Using Secrets with page permissions for granular control
Security and Encryption can securely store sensitive information in its Secret macros. But in certain cases. you may not want to reveal the presence of Secrets.
For example, your company may running a sensitive project where you do not want the project's team members to know who else is also working on the project (this may be for security or operational purposes). At the same time, there are shared resources which every team member needs to access.
In such a case, the mere presence of a Secret, or the title of the Secret alone could reveal information, such as the user's name. For example, "John's credentials".
Let's look at this scenario in more detail.
Your company has started a sensitive project called "Project Nebula" and it has five team members - John, Elaine, Daiyu, Omar and Pradeep. You need to create one landing page which contains all the credentials for the project. Security and Encryption would be the obvious choice for storing credentials, but there are additional considerations:
John and Elaine are working solo so they do not need to know about the presence of anyone else on the project. Daiyu, Omar and Pradeep are part of a sub-task team within the project, so it is OK for them to see each others' names.
Everyone on this team also needs to access shared resources, which in this example is "Multimedia Server".
By using Secrets and Confluence's Children Display macro, along with Confluence's page restrictions, you can create a landing page which selectively reveals limited information, depending on which user or group is viewing it:
Admin's view (creator) | Sub-task team's view |
|---|---|
Admin's view | Sub-task team's view |
 |  |
John's view | Elaine's view |
|---|---|
 |  |
Ingredients
Apps | Security and Encryption for Confluence Cloud |
|---|---|
Macros | Secret |
Guide
Prerequisites
A Confluence Cloud plan which supports page restrictions (Standard plan or better).
Note that the Confluence Cloud Free plan does not support page restrictions.You must be a Confluence administrator.
Add the users Daiyu, Omar and Pradeep to a group for easier configuration. For this example, we'll add them to the group "nebula-task-team".
Create a project landing page for all the credentials and provide a suitable title. In the project landing page, under the "Shared Resources" section, insert a Secret to store the Multimedia Server credentials.
In the Insert Secret Macro popup, enter a Title and a Secret. Click on the Access tab, and add the users and user groups who can access the Secret. For this example, we're adding John, Elaine, and the nebula-task-team group because everyone needs to access this Secret.
Click Insert to continue.Below the Shared resources section, add a Credentials section and a Children Display macro. We're using this macro because it will only display links to pages which a user has permission to view.
Save the project landing page. Within the landing page hierarchy, create credentials pages for each team member.
Create and publish the credentials for each user by inserting a Secret macro into each page. Remember to add the appropriate user under the Access tab.
Now use Confluence page restrictions to limit access to the pages. Click on the padlock icon to set them.
The project landing page should viewable by all five team members. In this example, the restrictions are set to Only specific people can view or edit, and Elaine, John and the nebula-task-team group have been granted Can view access. Click Apply to continue.
Members of the sub-task team should be able to view each other's pages. So for Daiyu, Omar and Pradeep's pages, we'll allow the group "nebula-task-team" to view. Click Apply to continue.
John and Elaine's pages should only be viewable by them alone. Click Apply to continue.
NOTE
The Confluence Cloud Free plan does not support page restrictions.
With the page restrictions set, each user will only see the information that is required to do their jobs, as shown in the example screenshots at the top of the page.
Notes
Not applicable.
Result
Not applicable.