Allow Confluence Space Admins to recover permissions to Secure Macro

The Owner of a Secure Macro may have forgotten to add a user, may have left the company, or may just not be responding to requests for access. Ideally a Space Admin would be able to step in to recover access so that they could grant others access.

We could add a new screen at the Space Admin level to list the Macro, the page the macro is on, Users, and Groups, and a button to "Recover Access". This would add the requester to the macro's "Users" and allow them to add further users. This action should be logged in the Macro's audit logs.

  • Jesse Miller
  • Dec 18 2015
  • Shipped
  • Jun 7, 2016

    Admin response

    We have recently delivered part of this feature by making it easier for Confluence administrators and System administrators to recover access. They are now able to authenticate against any Secure Macro. There's also a helpful hint presented to them when visiting any Secure Macro.

    We did not pursue allowing space admins to recover because:

    1. It opens up higher risk if a space admin account is compromised, as opposed to Confluence admins (we already know Confluence administrators can log in as a normal user and therefore decrypt as the user).

    2. Instead of implementing the rest of the features now, we want to learn if this would solve 80% of the problem.

    Story: https://tools.servicerocket.com/browse/SECENC-698

  • Matt Doar commented
    December 18, 2015 22:14

    This use case seems like it will be a fairly common case for all users of this macro.

    Jesse also had the idea that the whole add-on could be default enabled to allow space admins to recover access to secure macro data, but that this could be disabled if a user wanted to be able to add secure information to Confluence that not even Confluence admins could view.

  • Matt Doar commented
    December 18, 2015 21:58

    Or we could have a button on the macro itself, only shown to Space Admins, that says "Recover Access".

    The button would add that space admin to the Users input for just that macro, and record the change in the audit log. The space admin user would then be able to add other users and groups to the macro.