We would like to use XWiki in our company and I’m looking for advice on how to configure permissions correctly.
Our goal is to allow non-admin users to create pages and content, but only inside specific spaces / subwikis. At the same time, we want to prevent them from accessing the global menus, such as:
User Directory
Document Index / Document Tree
Applications
and the applications listed under that menu
In other words, regular users should only see and work inside their allowed spaces, and they should not have access to the global navigation items that expose the whole wiki.
What is the recommended way to restrict access to these menus and directories?
Should we use rights on the XWiki.XWikiUsers, Main.WebHome, and XWiki.ApplicationsPanel pages, or is there a cleaner approach (e.g., hiding panels, changing the UI, or adjusting wiki-level rights)?
Any guidance or best practices would be appreciated. Thank you!
There have to be some basic view rights to have a “working” wiki. We set those rights to a group called MinimalReadGroup and all users are members of this group.
In admin/XWiki/XWikiPreferences?editor=globaladmin&section=panels.navigation we have some root spaces hidden like:
XWiki
Menu
Sandbox
Main
Macros
JobMacro
RTFrontend
But it’s just styling. Every user knowing the path can put it in the browser’s address bar. We see no problem with seeing the whole document tree (except for some very special spaces that we exclusively allow a dedicated group to view). The user directory isn’t our problem either, as we have a kind of “phonebook” in the intranet anyway.
For your use case, the simplest approach is to place users with restricted permissions into groups that do not have any global rights assigned (Administration → Rights). You can then explicitly grant the necessary permissions (view, edit, comment, etc.) only to the groups that should have global access, such as XWiki.XWikiAdmin or any other admin-level groups.
After that, assign the specific rights needed in the spaces that should remain accessible to those restricted users. Everything else in the wiki will remain inaccessible to them as long as they lack global rights and do not have explicit permissions on other spaces.
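To make the effect of that configuration concrete, here is an added example (not XWiki’s code and not part of this thread) that models the resolution of view rights described above: global rights held only by the admin group, one space granting view/edit to a restricted group, and everything else inherited from the wiki level. The group and space names are constructed, and the resolution rules are a simplified model of XWiki’s behaviour, not its implementation.

```python
from dataclasses import dataclass, field

# Constructed example, not XWiki's code. Right objects are dicts mimicking the
# XWiki.XWikiGlobalRights / XWiki.XWikiRights fields (levels, groups, users, allow).
# Simplified model: the most specific level that defines a right decides; there a
# matching deny wins, a matching allow grants, anyone not named is implicitly denied;
# a level with no rule for the right defers to its parent; wiki-level admin implies
# every right; if no level defines the right at all, access is allowed (open default).

@dataclass
class Principal:
    name: str                      # e.g. "XWiki.alice"
    groups: set = field(default_factory=set)

def _matches(principal, rule):
    return (principal.name in rule["users"].split(",")
            or bool(principal.groups & set(rule["groups"].split(","))))

def decide_at_level(principal, right, objects):
    """Verdict for one level: True/False if the right is defined here, else None."""
    rules = [o for o in objects if right in o["levels"].split(",")]
    if not rules:
        return None
    if any(_matches(principal, r) for r in rules if not r["allow"]):
        return False
    if any(_matches(principal, r) for r in rules if r["allow"]):
        return True
    return False                   # granted only to others -> implicit deny

def has_access(principal, right, wiki_rights, space_rights, page_rights=()):
    if decide_at_level(principal, "admin", wiki_rights):
        return True                # wiki admin implies all rights everywhere
    for level in (page_rights, space_rights, wiki_rights):
        verdict = decide_at_level(principal, right, level)
        if verdict is not None:
            return verdict
    return True

# Constructed configuration following the second reply: global rights only for the
# admin group, an explicit view/edit grant for the restricted group in one space.
WIKI_RIGHTS = [{"levels": "view,edit,comment,admin",
                "groups": "XWiki.XWikiAdminGroup", "users": "", "allow": 1}]
SPACE_RIGHTS = {
    "Projects": [{"levels": "view,edit", "groups": "XWiki.ProjectUsers",
                  "users": "", "allow": 1}],
    "Main": [], "XWiki": [],       # no space-level rules: inherit wiki level
}

def can_view(principal, space):
    return has_access(principal, "view", WIKI_RIGHTS, SPACE_RIGHTS.get(space, []))
```

With this configuration a member of XWiki.ProjectUsers can view Projects but not Main or XWiki (where XWiki.XWikiUsers lives), while a member of the admin group can view everything.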