>Project ended, access may no longer be needed</td>
324 + <td>Confirm owner and remove group if obsolete</td>
325 + <td>Project owner</td>
326 + <td>YYYY-MM-DD</td>
327 + </tr>
328 + <tr>
329 + <td>Example.ConfidentialDocs</td>
330 + <td>Individual users have direct rights</td>
331 + <td>Difficult to maintain when roles change</td>
332 + <td>Move access to a dedicated group</td>
333 + <td>Content owner</td>
334 + <td>YYYY-MM-DD</td>
335 + </tr>
336 + </tbody>
337 + </table>
338 +
339 + <h2 id="review-checklist">XWiki access-rights review checklist</h2>
340 +
341 + <p>
342 + A practical review should combine technical checks with governance questions. The following checklist can be
343 + used as a starting point before changing permissions in production.
344 + </p>
345 +
346 + <ul class="resource-checklist">
347 + <li>Identify public, internal, restricted and administrative areas.</li>
348 + <li>List active groups and clarify what each group is used for.</li>
349 + <li>Review old groups, inactive users and temporary access.</li>
350 + <li>Identify pages with local XWiki rights objects.</li>
351 + <li>Review page-level exceptions and inherited permissions.</li>
352 + <li>Check whether rights are assigned to groups rather than individual users.</li>
353 + <li>Review admin, script and programming rights separately.</li>
354 + <li>Check authentication and group synchronization if LDAP, SSO, OIDC or SAML is used.</li>
355 + <li>Document findings, owners, risks and recommended actions.</li>
356 + <li>Schedule a periodic access-rights review.</li>
357 + </ul>
358 +
359 + <h2 id="access-review-faq">XWiki access-rights review FAQ</h2>
360 +
361 + <details class="resource-faq-item" open>
362 + <summary>Is listing pages with local rights enough for an access audit?</summary>
363 + <p>
364 + No. It is only a starting point. A complete review should also consider inherited permissions, group
365 + membership, wiki-level rights, explicit allow or deny rules, sensitive rights and the business reason behind
366 + each restricted area.
367 + </p>
368 + </details>
369 +
370 + <details class="resource-faq-item">
371 + <summary>Should XWiki rights be assigned directly to users?</summary>
372 + <p>
373 + In most cases, rights should be assigned through groups. Direct user rights can be useful in rare situations,
374 + but they are harder to maintain and should be reviewed carefully.
375 + </p>
376 + </details>
377 +
378 + <details class="resource-faq-item">
379 + <summary>What is the most common access-rights problem in XWiki?</summary>
380 + <p>
381 + A common issue is the accumulation of undocumented exceptions: old groups, page-level rights, inherited
382 + permissions and direct user rights that were correct at the time but are no longer clearly understood.
383 + </p>
384 + </details>
385 +
386 + <details class="resource-faq-item">
387 + <summary>Should access rights be reviewed before an XWiki upgrade?</summary>
388 + <p>
389 + Yes. Upgrades are a good moment to review permissions, especially for business-critical instances. The review
390 + can reveal old groups, sensitive rights, custom scripts and restricted areas that should be validated during
391 + the upgrade process.
392 + </p>
393 + </details>
394 +
395 + <details class="resource-faq-item">
396 + <summary>Does SSO replace an access-rights review?</summary>
397 + <p>
398 + No. SSO helps authenticate users, but XWiki authorization still depends on groups, rights, inheritance and
399 + page-level exceptions. Authentication and access control should be reviewed together.
400 + </p>
401 + </details>
402 +
403 + <div class="resource-note">
404 + <p>
405 + Related resources:
406 + <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>,
407 + <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>
408 + and
409 + <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">why regular XWiki upgrades matter</a>.
410 + </p>
411 + </div>
412 +
413 + <div class="resource-cta">
414 + <h3>Need help reviewing XWiki access rights?</h3>
415 + <p>
416 + If your XWiki instance has grown over time, uses many groups, contains restricted areas or depends on LDAP,
417 + SSO, OIDC or SAML, an access-rights review can help identify unclear permissions and define a safer model.
418 + </p>
419 + <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request an access-rights review</a>
420 + </div>
421 +
422 + </article>
423 + </div>
424 + </div>
425 + </section>
426 +
427 + <script type="application/ld+json">
428 + {
429 + "@context": "https://schema.org",
430 + "@type": "FAQPage",
431 + "mainEntity": [
432 + {
433 + "@type": "Question",
434 + "name": "Is listing pages with local rights enough for an access audit?",
435 + "acceptedAnswer": {
436 + "@type": "Answer",
437 + "text": "No. It is only a starting point. A complete review should also consider inherited permissions, group membership, wiki-level rights, explicit allow or deny rules, sensitive rights and the business reason behind each restricted area."
438 + }
439 + },
440 + {
441 + "@type": "Question",
442 + "name": "Should XWiki rights be assigned directly to users?",
443 + "acceptedAnswer": {
444 + "@type": "Answer",
445 + "text": "In most cases, rights should be assigned through groups. Direct user rights can be useful in rare situations, but they are harder to maintain and should be reviewed carefully."
446 + }
447 + },
448 + {
449 + "@type": "Question",
450 + "name": "What is the most common access-rights problem in XWiki?",
451 + "acceptedAnswer": {
452 + "@type": "Answer",
453 + "text": "A common issue is the accumulation of undocumented exceptions: old groups, page-level rights, inherited permissions and direct user rights that were correct at the time but are no longer clearly understood."
454 + }
455 + },
456 + {
457 + "@type": "Question",
458 + "name": "Should access rights be reviewed before an XWiki upgrade?",
459 + "acceptedAnswer": {
460 + "@type": "Answer",
461 + "text": "Yes. Upgrades are a good moment to review permissions, especially for business-critical instances. The review can reveal old groups, sensitive rights, custom scripts and restricted areas that should be validated during the upgrade process."
462 + }
463 + },
464 + {
465 + "@type": "Question",
466 + "name": "Does SSO replace an access-rights review?",
467 + "acceptedAnswer": {
468 + "@type": "Answer",
469 + "text": "No. SSO helps authenticate users, but XWiki authorization still depends on groups, rights, inheritance and page-level exceptions. Authentication and access control should be reviewed together."
470 + }
471 + }
472 + ]
473 + }
474 + </script>
475 +
476 +{{/html}}
477 +{{/velocity}}
Agnease.Code.SEODetailsClass[0]
metaDescription
... ... @@ -1,0 +1,1 @@
1 +Learn how to start an XWiki access-rights review by checking groups, local page rights, inherited permissions, powerful rights, inactive users and documentation gaps.
metaTitle
... ... @@ -1,0 +1,1 @@
1 +How to Start an XWiki Access-Rights Review | Agnease