Skip to Content
Last modified by Agnease on 2026/06/08 18:37
From version 2.10
edited by Agnease
on 2026/06/08 18:12
Change comment: There is no comment for this version
To version 2.12
edited by Agnease
on 2026/06/08 18:37
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -11,10 +11,10 @@
11 11   </div>
12 12   </div>
13 13  
14 - <h1 id="hero-title">How to start an XWiki access-rights review</h1>
14 + <h1 id="hero-title">A first-pass XWiki access-rights audit before changing permissions</h1>
15 15  
16 16   <p class="resource-summary">
17 - A practical first step for identifying local rights, old groups, sensitive permissions and unclear access exceptions
17 + A practical way to identify local rights, old groups, sensitive permissions and unclear access exceptions
18 18   before they become a security or maintenance problem.
19 19   </p>
20 20   </div>
... ... @@ -27,12 +27,14 @@
27 27   <aside class="resource-sidebar" aria-label="Page summary">
28 28   <h4>In this guide</h4>
29 29   <ul>
30 - <li><a href="#why-review">Why review access rights</a></li>
31 - <li><a href="#access-model">Start with the model</a></li>
32 - <li><a href="#review-groups">Review groups</a></li>
33 - <li><a href="#find-local-rights">Find local rights</a></li>
34 - <li><a href="#sensitive-rights">Sensitive rights</a></li>
35 - <li><a href="#document-findings">Document findings</a></li>
30 + <li><a href="#starting-point">Where to start</a></li>
31 + <li><a href="#first-pass-audit">First-pass audit</a></li>
32 + <li><a href="#access-model">Access areas</a></li>
33 + <li><a href="#review-groups">Groups and users</a></li>
34 + <li><a href="#find-local-rights">Local rights snippet</a></li>
35 + <li><a href="#interpret-results">How to interpret results</a></li>
36 + <li><a href="#common-findings">Common findings</a></li>
37 + <li><a href="#document-findings">Review register</a></li>
36 36   <li><a href="#review-checklist">Checklist</a></li>
37 37   <li><a href="#access-review-faq">FAQ</a></li>
38 38   </ul>
... ... @@ -41,6 +41,11 @@
41 41   <article class="resource-content">
42 42  
43 43   <p>
46 + When I review an existing XWiki instance, I do not start by changing permissions. I first try to understand
47 + where access rules have accumulated over time.
48 + </p>
49 +
50 + <p>
44 44   Many XWiki permission issues are not visible from the homepage. Users can log in, pages can be edited,
45 45   search can work correctly, and the wiki may still contain access rules that nobody fully understands anymore.
46 46   </p>
... ... @@ -52,53 +52,63 @@
52 52  
53 53   <div class="resource-note">
54 54   <p>
55 - <strong>In practice:</strong> an XWiki access-rights review should start by understanding the intended
56 - access model, then checking groups, local page rights, inherited permissions, powerful rights, inactive users
57 - and undocumented exceptions.
62 + <strong>In practice:</strong> the first review should not try to rebuild the whole permission model.
63 + It should identify risky areas, unclear exceptions, old groups and sensitive rights that need a closer look.
58 58   </p>
59 59   </div>
60 60  
67 + <h2 id="starting-point">Where to start in a real XWiki instance</h2>
68 +
61 61   <p>
62 - An XWiki access-rights review is a structured check of how users and groups receive permissions across the wiki.
63 - It helps administrators understand who can access what, why access was granted, which permissions are inherited,
64 - and where local exceptions may create risk or confusion.
70 + The first signs of a messy access model are usually simple: many groups with unclear names, rights assigned
71 + directly to users, restricted pages without an owner, old project spaces and powerful rights granted to people
72 + who no longer administer the platform.
65 65   </p>
66 66  
75 + <p>
76 + At this stage, the goal is not to decide whether every permission is correct. The goal is to build a map:
77 + which areas are sensitive, where local rights exist, which groups matter, and which findings should be reviewed
78 + before the next upgrade, migration or authentication change.
79 + </p>
80 +
67 67   <div class="resource-note">
68 68   <p>
69 - <strong>The main point:</strong> the goal is not only to find permission problems. The goal is to make the
70 - access model easier to explain, maintain and review over time.
83 + <strong>The main point:</strong> a useful access-rights review should answer more than “can this user access
84 + this page?” It should also answer “why do they have access, which group grants it, who owns the area and when
85 + should this be reviewed again?”
71 71   </p>
72 72   </div>
73 73  
74 - <h2 id="why-review">Why an access-rights review matters</h2>
75 -
76 76   <p>
77 - XWiki is often used for internal knowledge, project documentation, procedures, HR content, customer information,
78 - technical documentation, controlled documents or business-critical workflows. When the content becomes important,
79 - the access model becomes important too.
90 + For a broader view of security-related checks, see
91 + <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>.
80 80   </p>
81 81  
82 - <p>
83 - A permission setup can be technically valid and still be difficult to govern. For example, rights may be assigned
84 - to individual users instead of groups, old project groups may still have access, or page-level exceptions may
85 - override the expected inherited model.
86 - </p>
94 + <h2 id="first-pass-audit">A practical first-pass audit</h2>
87 87  
88 88   <p>
89 - For a broader view of security-related checks, see
90 - <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>.
97 + A first-pass audit should be safe and observational. Before changing anything in production, collect enough
98 + information to understand the current model and the areas that need attention.
91 91   </p>
92 92  
93 - <h2 id="access-model">1. Start with the access model, not with the UI</h2>
101 + <ul class="resource-checklist">
102 + <li>Do not change permissions before understanding why they exist.</li>
103 + <li>Identify the main areas of the wiki: open, internal, restricted, confidential and administrative.</li>
104 + <li>List the groups that seem to control access to these areas.</li>
105 + <li>Look for direct user rights and local page-level exceptions.</li>
106 + <li>Review admin, script and programming rights separately from normal edit rights.</li>
107 + <li>Document what is unclear instead of guessing.</li>
108 + </ul>
94 94  
110 + <h2 id="access-model">1. Start with access areas, not individual pages</h2>
111 +
95 95   <p>
96 - Before changing permissions, clarify what the wiki should look like from an access perspective. Otherwise,
97 - the review becomes a list of isolated technical checks without a clear target.
113 + Before reviewing individual permissions, clarify what the wiki should look like from an access perspective.
114 + Otherwise, the review becomes a list of isolated technical checks without a clear target.
98 98   </p>
99 99  
100 100   <p>
101 - A simple model is often enough. Separate the wiki into clear areas such as open internal knowledge,
118 + A simple access map is often enough. Separate the wiki into clear areas such as open internal knowledge,
102 102   team spaces, restricted projects, confidential documents, technical administration pages and external
103 103   collaboration areas.
104 104   </p>
... ... @@ -108,7 +108,7 @@
108 108   <tr>
109 109   <th>Area type</th>
110 110   <th>Typical access</th>
111 - <th>Review question</th>
128 + <th>First review question</th>
112 112   </tr>
113 113   </thead>
114 114   <tbody>
... ... @@ -149,42 +149,43 @@
149 149  
150 150   <p>
151 151   Start by reviewing which groups exist, what they are used for and whether their members still match the intended
152 - access model.
169 + access model. Group names often tell part of the story: old project names, temporary access groups and unclear
170 + role names are good signals that the access model needs cleanup.
153 153   </p>
154 154  
155 155   <table class="table table-bordered table-striped">
156 156   <thead>
157 157   <tr>
158 - <th>Group review item</th>
159 - <th>What to check</th>
160 - <th>Possible action</th>
176 + <th>Group signal</th>
177 + <th>What it may indicate</th>
178 + <th>First action</th>
161 161   </tr>
162 162   </thead>
163 163   <tbody>
164 164   <tr>
165 165   <td>Old project groups</td>
166 - <td>Groups created for projects that ended</td>
167 - <td>Remove access, archive the group or document why it remains active</td>
184 + <td>A project ended but access may still be active</td>
185 + <td>Confirm whether the group is still needed</td>
168 168   </tr>
169 169   <tr>
170 170   <td>Inactive users</td>
171 - <td>Users who no longer need access</td>
172 - <td>Remove from groups or deactivate accounts according to policy</td>
189 + <td>Former employees or old accounts may still have access</td>
190 + <td>Remove from groups or deactivate according to policy</td>
173 173   </tr>
174 174   <tr>
175 175   <td>Unclear group names</td>
176 - <td>Groups whose purpose is not obvious</td>
177 - <td>Rename, document or consolidate</td>
194 + <td>Nobody can easily explain what the group controls</td>
195 + <td>Document, rename or consolidate</td>
178 178   </tr>
179 179   <tr>
180 180   <td>Overloaded groups</td>
181 - <td>Groups used for too many unrelated areas</td>
199 + <td>One group controls too many unrelated areas</td>
182 182   <td>Split into clearer role-based or area-based groups</td>
183 183   </tr>
184 184   <tr>
185 185   <td>Admin groups</td>
186 - <td>Groups with powerful rights</td>
187 - <td>Review membership separately and keep it limited</td>
204 + <td>Powerful rights may be granted too broadly</td>
205 + <td>Review membership separately</td>
188 188   </tr>
189 189   </tbody>
190 190   </table>
... ... @@ -198,13 +198,13 @@
198 198  
199 199   <p>
200 200   The following Velocity snippet can help you start the review by listing pages that contain local
201 - <code>XWiki.XWikiRights</code> objects. It is not a complete audit, but it gives you a practical first list of
202 - places where local rights may exist.
219 + <code>XWiki.XWikiRights</code> objects. It is not a complete audit. It gives you a practical first list of
220 + pages where local rights may exist.
203 203   </p>
204 204  {{/html}}
205 205  {{/velocity}}
206 206  
207 -{{code}}
225 +{{code language="velocity"}}
208 208  #set ($query = "from doc.object(XWiki.XWikiRights) rights order by doc.fullName asc")
209 209  #set ($pages = $services.query.xwql($query).execute())
210 210  
... ... @@ -211,9 +211,9 @@
211 211  #if ($pages.isEmpty())
212 212   No pages with local XWiki rights were found.
213 213  #else
214 - |= Page |= Local rights found
232 + |= Page |= Review note
215 215   #foreach ($page in $pages)
216 - | [[$page]] | yes
234 + | [[$page]] | Local rights configured
217 217   #end
218 218  #end
219 219  {{/code}}
... ... @@ -220,20 +220,35 @@
220 220  
221 221  {{velocity}}
222 222  {{html clean="false"}}
241 + <h2 id="interpret-results">4. How to interpret the result</h2>
242 +
223 223   <p>
224 - Use the result as a starting point. Each page should be reviewed in context: why local rights were added, which
225 - users or groups are affected, whether rights apply only to that page or to a hierarchy, and whether the exception
226 - is still needed.
244 + The result should be treated as a review queue, not as a final answer. Each page should be checked in context:
245 + why local rights were added, who is affected, whether the rights apply only to one page or to a hierarchy, and
246 + whether the exception is still needed.
227 227   </p>
228 228  
229 229   <div class="resource-note">
230 230   <p>
231 - <strong>Important:</strong> a list of pages with local rights does not tell the full story. You still need to
232 - interpret inherited permissions, groups, explicit allow or deny rules, wiki-level rights and sensitive rights
233 - such as admin, script or programming.
251 + <strong>What this snippet helps you find:</strong> pages where local rights may override the expected inherited
252 + model, old restricted areas, project spaces with special access rules and confidential pages that should have
253 + a clear owner.
234 234   </p>
235 235   </div>
236 236  
257 + <div class="resource-note">
258 + <p>
259 + <strong>What this snippet does not tell you:</strong> whether the rights are correct, whether the groups are
260 + still valid, whether the users inside those groups still need access, or whether inherited permissions already
261 + grant access from a parent page.
262 + </p>
263 + </div>
264 +
265 + <p>
266 + A page appearing in this list is not automatically a problem. It simply means that the page deserves a closer
267 + look during the first-pass review.
268 + </p>
269 +
237 237   <div class="resource-inline-cta">
238 238   <p>
239 239   <strong>Not sure where local rights are hidden?</strong>
... ... @@ -240,10 +240,10 @@
240 240   A focused access-rights review can help identify local exceptions, inherited permissions, old groups and
241 241   sensitive rights that should be cleaned up or documented.
242 242   </p>
243 - <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request an access review</a>
276 + <a class="btn btn-default" href="$xwiki.getURL('contact.WebHome')">Request an access review</a>
244 244   </div>
245 245  
246 - <h2 id="sensitive-rights">4. Pay special attention to sensitive rights</h2>
279 + <h2 id="sensitive-rights">5. Review sensitive rights separately</h2>
247 247  
248 248   <p>
249 249   Not all rights have the same impact. View, comment and edit rights affect content collaboration. Administration,
... ... @@ -293,16 +293,34 @@
293 293   </tbody>
294 294   </table>
295 295  
296 - <h2 id="document-findings">5. Document the findings</h2>
329 + <h2 id="common-findings">Common findings during a first review</h2>
297 297  
298 298   <p>
332 + A first-pass review often reveals patterns that are not obvious from normal daily use. These findings do not
333 + always mean that the instance is unsafe, but they usually deserve clarification.
334 + </p>
335 +
336 + <ul class="resource-checklist">
337 + <li>Pages restricted years ago for a project that no longer exists.</li>
338 + <li>Groups created for temporary access that still grant view or edit rights.</li>
339 + <li>Direct user rights added because creating a proper group felt too heavy at the time.</li>
340 + <li>Admin or script rights granted to users who no longer maintain the platform.</li>
341 + <li>Restricted spaces without a clear business owner.</li>
342 + <li>External users still present in groups after the collaboration ended.</li>
343 + <li>Local page rights added to solve an urgent issue, but never reviewed again.</li>
344 + <li>Group synchronization from LDAP, SSO, OIDC or SAML that no longer matches the expected wiki access model.</li>
345 + </ul>
346 +
347 + <h2 id="document-findings">6. Document findings before changing permissions</h2>
348 +
349 + <p>
299 299   An access-rights review should not end with a few manual changes. The result should be documented so that the
300 300   next administrator understands what was found, what was changed and what still needs attention.
301 301   </p>
302 302  
303 303   <p>
304 - A simple review register can be enough. The goal is to record the affected area, the current access model, the
305 - risk, the owner and the recommended action.
355 + A simple review register is enough for a first pass. The goal is to record the affected area, the current access
356 + model, the concern, the owner and the recommended action.
306 306   </p>
307 307  
308 308   <table class="table table-bordered table-striped">
... ... @@ -336,11 +336,11 @@
336 336   </tbody>
337 337   </table>
338 338  
339 - <h2 id="review-checklist">XWiki access-rights review checklist</h2>
390 + <h2 id="review-checklist">XWiki access-rights first-pass checklist</h2>
340 340  
341 341   <p>
342 342   A practical review should combine technical checks with governance questions. The following checklist can be
343 - used as a starting point before changing permissions in production.
394 + used before changing permissions in production.
344 344   </p>
345 345  
346 346   <ul class="resource-checklist">
... ... @@ -353,7 +353,7 @@
353 353   <li>Review admin, script and programming rights separately.</li>
354 354   <li>Check authentication and group synchronization if LDAP, SSO, OIDC or SAML is used.</li>
355 355   <li>Document findings, owners, risks and recommended actions.</li>
356 - <li>Schedule a periodic access-rights review.</li>
407 + <li>Only then decide what should be cleaned up, simplified or reviewed with the business owner.</li>
357 357   </ul>
358 358  
359 359   <h2 id="access-review-faq">XWiki access-rights review FAQ</h2>
... ... @@ -400,14 +400,19 @@
400 400   </p>
401 401   </details>
402 402  
403 - <div class="resource-note">
404 - <p>
405 - Related resources:
406 - <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>,
407 - <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>
408 - and
409 - <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">why regular XWiki upgrades matter</a>.
410 - </p>
454 + <div class="resource-note related-resources">
455 + <p><strong>Related resources:</strong></p>
456 + <ul>
457 + <li>
458 + <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">Why XWiki access rights need a clear governance model</a>
459 + </li>
460 + <li>
461 + <a href="$xwiki.getURL('resources.xwiki-security-review')">What an XWiki security review should actually include</a>
462 + </li>
463 + <li>
464 + <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">Why regular XWiki upgrades matter</a>
465 + </li>
466 + </ul>
411 411   </div>
412 412  
413 413   <div class="resource-cta">