In order to have a safe, traceable and manageable Quality Management System in Confluence we need to first take care of our user management. Controlled actions performed by the right people is the cornerstone of developing a safe product.
Let’s first review a few definitions, we will then describe the goal of Quality Management System control and finally we’ll look at how this control could be achieved in Confluence.
Understanding how Confluence users can be guided and/or restricted we need to know a few basic terms:
- User – A Confluence user is a person who can read or update a Confluence site.
- Usergroup – A set of people who have similar interests, goals, or concerns.
- Page – page is an online document that can store text, tables, pictures, etc. Pages can be created and updated as needed.
- Space – A collection of pages in Confluence.
- Permission – the action of officially allowing someone to do a particular thing e.g. permission to edit Confluence page allows user to change content.
A controlled Quality Management System is such where a few users can change the QMS documents and the rest of the users can use the already approved documents. For example, we have a Quality Manager and other employees in the Quality Department who own the QMS documents (update the QMS templates, approve and publish new versions). In addition to that, we have a whole set of users who are actively using the approved QMS templates and SOP-s. In other words, we have two distinct groups of users with different responsibilities and user needs – in the context of Confluence permissions we have two separate groups with different set of permissions. The Quality team must have permission to work with the content and everyone else just views and uses it. We will describe how to set these permissions without implementing fully automated document workflows but by using Confluence’s own features and setting your in-house processes for approving drafts, publishing content, etc.
To achieve this, we need to agree that in most cases the QMS document changes are updates are not just made one-time by one person only. Typically, there are several draft versions, reviewed by different people, until the final agreed version of this document is ready to be published. In Confluence this means hiding the work-in-progress versions (drafts) from others in the company. Since every minor update of a page creates a new version of that page, it is wise to keep work-in-progress pages in a separate space. Once the Quality team is ready to publish the work-in-progress page, they can “push” the new version to be seen as a draft to everyone in the company.
Following the steps described above, we now have two different interest groups and two different spaces in Confluence – we must now define and review the permissions, so that the right people have all the necessary permissions. Let’s start by naming the usergroups and spaces we work with before going into the space settings to define permissions.
First, in Confluence user management we need to create 2 usergroups. Let’s call them:
- Quality team,
- Product team.
First usergroup, “Quality team”, should consist only of people who have the right to work with the QMS documents. Second usergroup, “Product team”, consists of all the employees who should have access to the approved QMS documents.
In Confluence we should now also have two spaces: ”QMS WIP” (work in progress) and “Approved QMS”.
Each space in Confluence has a separate set of permissions. Just open Space tools -> Permissions and you will see a page where you can define permissions for user groups, individuals and for anonymous access. We now need to define correct permissions for our usergroups and remove everything else that can potentially be a threat to our security.
“QMS WIP” space should have these following permissions:
In the screenshot above we can see that only the Confluence administrators can administer this space i.e. nobody else can change permissions so we can be sure that this configuration is managed by the most Confluence-savvy people in our company. They also have the “View All” permission. This means that they have access to the Space (read-only access) and thereby can access the Space administration.
The Quality team can’t change permissions, but can work with all of the content. They can do everything besides administration of the space i.e. they can create, edit, delete new documents, comments, posts, etc. Note that nobody else has been given any permissions to this space.
In this space, the Quality team can keep the content that they are working with. They can gradually change documents and when something is ready, they can review and copy the page to the other Confluence space we have called: “QMS” (Approved).
QMS Approved space permissions should be set as follows:
The difference with the QMS WIP space is that now the usergroup “Product team” also has read-only access to the documents. Quality team can still create and update those documents, but the Product team can see all of the content. The content in this QMS space doesn’t have as many page versions as in the QMS WIP space. When a new template or SOP is consensually agreed upon by the Quality team, then someone from that team will copy the page to the QMS Approved space.
Taking control of your QMS documents is not complex at all. Note that there are some other permissions that can provide additional value to the Product team – like “Pages Add” permission. If you choose to use that, they can start using Copy page feature as well. This would allow everyone in the Product team to select correct templates and copy them into their own Confluence spaces. The potential downside of this is that they can then also change the content, i.e. the content isn’t protected anymore. The workaround for that would be to keep the QMS space as read-only and copy the content of templates to Global Confluence Templates space that can be used by all to create/clone the content.
Another feature of Confluence that can help fine-tune permissions are page restrictions. We will describe these in greater detail in our next blog post. You can also read more about this from here.