I do NOT want to grant access to anyone outside of our organization. Our instance of Confluence is meant to be for internal access only.
On "Site access", I have selected "Anyone with one of the following email address domains can join:" and provided our company email domain.
I thought this would be good enough. However, if I share a page with a user on a different email domain, i.e. gmail.com, they receive an email that allows them to create an account and gain access to our site. This is NOT good.
FYI, I also have NOT enabled the following options:
- Users can invite others
- Allow anybody to share a link to Confluence
Based on the information you provided, the external user would be able to Request an account, but unless that request was approved, they would not have access to your site. You would need to ensure that your administrators are clear about your access policy/requirements.
Thanks for your reply. In my test, it did not play out that way. The external user received an email sharing a link to a page. They clicked on that link and were navigated through setting up their account. Once they completed the account setup they were navigated to the site and had access. No administrator had to get involved.
Interesting. I just recreated this scenario myself. This concerns me a great deal.
My system settings are even more restrictive than yours, in that they're set to Invitation Only. Unless it has to do with my being an administrator and sharing the page, this seems like a security hole as it's not expected behavior. I'm going to try sharing again with a non-administrator account.
And that seems to be the answer.
When the non-administrator user Shared a page, it sent the request to the Administrator instead of directly to the person being shared with.
As long as your administrator users are trusted and informed, you should be alright with this.
Thanks Darryl! I've confirmed the same on my end. It would be better if we could prevent users from sharing content with external users at all. In other words, don't even allow them to enter an email address that is outside of the organization's email domain.
This behaviour will work for now, but I would like to follow up with Atlassian to see if there is another setting that can prevent these requests in the first place.