Skip to Content
Last modified by Agnease on 2026/06/08 18:37
From version 2.5
edited by Agnease
on 2026/06/08 18:05
Change comment: There is no comment for this version
To version 2.12
edited by Agnease
on 2026/06/08 18:37
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -11,10 +11,10 @@
11 11   </div>
12 12   </div>
13 13  
14 - <h1 id="hero-title">How to start an XWiki access-rights review</h1>
14 + <h1 id="hero-title">A first-pass XWiki access-rights audit before changing permissions</h1>
15 15  
16 16   <p class="resource-summary">
17 - A practical first step for identifying local rights, old groups, sensitive permissions and unclear access exceptions
17 + A practical way to identify local rights, old groups, sensitive permissions and unclear access exceptions
18 18   before they become a security or maintenance problem.
19 19   </p>
20 20   </div>
... ... @@ -27,12 +27,14 @@
27 27   <aside class="resource-sidebar" aria-label="Page summary">
28 28   <h4>In this guide</h4>
29 29   <ul>
30 - <li><a href="#why-review">Why review access rights</a></li>
31 - <li><a href="#access-model">Start with the model</a></li>
32 - <li><a href="#review-groups">Review groups</a></li>
33 - <li><a href="#find-local-rights">Find local rights</a></li>
34 - <li><a href="#sensitive-rights">Sensitive rights</a></li>
35 - <li><a href="#document-findings">Document findings</a></li>
30 + <li><a href="#starting-point">Where to start</a></li>
31 + <li><a href="#first-pass-audit">First-pass audit</a></li>
32 + <li><a href="#access-model">Access areas</a></li>
33 + <li><a href="#review-groups">Groups and users</a></li>
34 + <li><a href="#find-local-rights">Local rights snippet</a></li>
35 + <li><a href="#interpret-results">How to interpret results</a></li>
36 + <li><a href="#common-findings">Common findings</a></li>
37 + <li><a href="#document-findings">Review register</a></li>
36 36   <li><a href="#review-checklist">Checklist</a></li>
37 37   <li><a href="#access-review-faq">FAQ</a></li>
38 38   </ul>
... ... @@ -41,6 +41,11 @@
41 41   <article class="resource-content">
42 42  
43 43   <p>
46 + When I review an existing XWiki instance, I do not start by changing permissions. I first try to understand
47 + where access rules have accumulated over time.
48 + </p>
49 +
50 + <p>
44 44   Many XWiki permission issues are not visible from the homepage. Users can log in, pages can be edited,
45 45   search can work correctly, and the wiki may still contain access rules that nobody fully understands anymore.
46 46   </p>
... ... @@ -52,53 +52,63 @@
52 52  
53 53   <div class="resource-note">
54 54   <p>
55 - <strong>In practice:</strong> an XWiki access-rights review should start by understanding the intended
56 - access model, then checking groups, local page rights, inherited permissions, powerful rights, inactive users
57 - and undocumented exceptions.
62 + <strong>In practice:</strong> the first review should not try to rebuild the whole permission model.
63 + It should identify risky areas, unclear exceptions, old groups and sensitive rights that need a closer look.
58 58   </p>
59 59   </div>
60 60  
67 + <h2 id="starting-point">Where to start in a real XWiki instance</h2>
68 +
61 61   <p>
62 - An XWiki access-rights review is a structured check of how users and groups receive permissions across the wiki.
63 - It helps administrators understand who can access what, why access was granted, which permissions are inherited,
64 - and where local exceptions may create risk or confusion.
70 + The first signs of a messy access model are usually simple: many groups with unclear names, rights assigned
71 + directly to users, restricted pages without an owner, old project spaces and powerful rights granted to people
72 + who no longer administer the platform.
65 65   </p>
66 66  
75 + <p>
76 + At this stage, the goal is not to decide whether every permission is correct. The goal is to build a map:
77 + which areas are sensitive, where local rights exist, which groups matter, and which findings should be reviewed
78 + before the next upgrade, migration or authentication change.
79 + </p>
80 +
67 67   <div class="resource-note">
68 68   <p>
69 - <strong>The main point:</strong> the goal is not only to find permission problems. The goal is to make the
70 - access model easier to explain, maintain and review over time.
83 + <strong>The main point:</strong> a useful access-rights review should answer more than “can this user access
84 + this page?” It should also answer “why do they have access, which group grants it, who owns the area and when
85 + should this be reviewed again?”
71 71   </p>
72 72   </div>
73 73  
74 - <h2 id="why-review">Why an access-rights review matters</h2>
75 -
76 76   <p>
77 - XWiki is often used for internal knowledge, project documentation, procedures, HR content, customer information,
78 - technical documentation, controlled documents or business-critical workflows. When the content becomes important,
79 - the access model becomes important too.
90 + For a broader view of security-related checks, see
91 + <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>.
80 80   </p>
81 81  
82 - <p>
83 - A permission setup can be technically valid and still be difficult to govern. For example, rights may be assigned
84 - to individual users instead of groups, old project groups may still have access, or page-level exceptions may
85 - override the expected inherited model.
86 - </p>
94 + <h2 id="first-pass-audit">A practical first-pass audit</h2>
87 87  
88 88   <p>
89 - For a broader view of security-related checks, see
90 - <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>.
97 + A first-pass audit should be safe and observational. Before changing anything in production, collect enough
98 + information to understand the current model and the areas that need attention.
91 91   </p>
92 92  
93 - <h2 id="access-model">1. Start with the access model, not with the UI</h2>
101 + <ul class="resource-checklist">
102 + <li>Do not change permissions before understanding why they exist.</li>
103 + <li>Identify the main areas of the wiki: open, internal, restricted, confidential and administrative.</li>
104 + <li>List the groups that seem to control access to these areas.</li>
105 + <li>Look for direct user rights and local page-level exceptions.</li>
106 + <li>Review admin, script and programming rights separately from normal edit rights.</li>
107 + <li>Document what is unclear instead of guessing.</li>
108 + </ul>
94 94  
110 + <h2 id="access-model">1. Start with access areas, not individual pages</h2>
111 +
95 95   <p>
96 - Before changing permissions, clarify what the wiki should look like from an access perspective. Otherwise,
97 - the review becomes a list of isolated technical checks without a clear target.
113 + Before reviewing individual permissions, clarify what the wiki should look like from an access perspective.
114 + Otherwise, the review becomes a list of isolated technical checks without a clear target.
98 98   </p>
99 99  
100 100   <p>
101 - A simple model is often enough. Separate the wiki into clear areas such as open internal knowledge,
118 + A simple access map is often enough. Separate the wiki into clear areas such as open internal knowledge,
102 102   team spaces, restricted projects, confidential documents, technical administration pages and external
103 103   collaboration areas.
104 104   </p>
... ... @@ -108,7 +108,7 @@
108 108   <tr>
109 109   <th>Area type</th>
110 110   <th>Typical access</th>
111 - <th>Review question</th>
128 + <th>First review question</th>
112 112   </tr>
113 113   </thead>
114 114   <tbody>
... ... @@ -149,42 +149,43 @@
149 149  
150 150   <p>
151 151   Start by reviewing which groups exist, what they are used for and whether their members still match the intended
152 - access model.
169 + access model. Group names often tell part of the story: old project names, temporary access groups and unclear
170 + role names are good signals that the access model needs cleanup.
153 153   </p>
154 154  
155 155   <table class="table table-bordered table-striped">
156 156   <thead>
157 157   <tr>
158 - <th>Group review item</th>
159 - <th>What to check</th>
160 - <th>Possible action</th>
176 + <th>Group signal</th>
177 + <th>What it may indicate</th>
178 + <th>First action</th>
161 161   </tr>
162 162   </thead>
163 163   <tbody>
164 164   <tr>
165 165   <td>Old project groups</td>
166 - <td>Groups created for projects that ended</td>
167 - <td>Remove access, archive the group or document why it remains active</td>
184 + <td>A project ended but access may still be active</td>
185 + <td>Confirm whether the group is still needed</td>
168 168   </tr>
169 169   <tr>
170 170   <td>Inactive users</td>
171 - <td>Users who no longer need access</td>
172 - <td>Remove from groups or deactivate accounts according to policy</td>
189 + <td>Former employees or old accounts may still have access</td>
190 + <td>Remove from groups or deactivate according to policy</td>
173 173   </tr>
174 174   <tr>
175 175   <td>Unclear group names</td>
176 - <td>Groups whose purpose is not obvious</td>
177 - <td>Rename, document or consolidate</td>
194 + <td>Nobody can easily explain what the group controls</td>
195 + <td>Document, rename or consolidate</td>
178 178   </tr>
179 179   <tr>
180 180   <td>Overloaded groups</td>
181 - <td>Groups used for too many unrelated areas</td>
199 + <td>One group controls too many unrelated areas</td>
182 182   <td>Split into clearer role-based or area-based groups</td>
183 183   </tr>
184 184   <tr>
185 185   <td>Admin groups</td>
186 - <td>Groups with powerful rights</td>
187 - <td>Review membership separately and keep it limited</td>
204 + <td>Powerful rights may be granted too broadly</td>
205 + <td>Review membership separately</td>
188 188   </tr>
189 189   </tbody>
190 190   </table>
... ... @@ -198,40 +198,57 @@
198 198  
199 199   <p>
200 200   The following Velocity snippet can help you start the review by listing pages that contain local
201 - <code>XWiki.XWikiRights</code> objects. It is not a complete audit, but it gives you a practical first list of
202 - places where local rights may exist.
219 + <code>XWiki.XWikiRights</code> objects. It is not a complete audit. It gives you a practical first list of
220 + pages where local rights may exist.
203 203   </p>
204 204  {{/html}}
223 +{{/velocity}}
205 205  
206 206  {{code language="velocity"}}
207 -#set ($query = "select distinct doc.fullName from XWikiDocument doc, BaseObject obj where obj.name = doc.fullName and obj.className = 'XWiki.XWikiRights' order by doc.fullName asc")
226 +#set ($query = "from doc.object(XWiki.XWikiRights) rights order by doc.fullName asc")
208 208  #set ($pages = $services.query.xwql($query).execute())
209 209  
210 210  #if ($pages.isEmpty())
211 211   No pages with local XWiki rights were found.
212 212  #else
213 - |= Page |= Local rights found
232 + |= Page |= Review note
214 214   #foreach ($page in $pages)
215 - | [[$page]] | yes
234 + | [[$page]] | Local rights configured
216 216   #end
217 217  #end
218 218  {{/code}}
219 219  
239 +{{velocity}}
220 220  {{html clean="false"}}
241 + <h2 id="interpret-results">4. How to interpret the result</h2>
242 +
221 221   <p>
222 - Use the result as a starting point. Each page should be reviewed in context: why local rights were added, which
223 - users or groups are affected, whether rights apply only to that page or to a hierarchy, and whether the exception
224 - is still needed.
244 + The result should be treated as a review queue, not as a final answer. Each page should be checked in context:
245 + why local rights were added, who is affected, whether the rights apply only to one page or to a hierarchy, and
246 + whether the exception is still needed.
225 225   </p>
226 226  
227 227   <div class="resource-note">
228 228   <p>
229 - <strong>Important:</strong> a list of pages with local rights does not tell the full story. You still need to
230 - interpret inherited permissions, groups, explicit allow or deny rules, wiki-level rights and sensitive rights
231 - such as admin, script or programming.
251 + <strong>What this snippet helps you find:</strong> pages where local rights may override the expected inherited
252 + model, old restricted areas, project spaces with special access rules and confidential pages that should have
253 + a clear owner.
232 232   </p>
233 233   </div>
234 234  
257 + <div class="resource-note">
258 + <p>
259 + <strong>What this snippet does not tell you:</strong> whether the rights are correct, whether the groups are
260 + still valid, whether the users inside those groups still need access, or whether inherited permissions already
261 + grant access from a parent page.
262 + </p>
263 + </div>
264 +
265 + <p>
266 + A page appearing in this list is not automatically a problem. It simply means that the page deserves a closer
267 + look during the first-pass review.
268 + </p>
269 +
235 235   <div class="resource-inline-cta">
236 236   <p>
237 237   <strong>Not sure where local rights are hidden?</strong>
... ... @@ -238,10 +238,10 @@
238 238   A focused access-rights review can help identify local exceptions, inherited permissions, old groups and
239 239   sensitive rights that should be cleaned up or documented.
240 240   </p>
241 - <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request an access review</a>
276 + <a class="btn btn-default" href="$xwiki.getURL('contact.WebHome')">Request an access review</a>
242 242   </div>
243 243  
244 - <h2 id="sensitive-rights">4. Pay special attention to sensitive rights</h2>
279 + <h2 id="sensitive-rights">5. Review sensitive rights separately</h2>
245 245  
246 246   <p>
247 247   Not all rights have the same impact. View, comment and edit rights affect content collaboration. Administration,
... ... @@ -291,16 +291,34 @@
291 291   </tbody>
292 292   </table>
293 293  
294 - <h2 id="document-findings">5. Document the findings</h2>
329 + <h2 id="common-findings">Common findings during a first review</h2>
295 295  
296 296   <p>
332 + A first-pass review often reveals patterns that are not obvious from normal daily use. These findings do not
333 + always mean that the instance is unsafe, but they usually deserve clarification.
334 + </p>
335 +
336 + <ul class="resource-checklist">
337 + <li>Pages restricted years ago for a project that no longer exists.</li>
338 + <li>Groups created for temporary access that still grant view or edit rights.</li>
339 + <li>Direct user rights added because creating a proper group felt too heavy at the time.</li>
340 + <li>Admin or script rights granted to users who no longer maintain the platform.</li>
341 + <li>Restricted spaces without a clear business owner.</li>
342 + <li>External users still present in groups after the collaboration ended.</li>
343 + <li>Local page rights added to solve an urgent issue, but never reviewed again.</li>
344 + <li>Group synchronization from LDAP, SSO, OIDC or SAML that no longer matches the expected wiki access model.</li>
345 + </ul>
346 +
347 + <h2 id="document-findings">6. Document findings before changing permissions</h2>
348 +
349 + <p>
297 297   An access-rights review should not end with a few manual changes. The result should be documented so that the
298 298   next administrator understands what was found, what was changed and what still needs attention.
299 299   </p>
300 300  
301 301   <p>
302 - A simple review register can be enough. The goal is to record the affected area, the current access model, the
303 - risk, the owner and the recommended action.
355 + A simple review register is enough for a first pass. The goal is to record the affected area, the current access
356 + model, the concern, the owner and the recommended action.
304 304   </p>
305 305  
306 306   <table class="table table-bordered table-striped">
... ... @@ -334,11 +334,11 @@
334 334   </tbody>
335 335   </table>
336 336  
337 - <h2 id="review-checklist">XWiki access-rights review checklist</h2>
390 + <h2 id="review-checklist">XWiki access-rights first-pass checklist</h2>
338 338  
339 339   <p>
340 340   A practical review should combine technical checks with governance questions. The following checklist can be
341 - used as a starting point before changing permissions in production.
394 + used before changing permissions in production.
342 342   </p>
343 343  
344 344   <ul class="resource-checklist">
... ... @@ -351,7 +351,7 @@
351 351   <li>Review admin, script and programming rights separately.</li>
352 352   <li>Check authentication and group synchronization if LDAP, SSO, OIDC or SAML is used.</li>
353 353   <li>Document findings, owners, risks and recommended actions.</li>
354 - <li>Schedule a periodic access-rights review.</li>
407 + <li>Only then decide what should be cleaned up, simplified or reviewed with the business owner.</li>
355 355   </ul>
356 356  
357 357   <h2 id="access-review-faq">XWiki access-rights review FAQ</h2>
... ... @@ -398,14 +398,19 @@
398 398   </p>
399 399   </details>
400 400  
401 - <div class="resource-note">
402 - <p>
403 - Related resources:
404 - <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>,
405 - <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>
406 - and
407 - <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">why regular XWiki upgrades matter</a>.
408 - </p>
454 + <div class="resource-note related-resources">
455 + <p><strong>Related resources:</strong></p>
456 + <ul>
457 + <li>
458 + <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">Why XWiki access rights need a clear governance model</a>
459 + </li>
460 + <li>
461 + <a href="$xwiki.getURL('resources.xwiki-security-review')">What an XWiki security review should actually include</a>
462 + </li>
463 + <li>
464 + <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">Why regular XWiki upgrades matter</a>
465 + </li>
466 + </ul>
409 409   </div>
410 410  
411 411   <div class="resource-cta">