Apply Confluence access restrictions

Confluence integrations support synchronising both content and its original access restrictions. This ensures that users querying the knowledge base only receive information that they are authorised to view in Confluence.

This feature is available for both Confluence Server and Confluence Cloud.

Important

Access restrictions apply only to API requests (retrieval and response generation). In the UI, any user can access any source.

Enable and configure

To enable access restriction synchronisation, create the integration only via the API. This setting is unavailable in the web interface.

In the POST /integrations request body, specify the following parameters:

• enableAccessRightsSync: true,
• token: Confluence administrator’s token. Administrator rights are required to fetch user group information.

Example: Create an integration

{
  "name": "Confluence with access rights",
  "settings": {
    "type": "confluence",
    "baseUrl": "https://confluence.your-company.com",
    "token": "admin-token",
    "space": "MAIN",
    "enableAccessRightsSync": true
  }
}

danger

If you edit and save the integration in the web interface after creating it via the API, the enableAccessRightsSync parameter will automatically reset to false, disabling access restrictions synchronisation.

How it works

When synchronising, Tovie Data Agent converts Confluence access restrictions into internal access groups:

• If access is granted to a user group, the source is assigned the attribute group-<groupName>.
• If access is granted to an individual user, the source is assigned the attribute user-<userId>.

Attachments and child pages automatically inherit the restrictions of their parent page. The data is refreshed at each synchronisation.

Querying with access restrictions

To include Confluence restrictions in your request, include an accessSettings object with user data. This parameter is supported by all requests that retrieve chunks or generate responses:

• POST /retrieve
• POST /query
• POST /async/query
• POST /chat/{chatId}/retrieve
• POST /chat/{chatId}/query
• POST /async/chat/{chatId}/query

Tovie Data Agent will provide data from the Confluence documents available to the specified user, along with public sources.

Request example:

curl \
--header 'Authorization: Bearer <your_API_key>' \
--header 'Content-Type: application/json' \
--data '{
    "query": "vacation policy",
    "accessSettings": {
        "integrationId": 12345,
        "externalUserId": "ff10100bcde200ab"
    }
}' \
https://data-agent.tovie.ai/api/knowledge-hub/query

The response will be based on the following sources:

1. Confluence pages that the user can personally access (the user-ff10100bcde200ab access group).
2. Confluence pages accessible to any group the user belongs to (e.g. group-department_hr).
3. Public knowledge base sources (not assigned to any access group).

info

The request can include both Confluence user data and a list of access groups in the accessControlAttributes parameter. In this case, the user will also gain access to sources assigned to the specified access groups, in addition to those allowed via Confluence. For more details, see the Access groups article.

A full list of endpoints and parameters is available in the API specification.