Content permissions REST API

daria · August 1, 2025, 11:40am

Hi,

Can someone explain the principle behind com.atlassian.confluence.api.model.permissions.OperationKeys in the context of content permissions in the official Confluence REST API?
Reference: Confluence REST API – Content Restrictions

The updateRestrictions method gives the impression that it sets restrictions on a page. When I use it and set “read” as the value for the operation key (among many possible values), both view and edit restrictions appear on the page. However, I can’t manage to apply a simple view restriction via REST in the same way as I can in the UI.

When restrictions are applied through the web UI, the com.atlassian.confluence.pages.actions.SetPagePermissionsAction class is triggered. This class uses com.atlassian.confluence.security.ContentPermission, and not OperationKeys. Are these two different permission models?

Also, why does OperationKeys include many other operations like move, copy, purge, etc., which are not configurable through the UI?

Most importantly:
How can I apply a simple view restriction for a user on a page using the REST API?

Thanks in advance,
Daria

daria · August 1, 2025, 12:40pm

I will give myself an answer:

ContentPermission is the internal permission model used throughout the Confluence UI and backend. It directly maps to user/group permissions like view and edit on content (pages, blog posts).
OperationKeys is part of the newer REST API model, and allows for fine-grained permission control using a broader set of operations — many of which aren’t exposed in the UI (e.g. move, copy, purge).
The UI is not reflecting the “read” restriction (seems to be bug) that is set over REST, but only after you set it in the UI