How can I avoid pages being shared with an external user?

I do NOT want to grant access to anyone outside of our organization. Our instance of Confluence is meant to be for internal access only.

On "Site access", I have selected "Anyone with one of the following email address domains can join:" and provided our company email domain.

I thought this would be good enough. However, if I share a page with a user on a different email domain, i.e. gmail.com, they receive an email that allows them to create an account and gain access to our site. This is NOT good.

FYI, I also have NOT enabled the following options:

- Users can invite others

- Allow anybody to share a link to Confluence

1 answer

1 accepted

0 votes
Answer accepted

@Werner Anders ,

Based on the information you provided, the external user would be able to Request an account, but unless that request was approved, they would not have access to your site. You would need to ensure that your administrators are clear about your access policy/requirements.

Darryl

Thanks for your reply. In my test, it did not play out that way. The external user received an email sharing a link to a page. They clicked on that link and were navigated through setting up their account. Once they completed the account setup they were navigated to the site and had access. No administrator had to get involved.

Interesting. I just recreated this scenario myself. This concerns me a great deal.

My system settings are even more restrictive than yours, in that they're set to Invitation Only. Unless it has to do with my being an administrator and sharing the page, this seems like a security hole as it's not expected behavior. I'm going to try sharing again with a non-administrator account.

And that seems to be the answer.

When the non-administrator user Shared a page, it sent the request to the Administrator instead of directly to the person being shared with.

As long as your administrator users are trusted and informed, you should be alright with this.

Darryl


Thanks Darryl!  I've confirmed the same on my end.  It would be better if we could prevent users from sharing content with external users at all.  In other words, don't even allow them to enter an email address that is outside of the organization's email domain. 

This behaviour will work for now, but I would like to follow up with Atlassian to see if there is another setting that can prevent these requests in the first place.
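
A periodic audit can catch accounts created through the share flow described in this thread. The following is an added example, not part of the original posts and not Atlassian code: it scans a constructed user export for active accounts outside the approved domain. The column names, the sample rows and the domain `example.com` are assumptions.

```python
import csv
import io

ALLOWED_DOMAINS = {"example.com"}  # assumption: the organisation's approved domain

# Constructed sample export; the column names are assumptions, not Atlassian's format.
SAMPLE_EXPORT = """email,status,added
alice@example.com,active,2021-09-01
Bob@Example.COM,active,2021-09-03
carol@gmail.com,active,2021-10-18
dave@example.com.other.test,active,2021-10-19
erin@mail.example.com,active,2021-10-19
frank@gmail.com,deactivated,2021-08-02
not-an-email,active,2021-10-20
"""

def email_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain:
        return None
    return domain

def is_internal(address, allowed=ALLOWED_DOMAINS):
    # Exact match only: suffix or substring matching would accept
    # example.com.other.test. Subdomains are treated as external here
    # (an assumption; add them to the allowlist explicitly if they are yours).
    return email_domain(address) in allowed

def external_accounts(export_text, allowed=ALLOWED_DOMAINS):
    """Return (email, added) for active accounts not on the allowlist."""
    flagged = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"].strip().lower() != "active":
            continue  # deactivated accounts cannot sign in
        if not is_internal(row["email"], allowed):
            flagged.append((row["email"], row["added"]))
    return flagged

if __name__ == "__main__":
    for email, added in external_accounts(SAMPLE_EXPORT):
        print(f"review: {email} (added {added})")
```

Malformed addresses are flagged rather than skipped, so a row that cannot be classified still gets a human look.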
