Skip to Content
Last modified by Agnease on 2026/06/08 18:37
From version 2.3
edited by Agnease
on 2026/06/08 18:04
Change comment: There is no comment for this version
To version 1.1
edited by Agnease
on 2026/06/08 18:00
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -How to start an XWiki access-rights review
1 +xwiki-access-rights-review
Content
... ... @@ -1,473 +1,0 @@
1 -{{velocity}}
2 -#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 -{{html clean="false"}}
4 -
5 - <section class="resource-header" aria-labelledby="hero-title">
6 - <div class="container">
7 - <div class="text-center">
8 - <div class="hero-kicker">
9 - <i class="fa fa-search" aria-hidden="true"></i>
10 - XWiki access-rights review
11 - </div>
12 - </div>
13 -
14 - <h1 id="hero-title">How to start an XWiki access-rights review</h1>
15 -
16 - <p class="resource-summary">
17 - A practical first step for identifying local rights, old groups, sensitive permissions and unclear access exceptions
18 - before they become a security or maintenance problem.
19 - </p>
20 - </div>
21 - </section>
22 -
23 - <section class="resource-page">
24 - <div class="container">
25 - <div class="resource-layout">
26 -
27 - <aside class="resource-sidebar" aria-label="Page summary">
28 - <h4>In this guide</h4>
29 - <ul>
30 - <li><a href="#why-review">Why review access rights</a></li>
31 - <li><a href="#access-model">Start with the model</a></li>
32 - <li><a href="#review-groups">Review groups</a></li>
33 - <li><a href="#find-local-rights">Find local rights</a></li>
34 - <li><a href="#sensitive-rights">Sensitive rights</a></li>
35 - <li><a href="#document-findings">Document findings</a></li>
36 - <li><a href="#review-checklist">Checklist</a></li>
37 - <li><a href="#access-review-faq">FAQ</a></li>
38 - </ul>
39 - </aside>
40 -
41 - <article class="resource-content">
42 -
43 - <p>
44 - Many XWiki permission issues are not visible from the homepage. Users can log in, pages can be edited,
45 - search can work correctly, and the wiki may still contain access rules that nobody fully understands anymore.
46 - </p>
47 -
48 - <p>
49 - This usually happens slowly. A team needs access, a page is restricted, a group is created, an exception is
50 - added, an external user is invited, and after a few years the access model becomes difficult to explain.
51 - </p>
52 -
53 - <div class="resource-note">
54 - <p>
55 - <strong>In practice:</strong> an XWiki access-rights review should start by understanding the intended
56 - access model, then checking groups, local page rights, inherited permissions, powerful rights, inactive users
57 - and undocumented exceptions.
58 - </p>
59 - </div>
60 -
61 - <p>
62 - An XWiki access-rights review is a structured check of how users and groups receive permissions across the wiki.
63 - It helps administrators understand who can access what, why access was granted, which permissions are inherited,
64 - and where local exceptions may create risk or confusion.
65 - </p>
66 -
67 - <div class="resource-note">
68 - <p>
69 - <strong>The main point:</strong> the goal is not only to find permission problems. The goal is to make the
70 - access model easier to explain, maintain and review over time.
71 - </p>
72 - </div>
73 -
74 - <h2 id="why-review">Why an access-rights review matters</h2>
75 -
76 - <p>
77 - XWiki is often used for internal knowledge, project documentation, procedures, HR content, customer information,
78 - technical documentation, controlled documents or business-critical workflows. When the content becomes important,
79 - the access model becomes important too.
80 - </p>
81 -
82 - <p>
83 - A permission setup can be technically valid and still be difficult to govern. For example, rights may be assigned
84 - to individual users instead of groups, old project groups may still have access, or page-level exceptions may
85 - override the expected inherited model.
86 - </p>
87 -
88 - <p>
89 - For a broader view of security-related checks, see
90 - <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>.
91 - </p>
92 -
93 - <h2 id="access-model">1. Start with the access model, not with the UI</h2>
94 -
95 - <p>
96 - Before changing permissions, clarify what the wiki should look like from an access perspective. Otherwise,
97 - the review becomes a list of isolated technical checks without a clear target.
98 - </p>
99 -
100 - <p>
101 - A simple model is often enough. Separate the wiki into clear areas such as open internal knowledge,
102 - team spaces, restricted projects, confidential documents, technical administration pages and external
103 - collaboration areas.
104 - </p>
105 -
106 - <table class="table table-bordered table-striped">
107 - <thead>
108 - <tr>
109 - <th>Area type</th>
110 - <th>Typical access</th>
111 - <th>Review question</th>
112 - </tr>
113 - </thead>
114 - <tbody>
115 - <tr>
116 - <td>Open internal knowledge</td>
117 - <td>Most authenticated users can view, selected users can edit</td>
118 - <td>Is this content really safe for broad internal access?</td>
119 - </tr>
120 - <tr>
121 - <td>Team or project spaces</td>
122 - <td>Team members can edit, others may only view</td>
123 - <td>Are the groups still aligned with the current team?</td>
124 - </tr>
125 - <tr>
126 - <td>Restricted projects</td>
127 - <td>Only selected groups can view or edit</td>
128 - <td>Is access granted through groups or individual users?</td>
129 - </tr>
130 - <tr>
131 - <td>Confidential documents</td>
132 - <td>Small controlled group</td>
133 - <td>Who owns the restriction and when was it last reviewed?</td>
134 - </tr>
135 - <tr>
136 - <td>Technical administration pages</td>
137 - <td>Trusted administrators only</td>
138 - <td>Are admin, script and programming rights limited?</td>
139 - </tr>
140 - </tbody>
141 - </table>
142 -
143 - <h2 id="review-groups">2. Review groups before reviewing pages</h2>
144 -
145 - <p>
146 - In most XWiki instances, groups should be the foundation of the permission model. Rights assigned directly to
147 - individual users are harder to maintain because people change roles, leave the organization or move between teams.
148 - </p>
149 -
150 - <p>
151 - Start by reviewing which groups exist, what they are used for and whether their members still match the intended
152 - access model.
153 - </p>
154 -
155 - <table class="table table-bordered table-striped">
156 - <thead>
157 - <tr>
158 - <th>Group review item</th>
159 - <th>What to check</th>
160 - <th>Possible action</th>
161 - </tr>
162 - </thead>
163 - <tbody>
164 - <tr>
165 - <td>Old project groups</td>
166 - <td>Groups created for projects that ended</td>
167 - <td>Remove access, archive the group or document why it remains active</td>
168 - </tr>
169 - <tr>
170 - <td>Inactive users</td>
171 - <td>Users who no longer need access</td>
172 - <td>Remove from groups or deactivate accounts according to policy</td>
173 - </tr>
174 - <tr>
175 - <td>Unclear group names</td>
176 - <td>Groups whose purpose is not obvious</td>
177 - <td>Rename, document or consolidate</td>
178 - </tr>
179 - <tr>
180 - <td>Overloaded groups</td>
181 - <td>Groups used for too many unrelated areas</td>
182 - <td>Split into clearer role-based or area-based groups</td>
183 - </tr>
184 - <tr>
185 - <td>Admin groups</td>
186 - <td>Groups with powerful rights</td>
187 - <td>Review membership separately and keep it limited</td>
188 - </tr>
189 - </tbody>
190 - </table>
191 -
192 - <h2 id="find-local-rights">3. Identify pages with local access rights</h2>
193 -
194 - <p>
195 - Local page-level rights are often where surprises appear. They are useful when a page or page hierarchy needs
196 - special access rules, but they can become difficult to manage when they are added repeatedly without documentation.
197 - </p>
198 -
199 - <p>
200 - The following Velocity snippet can help you start the review by listing pages that contain local
201 - <code>XWiki.XWikiRights</code> objects. It is not a complete audit, but it gives you a practical first list of
202 - places where local rights may exist.
203 - </p>
204 -
205 -{{code language="velocity"}}
206 -#set ($query = "select distinct doc.fullName from XWikiDocument doc, BaseObject obj where obj.name = doc.fullName and obj.className = 'XWiki.XWikiRights' order by doc.fullName asc")
207 -#set ($pages = $services.query.xwql($query).execute())
208 -
209 -#if ($pages.isEmpty())
210 - No pages with local XWiki rights were found.
211 -#else
212 - |= Page |= Local rights found
213 - #foreach ($page in $pages)
214 - | [[$page]] | yes
215 - #end
216 -#end
217 -{{/code}}
218 -
219 - <p>
220 - Use the result as a starting point. Each page should be reviewed in context: why local rights were added, which
221 - users or groups are affected, whether rights apply only to that page or to a hierarchy, and whether the exception
222 - is still needed.
223 - </p>
224 -
225 - <div class="resource-note">
226 - <p>
227 - <strong>Important:</strong> a list of pages with local rights does not tell the full story. You still need to
228 - interpret inherited permissions, groups, explicit allow or deny rules, wiki-level rights and sensitive rights
229 - such as admin, script or programming.
230 - </p>
231 - </div>
232 -
233 - <div class="resource-inline-cta">
234 - <p>
235 - <strong>Not sure where local rights are hidden?</strong>
236 - A focused access-rights review can help identify local exceptions, inherited permissions, old groups and
237 - sensitive rights that should be cleaned up or documented.
238 - </p>
239 - <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request an access review</a>
240 - </div>
241 -
242 - <h2 id="sensitive-rights">4. Pay special attention to sensitive rights</h2>
243 -
244 - <p>
245 - Not all rights have the same impact. View, comment and edit rights affect content collaboration. Administration,
246 - script and programming rights can have a broader technical and security impact and should be reviewed separately.
247 - </p>
248 -
249 - <p>
250 - A user with powerful rights may be able to change configuration, execute advanced scripts, affect other users or
251 - influence how content is rendered. These rights should be granted intentionally, limited to trusted users and
252 - documented as part of the administration model.
253 - </p>
254 -
255 - <table class="table table-bordered table-striped">
256 - <thead>
257 - <tr>
258 - <th>Right type</th>
259 - <th>Why it matters</th>
260 - <th>Review approach</th>
261 - </tr>
262 - </thead>
263 - <tbody>
264 - <tr>
265 - <td>Admin</td>
266 - <td>Can control important wiki configuration and rights</td>
267 - <td>Keep limited and review membership regularly</td>
268 - </tr>
269 - <tr>
270 - <td>Script</td>
271 - <td>Can allow advanced scripting behavior depending on context</td>
272 - <td>Grant only to users who understand the technical impact</td>
273 - </tr>
274 - <tr>
275 - <td>Programming</td>
276 - <td>Can be highly sensitive and should be reserved for trusted technical administrators</td>
277 - <td>Review separately from normal editing permissions</td>
278 - </tr>
279 - <tr>
280 - <td>Edit</td>
281 - <td>Allows content changes and may affect business processes</td>
282 - <td>Assign through groups and validate restricted areas</td>
283 - </tr>
284 - <tr>
285 - <td>View</td>
286 - <td>Controls access to content and confidential information</td>
287 - <td>Review public, internal and restricted areas carefully</td>
288 - </tr>
289 - </tbody>
290 - </table>
291 -
292 - <h2 id="document-findings">5. Document the findings</h2>
293 -
294 - <p>
295 - An access-rights review should not end with a few manual changes. The result should be documented so that the
296 - next administrator understands what was found, what was changed and what still needs attention.
297 - </p>
298 -
299 - <p>
300 - A simple review register can be enough. The goal is to record the affected area, the current access model, the
301 - risk, the owner and the recommended action.
302 - </p>
303 -
304 - <table class="table table-bordered table-striped">
305 - <thead>
306 - <tr>
307 - <th>Area or page</th>
308 - <th>Current access</th>
309 - <th>Risk or concern</th>
310 - <th>Recommended action</th>
311 - <th>Owner</th>
312 - <th>Review date</th>
313 - </tr>
314 - </thead>
315 - <tbody>
316 - <tr>
317 - <td>Example.ProjectSpace</td>
318 - <td>Old project group can still view</td>
319 - <td>Project ended, access may no longer be needed</td>
320 - <td>Confirm owner and remove group if obsolete</td>
321 - <td>Project owner</td>
322 - <td>YYYY-MM-DD</td>
323 - </tr>
324 - <tr>
325 - <td>Example.ConfidentialDocs</td>
326 - <td>Individual users have direct rights</td>
327 - <td>Difficult to maintain when roles change</td>
328 - <td>Move access to a dedicated group</td>
329 - <td>Content owner</td>
330 - <td>YYYY-MM-DD</td>
331 - </tr>
332 - </tbody>
333 - </table>
334 -
335 - <h2 id="review-checklist">XWiki access-rights review checklist</h2>
336 -
337 - <p>
338 - A practical review should combine technical checks with governance questions. The following checklist can be
339 - used as a starting point before changing permissions in production.
340 - </p>
341 -
342 - <ul class="resource-checklist">
343 - <li>Identify public, internal, restricted and administrative areas.</li>
344 - <li>List active groups and clarify what each group is used for.</li>
345 - <li>Review old groups, inactive users and temporary access.</li>
346 - <li>Identify pages with local XWiki rights objects.</li>
347 - <li>Review page-level exceptions and inherited permissions.</li>
348 - <li>Check whether rights are assigned to groups rather than individual users.</li>
349 - <li>Review admin, script and programming rights separately.</li>
350 - <li>Check authentication and group synchronization if LDAP, SSO, OIDC or SAML is used.</li>
351 - <li>Document findings, owners, risks and recommended actions.</li>
352 - <li>Schedule a periodic access-rights review.</li>
353 - </ul>
354 -
355 - <h2 id="access-review-faq">XWiki access-rights review FAQ</h2>
356 -
357 - <details class="resource-faq-item" open>
358 - <summary>Is listing pages with local rights enough for an access audit?</summary>
359 - <p>
360 - No. It is only a starting point. A complete review should also consider inherited permissions, group
361 - membership, wiki-level rights, explicit allow or deny rules, sensitive rights and the business reason behind
362 - each restricted area.
363 - </p>
364 - </details>
365 -
366 - <details class="resource-faq-item">
367 - <summary>Should XWiki rights be assigned directly to users?</summary>
368 - <p>
369 - In most cases, rights should be assigned through groups. Direct user rights can be useful in rare situations,
370 - but they are harder to maintain and should be reviewed carefully.
371 - </p>
372 - </details>
373 -
374 - <details class="resource-faq-item">
375 - <summary>What is the most common access-rights problem in XWiki?</summary>
376 - <p>
377 - A common issue is the accumulation of undocumented exceptions: old groups, page-level rights, inherited
378 - permissions and direct user rights that were correct at the time but are no longer clearly understood.
379 - </p>
380 - </details>
381 -
382 - <details class="resource-faq-item">
383 - <summary>Should access rights be reviewed before an XWiki upgrade?</summary>
384 - <p>
385 - Yes. Upgrades are a good moment to review permissions, especially for business-critical instances. The review
386 - can reveal old groups, sensitive rights, custom scripts and restricted areas that should be validated during
387 - the upgrade process.
388 - </p>
389 - </details>
390 -
391 - <details class="resource-faq-item">
392 - <summary>Does SSO replace an access-rights review?</summary>
393 - <p>
394 - No. SSO helps authenticate users, but XWiki authorization still depends on groups, rights, inheritance and
395 - page-level exceptions. Authentication and access control should be reviewed together.
396 - </p>
397 - </details>
398 -
399 - <div class="resource-note">
400 - <p>
401 - Related resources:
402 - <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>,
403 - <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>
404 - and
405 - <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">why regular XWiki upgrades matter</a>.
406 - </p>
407 - </div>
408 -
409 - <div class="resource-cta">
410 - <h3>Need help reviewing XWiki access rights?</h3>
411 - <p>
412 - If your XWiki instance has grown over time, uses many groups, contains restricted areas or depends on LDAP,
413 - SSO, OIDC or SAML, an access-rights review can help identify unclear permissions and define a safer model.
414 - </p>
415 - <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request an access-rights review</a>
416 - </div>
417 -
418 - </article>
419 - </div>
420 - </div>
421 - </section>
422 -
423 - <script type="application/ld+json">
424 - {
425 - "@context": "https://schema.org",
426 - "@type": "FAQPage",
427 - "mainEntity": [
428 - {
429 - "@type": "Question",
430 - "name": "Is listing pages with local rights enough for an access audit?",
431 - "acceptedAnswer": {
432 - "@type": "Answer",
433 - "text": "No. It is only a starting point. A complete review should also consider inherited permissions, group membership, wiki-level rights, explicit allow or deny rules, sensitive rights and the business reason behind each restricted area."
434 - }
435 - },
436 - {
437 - "@type": "Question",
438 - "name": "Should XWiki rights be assigned directly to users?",
439 - "acceptedAnswer": {
440 - "@type": "Answer",
441 - "text": "In most cases, rights should be assigned through groups. Direct user rights can be useful in rare situations, but they are harder to maintain and should be reviewed carefully."
442 - }
443 - },
444 - {
445 - "@type": "Question",
446 - "name": "What is the most common access-rights problem in XWiki?",
447 - "acceptedAnswer": {
448 - "@type": "Answer",
449 - "text": "A common issue is the accumulation of undocumented exceptions: old groups, page-level rights, inherited permissions and direct user rights that were correct at the time but are no longer clearly understood."
450 - }
451 - },
452 - {
453 - "@type": "Question",
454 - "name": "Should access rights be reviewed before an XWiki upgrade?",
455 - "acceptedAnswer": {
456 - "@type": "Answer",
457 - "text": "Yes. Upgrades are a good moment to review permissions, especially for business-critical instances. The review can reveal old groups, sensitive rights, custom scripts and restricted areas that should be validated during the upgrade process."
458 - }
459 - },
460 - {
461 - "@type": "Question",
462 - "name": "Does SSO replace an access-rights review?",
463 - "acceptedAnswer": {
464 - "@type": "Answer",
465 - "text": "No. SSO helps authenticate users, but XWiki authorization still depends on groups, rights, inheritance and page-level exceptions. Authentication and access control should be reviewed together."
466 - }
467 - }
468 - ]
469 - }
470 - </script>
471 -
472 -{{/html}}
473 -{{/velocity}}
Agnease.Code.SEODetailsClass[0]
metaDescription
... ... @@ -1,1 +1,0 @@
1 -Learn how to start an XWiki access-rights review by checking groups, local page rights, inherited permissions, powerful rights, inactive users and documentation gaps.
metaTitle
... ... @@ -1,1 +1,0 @@
1 -How to Start an XWiki Access-Rights Review | Agnease