Skip to Content
Version 2.8 by Agnease on 2026/06/08 18:08
Show last authors
1 {{velocity}}
2 #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 {{html clean="false"}}
4
5 <section class="resource-header" aria-labelledby="hero-title">
6 <div class="container">
7 <div class="text-center">
8 <div class="hero-kicker">
9 <i class="fa fa-search" aria-hidden="true"></i>
10 XWiki access-rights review
11 </div>
12 </div>
13
14 <h1 id="hero-title">How to start an XWiki access-rights review</h1>
15
16 <p class="resource-summary">
17 A practical first step for identifying local rights, old groups, sensitive permissions and unclear access exceptions
18 before they become a security or maintenance problem.
19 </p>
20 </div>
21 </section>
22
23 <section class="resource-page">
24 <div class="container">
25 <div class="resource-layout">
26
27 <aside class="resource-sidebar" aria-label="Page summary">
28 <h4>In this guide</h4>
29 <ul>
30 <li><a href="#why-review">Why review access rights</a></li>
31 <li><a href="#access-model">Start with the model</a></li>
32 <li><a href="#review-groups">Review groups</a></li>
33 <li><a href="#find-local-rights">Find local rights</a></li>
34 <li><a href="#sensitive-rights">Sensitive rights</a></li>
35 <li><a href="#document-findings">Document findings</a></li>
36 <li><a href="#review-checklist">Checklist</a></li>
37 <li><a href="#access-review-faq">FAQ</a></li>
38 </ul>
39 </aside>
40
41 <article class="resource-content">
42
43 <p>
44 Many XWiki permission issues are not visible from the homepage. Users can log in, pages can be edited,
45 search can work correctly, and the wiki may still contain access rules that nobody fully understands anymore.
46 </p>
47
48 <p>
49 This usually happens slowly. A team needs access, a page is restricted, a group is created, an exception is
50 added, an external user is invited, and after a few years the access model becomes difficult to explain.
51 </p>
52
53 <div class="resource-note">
54 <p>
55 <strong>In practice:</strong> an XWiki access-rights review should start by understanding the intended
56 access model, then checking groups, local page rights, inherited permissions, powerful rights, inactive users
57 and undocumented exceptions.
58 </p>
59 </div>
60
61 <p>
62 An XWiki access-rights review is a structured check of how users and groups receive permissions across the wiki.
63 It helps administrators understand who can access what, why access was granted, which permissions are inherited,
64 and where local exceptions may create risk or confusion.
65 </p>
66
67 <div class="resource-note">
68 <p>
69 <strong>The main point:</strong> the goal is not only to find permission problems. The goal is to make the
70 access model easier to explain, maintain and review over time.
71 </p>
72 </div>
73
74 <h2 id="why-review">Why an access-rights review matters</h2>
75
76 <p>
77 XWiki is often used for internal knowledge, project documentation, procedures, HR content, customer information,
78 technical documentation, controlled documents or business-critical workflows. When the content becomes important,
79 the access model becomes important too.
80 </p>
81
82 <p>
83 A permission setup can be technically valid and still be difficult to govern. For example, rights may be assigned
84 to individual users instead of groups, old project groups may still have access, or page-level exceptions may
85 override the expected inherited model.
86 </p>
87
88 <p>
89 For a broader view of security-related checks, see
90 <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>.
91 </p>
92
93 <h2 id="access-model">1. Start with the access model, not with the UI</h2>
94
95 <p>
96 Before changing permissions, clarify what the wiki should look like from an access perspective. Otherwise,
97 the review becomes a list of isolated technical checks without a clear target.
98 </p>
99
100 <p>
101 A simple model is often enough. Separate the wiki into clear areas such as open internal knowledge,
102 team spaces, restricted projects, confidential documents, technical administration pages and external
103 collaboration areas.
104 </p>
105
106 <table class="table table-bordered table-striped">
107 <thead>
108 <tr>
109 <th>Area type</th>
110 <th>Typical access</th>
111 <th>Review question</th>
112 </tr>
113 </thead>
114 <tbody>
115 <tr>
116 <td>Open internal knowledge</td>
117 <td>Most authenticated users can view, selected users can edit</td>
118 <td>Is this content really safe for broad internal access?</td>
119 </tr>
120 <tr>
121 <td>Team or project spaces</td>
122 <td>Team members can edit, others may only view</td>
123 <td>Are the groups still aligned with the current team?</td>
124 </tr>
125 <tr>
126 <td>Restricted projects</td>
127 <td>Only selected groups can view or edit</td>
128 <td>Is access granted through groups or individual users?</td>
129 </tr>
130 <tr>
131 <td>Confidential documents</td>
132 <td>Small controlled group</td>
133 <td>Who owns the restriction and when was it last reviewed?</td>
134 </tr>
135 <tr>
136 <td>Technical administration pages</td>
137 <td>Trusted administrators only</td>
138 <td>Are admin, script and programming rights limited?</td>
139 </tr>
140 </tbody>
141 </table>
142
143 <h2 id="review-groups">2. Review groups before reviewing pages</h2>
144
145 <p>
146 In most XWiki instances, groups should be the foundation of the permission model. Rights assigned directly to
147 individual users are harder to maintain because people change roles, leave the organization or move between teams.
148 </p>
149
150 <p>
151 Start by reviewing which groups exist, what they are used for and whether their members still match the intended
152 access model.
153 </p>
154
155 <table class="table table-bordered table-striped">
156 <thead>
157 <tr>
158 <th>Group review item</th>
159 <th>What to check</th>
160 <th>Possible action</th>
161 </tr>
162 </thead>
163 <tbody>
164 <tr>
165 <td>Old project groups</td>
166 <td>Groups created for projects that ended</td>
167 <td>Remove access, archive the group or document why it remains active</td>
168 </tr>
169 <tr>
170 <td>Inactive users</td>
171 <td>Users who no longer need access</td>
172 <td>Remove from groups or deactivate accounts according to policy</td>
173 </tr>
174 <tr>
175 <td>Unclear group names</td>
176 <td>Groups whose purpose is not obvious</td>
177 <td>Rename, document or consolidate</td>
178 </tr>
179 <tr>
180 <td>Overloaded groups</td>
181 <td>Groups used for too many unrelated areas</td>
182 <td>Split into clearer role-based or area-based groups</td>
183 </tr>
184 <tr>
185 <td>Admin groups</td>
186 <td>Groups with powerful rights</td>
187 <td>Review membership separately and keep it limited</td>
188 </tr>
189 </tbody>
190 </table>
191
192 <h2 id="find-local-rights">3. Identify pages with local access rights</h2>
193
194 <p>
195 Local page-level rights are often where surprises appear. They are useful when a page or page hierarchy needs
196 special access rules, but they can become difficult to manage when they are added repeatedly without documentation.
197 </p>
198
199 <p>
200 The following Velocity snippet can help you start the review by listing pages that contain local
201 <code>XWiki.XWikiRights</code> objects. It is not a complete audit, but it gives you a practical first list of
202 places where local rights may exist.
203 </p>
204 {{/html}}
205 {{/velocity}}
206
207 {{code}}
208 #set ($query = "from doc.object(XWiki.XWikiRights) rights order by doc.fullName asc")
209 #set ($pages = $services.query.xwql($query).execute())
210
211 #if ($pages.isEmpty())
212 No pages with local XWiki rights were found.
213 #else
214 |= Page |= Local rights found
215 #foreach ($page in $pages)
216 | [[$page]] | yes
217 #end
218 #end
219 {{/code}}
220
221 {{velocity}}
222 {{html clean="false"}}
223 <p>
224 Use the result as a starting point. Each page should be reviewed in context: why local rights were added, which
225 users or groups are affected, whether rights apply only to that page or to a hierarchy, and whether the exception
226 is still needed.
227 </p>
228
229 <div class="resource-note">
230 <p>
231 <strong>Important:</strong> a list of pages with local rights does not tell the full story. You still need to
232 interpret inherited permissions, groups, explicit allow or deny rules, wiki-level rights and sensitive rights
233 such as admin, script or programming.
234 </p>
235 </div>
236
237 <div class="resource-inline-cta">
238 <p>
239 <strong>Not sure where local rights are hidden?</strong>
240 A focused access-rights review can help identify local exceptions, inherited permissions, old groups and
241 sensitive rights that should be cleaned up or documented.
242 </p>
243 <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request an access review</a>
244 </div>
245
246 <h2 id="sensitive-rights">4. Pay special attention to sensitive rights</h2>
247
248 <p>
249 Not all rights have the same impact. View, comment and edit rights affect content collaboration. Administration,
250 script and programming rights can have a broader technical and security impact and should be reviewed separately.
251 </p>
252
253 <p>
254 A user with powerful rights may be able to change configuration, execute advanced scripts, affect other users or
255 influence how content is rendered. These rights should be granted intentionally, limited to trusted users and
256 documented as part of the administration model.
257 </p>
258
259 <table class="table table-bordered table-striped">
260 <thead>
261 <tr>
262 <th>Right type</th>
263 <th>Why it matters</th>
264 <th>Review approach</th>
265 </tr>
266 </thead>
267 <tbody>
268 <tr>
269 <td>Admin</td>
270 <td>Can control important wiki configuration and rights</td>
271 <td>Keep limited and review membership regularly</td>
272 </tr>
273 <tr>
274 <td>Script</td>
275 <td>Can allow advanced scripting behavior depending on context</td>
276 <td>Grant only to users who understand the technical impact</td>
277 </tr>
278 <tr>
279 <td>Programming</td>
280 <td>Can be highly sensitive and should be reserved for trusted technical administrators</td>
281 <td>Review separately from normal editing permissions</td>
282 </tr>
283 <tr>
284 <td>Edit</td>
285 <td>Allows content changes and may affect business processes</td>
286 <td>Assign through groups and validate restricted areas</td>
287 </tr>
288 <tr>
289 <td>View</td>
290 <td>Controls access to content and confidential information</td>
291 <td>Review public, internal and restricted areas carefully</td>
292 </tr>
293 </tbody>
294 </table>
295
296 <h2 id="document-findings">5. Document the findings</h2>
297
298 <p>
299 An access-rights review should not end with a few manual changes. The result should be documented so that the
300 next administrator understands what was found, what was changed and what still needs attention.
301 </p>
302
303 <p>
304 A simple review register can be enough. The goal is to record the affected area, the current access model, the
305 risk, the owner and the recommended action.
306 </p>
307
308 <table class="table table-bordered table-striped">
309 <thead>
310 <tr>
311 <th>Area or page</th>
312 <th>Current access</th>
313 <th>Risk or concern</th>
314 <th>Recommended action</th>
315 <th>Owner</th>
316 <th>Review date</th>
317 </tr>
318 </thead>
319 <tbody>
320 <tr>
321 <td>Example.ProjectSpace</td>
322 <td>Old project group can still view</td>
323 <td>Project ended, access may no longer be needed</td>
324 <td>Confirm owner and remove group if obsolete</td>
325 <td>Project owner</td>
326 <td>YYYY-MM-DD</td>
327 </tr>
328 <tr>
329 <td>Example.ConfidentialDocs</td>
330 <td>Individual users have direct rights</td>
331 <td>Difficult to maintain when roles change</td>
332 <td>Move access to a dedicated group</td>
333 <td>Content owner</td>
334 <td>YYYY-MM-DD</td>
335 </tr>
336 </tbody>
337 </table>
338
339 <h2 id="review-checklist">XWiki access-rights review checklist</h2>
340
341 <p>
342 A practical review should combine technical checks with governance questions. The following checklist can be
343 used as a starting point before changing permissions in production.
344 </p>
345
346 <ul class="resource-checklist">
347 <li>Identify public, internal, restricted and administrative areas.</li>
348 <li>List active groups and clarify what each group is used for.</li>
349 <li>Review old groups, inactive users and temporary access.</li>
350 <li>Identify pages with local XWiki rights objects.</li>
351 <li>Review page-level exceptions and inherited permissions.</li>
352 <li>Check whether rights are assigned to groups rather than individual users.</li>
353 <li>Review admin, script and programming rights separately.</li>
354 <li>Check authentication and group synchronization if LDAP, SSO, OIDC or SAML is used.</li>
355 <li>Document findings, owners, risks and recommended actions.</li>
356 <li>Schedule a periodic access-rights review.</li>
357 </ul>
358
359 <h2 id="access-review-faq">XWiki access-rights review FAQ</h2>
360
361 <details class="resource-faq-item" open>
362 <summary>Is listing pages with local rights enough for an access audit?</summary>
363 <p>
364 No. It is only a starting point. A complete review should also consider inherited permissions, group
365 membership, wiki-level rights, explicit allow or deny rules, sensitive rights and the business reason behind
366 each restricted area.
367 </p>
368 </details>
369
370 <details class="resource-faq-item">
371 <summary>Should XWiki rights be assigned directly to users?</summary>
372 <p>
373 In most cases, rights should be assigned through groups. Direct user rights can be useful in rare situations,
374 but they are harder to maintain and should be reviewed carefully.
375 </p>
376 </details>
377
378 <details class="resource-faq-item">
379 <summary>What is the most common access-rights problem in XWiki?</summary>
380 <p>
381 A common issue is the accumulation of undocumented exceptions: old groups, page-level rights, inherited
382 permissions and direct user rights that were correct at the time but are no longer clearly understood.
383 </p>
384 </details>
385
386 <details class="resource-faq-item">
387 <summary>Should access rights be reviewed before an XWiki upgrade?</summary>
388 <p>
389 Yes. Upgrades are a good moment to review permissions, especially for business-critical instances. The review
390 can reveal old groups, sensitive rights, custom scripts and restricted areas that should be validated during
391 the upgrade process.
392 </p>
393 </details>
394
395 <details class="resource-faq-item">
396 <summary>Does SSO replace an access-rights review?</summary>
397 <p>
398 No. SSO helps authenticate users, but XWiki authorization still depends on groups, rights, inheritance and
399 page-level exceptions. Authentication and access control should be reviewed together.
400 </p>
401 </details>
402
403 <div class="resource-note">
404 <p>
405 Related resources:
406 <a href="$xwiki.getURL('resources.xwiki-access-rights-governance')">why XWiki access rights need a clear governance model</a>,
407 <a href="$xwiki.getURL('resources.xwiki-security-review')">what an XWiki security review should actually include</a>
408 and
409 <a href="$xwiki.getURL('resources.why-upgrade-xwiki')">why regular XWiki upgrades matter</a>.
410 </p>
411 </div>
412
413 <div class="resource-cta">
414 <h3>Need help reviewing XWiki access rights?</h3>
415 <p>
416 If your XWiki instance has grown over time, uses many groups, contains restricted areas or depends on LDAP,
417 SSO, OIDC or SAML, an access-rights review can help identify unclear permissions and define a safer model.
418 </p>
419 <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request an access-rights review</a>
420 </div>
421
422 </article>
423 </div>
424 </div>
425 </section>
426
427 <script type="application/ld+json">
428 {
429 "@context": "https://schema.org",
430 "@type": "FAQPage",
431 "mainEntity": [
432 {
433 "@type": "Question",
434 "name": "Is listing pages with local rights enough for an access audit?",
435 "acceptedAnswer": {
436 "@type": "Answer",
437 "text": "No. It is only a starting point. A complete review should also consider inherited permissions, group membership, wiki-level rights, explicit allow or deny rules, sensitive rights and the business reason behind each restricted area."
438 }
439 },
440 {
441 "@type": "Question",
442 "name": "Should XWiki rights be assigned directly to users?",
443 "acceptedAnswer": {
444 "@type": "Answer",
445 "text": "In most cases, rights should be assigned through groups. Direct user rights can be useful in rare situations, but they are harder to maintain and should be reviewed carefully."
446 }
447 },
448 {
449 "@type": "Question",
450 "name": "What is the most common access-rights problem in XWiki?",
451 "acceptedAnswer": {
452 "@type": "Answer",
453 "text": "A common issue is the accumulation of undocumented exceptions: old groups, page-level rights, inherited permissions and direct user rights that were correct at the time but are no longer clearly understood."
454 }
455 },
456 {
457 "@type": "Question",
458 "name": "Should access rights be reviewed before an XWiki upgrade?",
459 "acceptedAnswer": {
460 "@type": "Answer",
461 "text": "Yes. Upgrades are a good moment to review permissions, especially for business-critical instances. The review can reveal old groups, sensitive rights, custom scripts and restricted areas that should be validated during the upgrade process."
462 }
463 },
464 {
465 "@type": "Question",
466 "name": "Does SSO replace an access-rights review?",
467 "acceptedAnswer": {
468 "@type": "Answer",
469 "text": "No. SSO helps authenticate users, but XWiki authorization still depends on groups, rights, inheritance and page-level exceptions. Authentication and access control should be reviewed together."
470 }
471 }
472 ]
473 }
474 </script>
475
476 {{/html}}
477 {{/velocity}}