Access Rights

Version 2.1 by Guillaume Lerouge on 2009/02/24

This page explains how access rights work in XWiki. It will help you configure access rights on your wiki so that each user can see and do only what they are allowed to.

An overview of rights

Here is a list of all the rights available in XWiki and their default settings.

  • Right name: brief description of the right
    • Availability: where you can set this right
      • Page: this right can be set at the page level
      • Space: this right can be set at the space level
      • Wiki: this right can be set at the wiki level
    • Default status: whether the right is allowed or denied when the checkbox is left blank
      • ALLOWED: this means that users CAN perform the given action if no other right is set
      • DENIED: this means that users CANNOT perform the given action if no other right is set
    • Priority order: which setting wins over another
  • View: whether users can see the page
    • Availability: this right is available at the page, space and wiki level
    • Default status: ALLOWED
    • Priority order: deny > allow > no setting
  • Comment: whether users can add a comment to the page
    • Availability: this right is available at the page, space and wiki level
    • Default status: ALLOWED
    • Priority order: deny > allow > no setting
  • Edit: whether users can edit and save modifications to the page
    • Availability: this right is available at the page, space and wiki level
    • Default status: ALLOWED
    • Priority order: deny > allow > no setting
  • Delete: whether users can delete the page
    • Availability: this right is available at the page, space and wiki level
    • Default status: DENIED (unless you're the document creator)
    • Priority order: deny > allow > no setting
  • Admin: whether users can manage administration settings for the space / wiki
    • Availability: this right is available at the space and wiki level
    • Default status: ALLOWED
    • Priority order: allow > deny > no setting
  • Register: whether users can create new user accounts
    • Availability: this right is available at the wiki level
    • Default status: ALLOWED
    • Priority order: allow > deny > no setting
  • Program: whether users can use protected APIs & Groovy code in wiki pages
    • Availability: this right is available at the wiki level
    • Default status: DENIED
    • Priority order: allow > deny > no setting

Access Rights execution order

In XWiki, the check for access rights follows this path:

First, the wiki finds out which groups the current user belongs to.

Let's say Mike belongs to the following groups: Sales, Marketing and Management.

Mike tries to view a page.

XWiki will:

  • Check for admin rights at the wiki level
    • Mike and/or one of his groups has an Allow right -> Mike has admin rights on the page
    • Mike and/or one of his groups has a Deny right -> Mike doesn't have admin rights on the page
    • Mike and/or the Sales group have a Deny right but the Management group has an Allow right -> Mike has admin rights on the page (Allow wins over Deny for Admin)
    • No right set for Mike or his groups and no Admin right set for any other user or group -> Mike has admin rights on the page
    • No right set for Mike or his groups and other users or groups have admin rights allowed -> Mike doesn't have admin rights on the page
  • Check if Mike or one of the groups he belongs to has admin rights on the space

  • XWiki Enterprise
    • Admin rights on space? if no,
    • Admin rights on wiki? if no,
    • View / Comment / Edit / Delete rights on page? if no,
    • View / Comment / Edit / Delete rights on space? if no,
    • View / Comment / Edit / Delete / Register / Programming rights on wiki? if no,
    • The wiki can be accessed and managed by anyone
  • XWiki Enterprise Manager
    • Admin rights on space? if no,
    • Admin rights on wiki? if no,
    • Admin rights on wiki farm? if no,
    • View / Comment / Edit / Delete rights on page? if no,
    • View / Comment / Edit / Delete rights on space? if no,
    • View / Comment / Edit / Delete / Register rights on wiki? if no,
    • View / Comment / Edit / Delete / Register / Programming rights on wiki farm? if no,
    • The wiki farm can be accessed and managed by anyone

Warning

Setting user rights on a wiki farm can be tricky. Always remember that you can have both local users and global users. Rights for local users are independent of rights for global users.
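
The priority orders and the level-by-level check described above can be modelled in a few lines. This is an added example, not XWiki code: it evaluates one right at a time, reads "if no" as "no setting at this level, move to the next one", and does not model admin rights implying other rights. The function names and the Support group are hypothetical.

```python
# Simplified model of the rules listed on this page, not XWiki's own code.
# View/Comment/Edit/Delete: deny > allow. Admin/Register/Program: allow > deny.
DENY_WINS = {"view", "comment", "edit", "delete"}
DEFAULT = {"view": True, "comment": True, "edit": True, "delete": False,
           "admin": True, "register": True, "program": False}


def decide_at_level(right, subjects, entries):
    """Return True/False when this level decides, None when it has no setting.

    entries:  (subject, right, "allow" | "deny") tuples set at one level.
    subjects: the user name plus every group the user belongs to.
    """
    relevant = [(s, state) for s, r, state in entries if r == right]
    mine = {state for s, state in relevant if s in subjects}
    if mine:
        if right in DENY_WINS:
            return "deny" not in mine   # a single Deny beats any Allow
        return "allow" in mine          # a single Allow beats any Deny
    # Nothing set for the user or their groups. If somebody else was given
    # Allow, everyone without a setting is shut out. The page states this for
    # Admin; applying it to the other rights is an assumption of this example.
    if any(state == "allow" for _, state in relevant):
        return False
    return None


def has_right(right, user, groups, levels):
    """levels: entry lists in the order they are checked, e.g. [page, space, wiki]."""
    subjects = {user, *groups}
    for entries in levels:
        decision = decide_at_level(right, subjects, entries)
        if decision is not None:
            return decision
    return DEFAULT[right]               # checkbox left blank at every level


# Constructed sample data built around the page's example user.
MIKE_GROUPS = ["Sales", "Marketing", "Management"]
WIKI_ADMIN = [("Sales", "admin", "deny"), ("Management", "admin", "allow")]
PAGE_VIEW = [("Sales", "view", "deny"), ("Management", "view", "allow")]
OTHERS_ONLY = [("Support", "admin", "allow")]   # hypothetical group without Mike

if __name__ == "__main__":
    for right, levels in [("admin", [WIKI_ADMIN]), ("view", [PAGE_VIEW]),
                          ("admin", [OTHERS_ONLY]), ("delete", [[], [], []])]:
        print(right, has_right(right, "Mike", MIKE_GROUPS, levels))
```

The same Deny/Allow conflict gives opposite results for Admin and View, which is the case to check when auditing a wiki where a user sits in several groups.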
