Why am I a part of this confluence?

Dear Nic

I see several security flaws in this. First of, I do not know the owners (admin). I have no way to track him/ her down. Second of, by allowing random people to join your Confluence is a big security risk. As an example, the Chinesse DCoin Confluence which I was a part of showed a lot of confidential informations like their GitHub and GitLab account, their keys, usernames and password to their websites and Bitcoins and so on.

I think it would be best, if Atlassian tried to fix this and label it as a bug instead of asking it's members to "ask the owners (admins) of the Confluence's to remove you".

Furthermore, if you have any other suggestions on how to remove myself and even more important, how to make sure that other random people will not join my confluence, than I will be happy to hear.

There's no security flaws here.

Your admins are in control of who has access, it is their job to do that.  How is that a security flaw?

Dear Nic

Let me try and tell you how me having automatically access to multiple different Confluences the second I created this account, without me even having to contact any admins for an invite is a security flaw.

The day I created this account I was automatically embedded into different Confluences without the Admins knowledge nor my own. That is a security flaw in itself. Some of the Confluences I am randomly a part of posts confidential information, please refer back to my previous message

Second thing. I have no contact with any of the admins, nor do they have any contact with me. I can not see who the admin is nor do I have any contact information with any of them. You simply stating "ask the owners (admins) of the Confluence's to remove you" is simply not possible, nor do I want to go through all of my Confluences to manually locate an admin, if I even can, to remove myself. It should be a standard thing to not randomly make your customers a part of random Confluences.

Third thing. For my own sake (and my employees) I sincerely hope that random outsiders can not join my Confluence without any explicit invitation, which I have little faith in considering what I am just experiencing. Since there exist no function to manually leave Confluences and since it is that easy to gain access to other Confluences which can store confidential information. Please, look at the attached screenshot "Capture.PNG" to see why I call this a "security flaw".

Can you now see the security flaw, Nic? Can you see, how I, as an outsider, have access to a random Confluences and now have their password, usernames etc. for different platforms? If you can not see the security risk in this, than I have little faith in your product. Please review this post and all the information I have provided. Have a great day Nic.

No, there's no security flaw - your admins have chosen to let you have access.

I don't understand why you think this is a security flaw - someone has actively chosen to grant you access to something that they think they want you to have access.  The only security risk is when they've chosen the wrong person to let in.

Nic, I will try to formulate myself one more time since it seems we keep going in circles. The email I used to create my Atlassian account I have JUST CREATED, and about 30 mins later I decided to create an Atlassian account and try out Confluence as a service and immediately I am a part of multiple Confluences. I have talked with my own IT department, we all agree this is one big security mess. No one have gotten my email address or any other information to be able to invite me to their Confluences. No Admins have chosen to actively let me in. This smells more like an internal error in Atlassian (Confluence) that perhaps everyone with a special domain in their email is automatically linked together. Please take this issue up with your own support department and let me know if this perhaps could be the case.

I can not help with a problem if I do not know what it is.

Why do you think the people in charge of a system being able to grant your account access to their system is a security issue?  Or even a problem?

My support people (both internally and with customers) only see this as a problem with administration teams not fully understanding who should be added into systems. 

As an example, my employer (The Adaptavist Group) automatically grants read access to hundreds of systems to all new employees.  We have a very open structure and problems talking across the siloes that have evolved as we grow.  We have  mostly moved from a small number of large monolithic systems to a large number of small specialised systems, but we add everyone to most of our systems simply because we don't have the time or energy to micro-manage who gets access to things, and we want to make it easier to share without having to muck about with access rights.  

We do have a number of systems with sensitive data of course,  but the administrators of those all know to check whether a new person should have access and at what level.

If you don't need further access to a system, then it's simple - you won't ask for it.

There is one thing in your comment that I have to pull up on - "No Admins have chosen to actively let me in".  That is wrong.  An admin has chosen to let you in.  But there are (broadly) three ways to do it, and it probably hinges on the "actively" word in there.

• Your Admins can add individuals to a system.  I think this is probably what you mean by "actively"
• Your admins can add groups to a system (A group meaning a dynamic list of accounts that may not necessarily be maintained in that system).  Your admins have "actively" chosen to include the list, but they may have little, or no, knowledge of who is on that list.
• An admin can enable global access, which does not require login.  You're not "added to the system", but you can see and use it without logging in.

Given all of that, I'm still stuck on what you think the problem is. 

Someone has given you some access to a system.  If you don't want it, ignore it, don't log into the system.  If you think there is a security problem, talk to the admins who granted the access that they should not have.