Skip to Content
Last modified by Agnease on 2026/06/08 18:37
From version 2.12
edited by Agnease
on 2026/06/08 18:37
Change comment: There is no comment for this version
To version 2.9
edited by Agnease
on 2026/06/08 18:10
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -11,10 +11,10 @@
11 11   </div>
12 12   </div>
13 13  
14 - <h1 id="hero-title">A first-pass XWiki access-rights audit before changing permissions</h1>
14 + <h1 id="hero-title">How to start an XWiki access-rights review</h1>
15 15  
16 16   <p class="resource-summary">
17 - A practical way to identify local rights, old groups, sensitive permissions and unclear access exceptions
17 + A practical first step for identifying local rights, old groups, sensitive permissions and unclear access exceptions
18 18   before they become a security or maintenance problem.
19 19   </p>
20 20   </div>
... ... @@ -27,14 +27,12 @@
27 27   <aside class="resource-sidebar" aria-label="Page summary">
28 28   <h4>In this guide</h4>
29 29   <ul>
30 - <li><a href="#starting-point">Where to start</a></li>
31 - <li><a href="#first-pass-audit">First-pass audit</a></li>
32 - <li><a href="#access-model">Access areas</a></li>
33 - <li><a href="#review-groups">Groups and users</a></li>
34 - <li><a href="#find-local-rights">Local rights snippet</a></li>
35 - <li><a href="#interpret-results">How to interpret results</a></li>
36 - <li><a href="#common-findings">Common findings</a></li>
37 - <li><a href="#document-findings">Review register</a></li>
30 + <li><a href="#why-review">Why review access rights</a></li>
31 + <li><a href="#access-model">Start with the model</a></li>
32 + <li><a href="#review-groups">Review groups</a></li>
33 + <li><a href="#find-local-rights">Find local rights</a></li>
34 + <li><a href="#sensitive-rights">Sensitive rights</a></li>
35 + <li><a href="#document-findings">Document findings</a></li>
38 38   <li><a href="#review-checklist">Checklist</a></li>
39 39   <li><a href="#access-review-faq">FAQ</a></li>
40 40   </ul>
... ... @@ -43,11 +43,6 @@
43 43   <article class="resource-content">
44 44  
45 45   <p>
46 - When I review an existing XWiki instance, I do not start by changing permissions. I first try to understand
47 - where access rules have accumulated over time.
48 - </p>
49 -
50 - <p>
51 51   Many XWiki permission issues are not visible from the homepage. Users can log in, pages can be edited,
52 52   search can work correctly, and the wiki may still contain access rules that nobody fully understands anymore.
53 53   </p>
... ... @@ -59,63 +59,53 @@
59 59  
60 60   <div class="resource-note">
61 61   <p>
62 - <strong>In practice:</strong> the first review should not try to rebuild the whole permission model.
63 - It should identify risky areas, unclear exceptions, old groups and sensitive rights that need a closer look.
55 + <strong>In practice:</strong> an XWiki access-rights review should start by understanding the intended
56 + access model, then checking groups, local page rights, inherited permissions, powerful rights, inactive users
57 + and undocumented exceptions.
64 64   </p>
65 65   </div>
66 66  
67 - <h2 id="starting-point">Where to start in a real XWiki instance</h2>
68 -
69 69   <p>
70 - The first signs of a messy access model are usually simple: many groups with unclear names, rights assigned
71 - directly to users, restricted pages without an owner, old project spaces and powerful rights granted to people
72 - who no longer administer the platform.
62 + An XWiki access-rights review is a structured check of how users and groups receive permissions across the wiki.
63 + It helps administrators understand who can access what, why access was granted, which permissions are inherited,
64 + and where local exceptions may create risk or confusion.
73 73   </p>
74 74  
75 - <p>
76 - At this stage, the goal is not to decide whether every permission is correct. The goal is to build a map:
77 - which areas are sensitive, where local rights exist, which groups matter, and which findings should be reviewed
78 - before the next upgrade, migration or authentication change.
79 - </p>
80 -
81 81   <div class="resource-note">
82 82   <p>
83 - <strong>The main point:</strong> a useful access-rights review should answer more than “can this user access
84 - this page?” It should also answer “why do they have access, which group grants it, who owns the area and when
85 - should this be reviewed again?”
69 + <strong>The main point:</strong> the goal is not only to find permission problems. The goal is to make the
70 + access model easier to explain, maintain and review over time.
86 86   </p>
87 87   </div>
88 88  
74 + <h2 id="why-review">Why an access-rights review matters</h2>
75 +
89 89   <p>
90 - For a broader view of security-related checks, see
91 - <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>.
77 + XWiki is often used for internal knowledge, project documentation, procedures, HR content, customer information,
78 + technical documentation, controlled documents or business-critical workflows. When the content becomes important,
79 + the access model becomes important too.
92 92   </p>
93 93  
94 - <h2 id="first-pass-audit">A practical first-pass audit</h2>
82 + <p>
83 + A permission setup can be technically valid and still be difficult to govern. For example, rights may be assigned
84 + to individual users instead of groups, old project groups may still have access, or page-level exceptions may
85 + override the expected inherited model.
86 + </p>
95 95  
96 96   <p>
97 - A first-pass audit should be safe and observational. Before changing anything in production, collect enough
98 - information to understand the current model and the areas that need attention.
89 + For a broader view of security-related checks, see
90 + <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>.
99 99   </p>
100 100  
101 - <ul class="resource-checklist">
102 - <li>Do not change permissions before understanding why they exist.</li>
103 - <li>Identify the main areas of the wiki: open, internal, restricted, confidential and administrative.</li>
104 - <li>List the groups that seem to control access to these areas.</li>
105 - <li>Look for direct user rights and local page-level exceptions.</li>
106 - <li>Review admin, script and programming rights separately from normal edit rights.</li>
107 - <li>Document what is unclear instead of guessing.</li>
108 - </ul>
93 + <h2 id="access-model">1. Start with the access model, not with the UI</h2>
109 109  
110 - <h2 id="access-model">1. Start with access areas, not individual pages</h2>
111 -
112 112   <p>
113 - Before reviewing individual permissions, clarify what the wiki should look like from an access perspective.
114 - Otherwise, the review becomes a list of isolated technical checks without a clear target.
96 + Before changing permissions, clarify what the wiki should look like from an access perspective. Otherwise,
97 + the review becomes a list of isolated technical checks without a clear target.
115 115   </p>
116 116  
117 117   <p>
118 - A simple access map is often enough. Separate the wiki into clear areas such as open internal knowledge,
101 + A simple model is often enough. Separate the wiki into clear areas such as open internal knowledge,
119 119   team spaces, restricted projects, confidential documents, technical administration pages and external
120 120   collaboration areas.
121 121   </p>
... ... @@ -125,7 +125,7 @@
125 125   <tr>
126 126   <th>Area type</th>
127 127   <th>Typical access</th>
128 - <th>First review question</th>
111 + <th>Review question</th>
129 129   </tr>
130 130   </thead>
131 131   <tbody>
... ... @@ -166,43 +166,42 @@
166 166  
167 167   <p>
168 168   Start by reviewing which groups exist, what they are used for and whether their members still match the intended
169 - access model. Group names often tell part of the story: old project names, temporary access groups and unclear
170 - role names are good signals that the access model needs cleanup.
152 + access model.
171 171   </p>
172 172  
173 173   <table class="table table-bordered table-striped">
174 174   <thead>
175 175   <tr>
176 - <th>Group signal</th>
177 - <th>What it may indicate</th>
178 - <th>First action</th>
158 + <th>Group review item</th>
159 + <th>What to check</th>
160 + <th>Possible action</th>
179 179   </tr>
180 180   </thead>
181 181   <tbody>
182 182   <tr>
183 183   <td>Old project groups</td>
184 - <td>A project ended but access may still be active</td>
185 - <td>Confirm whether the group is still needed</td>
166 + <td>Groups created for projects that ended</td>
167 + <td>Remove access, archive the group or document why it remains active</td>
186 186   </tr>
187 187   <tr>
188 188   <td>Inactive users</td>
189 - <td>Former employees or old accounts may still have access</td>
190 - <td>Remove from groups or deactivate according to policy</td>
171 + <td>Users who no longer need access</td>
172 + <td>Remove from groups or deactivate accounts according to policy</td>
191 191   </tr>
192 192   <tr>
193 193   <td>Unclear group names</td>
194 - <td>Nobody can easily explain what the group controls</td>
195 - <td>Document, rename or consolidate</td>
176 + <td>Groups whose purpose is not obvious</td>
177 + <td>Rename, document or consolidate</td>
196 196   </tr>
197 197   <tr>
198 198   <td>Overloaded groups</td>
199 - <td>One group controls too many unrelated areas</td>
181 + <td>Groups used for too many unrelated areas</td>
200 200   <td>Split into clearer role-based or area-based groups</td>
201 201   </tr>
202 202   <tr>
203 203   <td>Admin groups</td>
204 - <td>Powerful rights may be granted too broadly</td>
205 - <td>Review membership separately</td>
186 + <td>Groups with powerful rights</td>
187 + <td>Review membership separately and keep it limited</td>
206 206   </tr>
207 207   </tbody>
208 208   </table>
... ... @@ -216,13 +216,13 @@
216 216  
217 217   <p>
218 218   The following Velocity snippet can help you start the review by listing pages that contain local
219 - <code>XWiki.XWikiRights</code> objects. It is not a complete audit. It gives you a practical first list of
220 - pages where local rights may exist.
201 + <code>XWiki.XWikiRights</code> objects. It is not a complete audit, but it gives you a practical first list of
202 + places where local rights may exist.
221 221   </p>
222 222  {{/html}}
223 -{{/velocity}}
224 224  
225 -{{code language="velocity"}}
206 +
207 +{{code}}
226 226  #set ($query = "from doc.object(XWiki.XWikiRights) rights order by doc.fullName asc")
227 227  #set ($pages = $services.query.xwql($query).execute())
228 228  
... ... @@ -229,44 +229,29 @@
229 229  #if ($pages.isEmpty())
230 230   No pages with local XWiki rights were found.
231 231  #else
232 - |= Page |= Review note
214 + |= Page |= Local rights found
233 233   #foreach ($page in $pages)
234 - | [[$page]] | Local rights configured
216 + | [[$page]] | yes
235 235   #end
236 236  #end
237 237  {{/code}}
238 238  
239 -{{velocity}}
240 -{{html clean="false"}}
241 - <h2 id="interpret-results">4. How to interpret the result</h2>
242 242  
222 +{{html clean="false"}}
243 243   <p>
244 - The result should be treated as a review queue, not as a final answer. Each page should be checked in context:
245 - why local rights were added, who is affected, whether the rights apply only to one page or to a hierarchy, and
246 - whether the exception is still needed.
224 + Use the result as a starting point. Each page should be reviewed in context: why local rights were added, which
225 + users or groups are affected, whether rights apply only to that page or to a hierarchy, and whether the exception
226 + is still needed.
247 247   </p>
248 248  
249 249   <div class="resource-note">
250 250   <p>
251 - <strong>What this snippet helps you find:</strong> pages where local rights may override the expected inherited
252 - model, old restricted areas, project spaces with special access rules and confidential pages that should have
253 - a clear owner.
231 + <strong>Important:</strong> a list of pages with local rights does not tell the full story. You still need to
232 + interpret inherited permissions, groups, explicit allow or deny rules, wiki-level rights and sensitive rights
233 + such as admin, script or programming.
254 254   </p>
255 255   </div>
256 256  
257 - <div class="resource-note">
258 - <p>
259 - <strong>What this snippet does not tell you:</strong> whether the rights are correct, whether the groups are
260 - still valid, whether the users inside those groups still need access, or whether inherited permissions already
261 - grant access from a parent page.
262 - </p>
263 - </div>
264 -
265 - <p>
266 - A page appearing in this list is not automatically a problem. It simply means that the page deserves a closer
267 - look during the first-pass review.
268 - </p>
269 -
270 270   <div class="resource-inline-cta">
271 271   <p>
272 272   <strong>Not sure where local rights are hidden?</strong>
... ... @@ -273,10 +273,10 @@
273 273   A focused access-rights review can help identify local exceptions, inherited permissions, old groups and
274 274   sensitive rights that should be cleaned up or documented.
275 275   </p>
276 - <a class="btn btn-default" href="$xwiki.getURL('contact.WebHome')">Request an access review</a>
243 + <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request an access review</a>
277 277   </div>
278 278  
279 - <h2 id="sensitive-rights">5. Review sensitive rights separately</h2>
246 + <h2 id="sensitive-rights">4. Pay special attention to sensitive rights</h2>
280 280  
281 281   <p>
282 282   Not all rights have the same impact. View, comment and edit rights affect content collaboration. Administration,
... ... @@ -326,34 +326,16 @@
326 326   </tbody>
327 327   </table>
328 328  
329 - <h2 id="common-findings">Common findings during a first review</h2>
296 + <h2 id="document-findings">5. Document the findings</h2>
330 330  
331 331   <p>
332 - A first-pass review often reveals patterns that are not obvious from normal daily use. These findings do not
333 - always mean that the instance is unsafe, but they usually deserve clarification.
334 - </p>
335 -
336 - <ul class="resource-checklist">
337 - <li>Pages restricted years ago for a project that no longer exists.</li>
338 - <li>Groups created for temporary access that still grant view or edit rights.</li>
339 - <li>Direct user rights added because creating a proper group felt too heavy at the time.</li>
340 - <li>Admin or script rights granted to users who no longer maintain the platform.</li>
341 - <li>Restricted spaces without a clear business owner.</li>
342 - <li>External users still present in groups after the collaboration ended.</li>
343 - <li>Local page rights added to solve an urgent issue, but never reviewed again.</li>
344 - <li>Group synchronization from LDAP, SSO, OIDC or SAML that no longer matches the expected wiki access model.</li>
345 - </ul>
346 -
347 - <h2 id="document-findings">6. Document findings before changing permissions</h2>
348 -
349 - <p>
350 350   An access-rights review should not end with a few manual changes. The result should be documented so that the
351 351   next administrator understands what was found, what was changed and what still needs attention.
352 352   </p>
353 353  
354 354   <p>
355 - A simple review register is enough for a first pass. The goal is to record the affected area, the current access
356 - model, the concern, the owner and the recommended action.
304 + A simple review register can be enough. The goal is to record the affected area, the current access model, the
305 + risk, the owner and the recommended action.
357 357   </p>
358 358  
359 359   <table class="table table-bordered table-striped">
... ... @@ -387,11 +387,11 @@
387 387   </tbody>
388 388   </table>
389 389  
390 - <h2 id="review-checklist">XWiki access-rights first-pass checklist</h2>
339 + <h2 id="review-checklist">XWiki access-rights review checklist</h2>
391 391  
392 392   <p>
393 393   A practical review should combine technical checks with governance questions. The following checklist can be
394 - used before changing permissions in production.
343 + used as a starting point before changing permissions in production.
395 395   </p>
396 396  
397 397   <ul class="resource-checklist">
... ... @@ -404,7 +404,7 @@
404 404   <li>Review admin, script and programming rights separately.</li>
405 405   <li>Check authentication and group synchronization if LDAP, SSO, OIDC or SAML is used.</li>
406 406   <li>Document findings, owners, risks and recommended actions.</li>
407 - <li>Only then decide what should be cleaned up, simplified or reviewed with the business owner.</li>
356 + <li>Schedule a periodic access-rights review.</li>
408 408   </ul>
409 409  
410 410   <h2 id="access-review-faq">XWiki access-rights review FAQ</h2>
... ... @@ -451,19 +451,14 @@
451 451   </p>
452 452   </details>
453 453  
454 - <div class="resource-note related-resources">
455 - <p><strong>Related resources:</strong></p>
456 - <ul>
457 - <li>
458 - <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">Why XWiki access rights need a clear governance model</a>
459 - </li>
460 - <li>
461 - <a href="$xwiki.getURL('resources.xwiki-security-review')">What an XWiki security review should actually include</a>
462 - </li>
463 - <li>
464 - <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">Why regular XWiki upgrades matter</a>
465 - </li>
466 - </ul>
403 + <div class="resource-note">
404 + <p>
405 + Related resources:
406 + <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>,
407 + <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>
408 + and
409 + <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">why regular XWiki upgrades matter</a>.
410 + </p>
467 467   </div>
468 468  
469 469   <div class="resource-cta">