We have given certain people outside our organization access to certain parts of our internal Jira and Confluence. However, we have discovered that it is not working the way we thought it should. For example, they can go into a page they are allowed to access in Confluence, click in the search bar, search for something and get results back that take them to a Jira item that they are NOT assigned security for and should NOT be allowed to see. Why are search results shown to them that fall outside of this security? Can we disable the search bar? Are we not implementing something correctly that is allowing this loophole to exist? At this point we are looking at revoking all access to our Atlassian sites to protect proprietary data which is not ideal.
@Nikki Dean I am guessing that the way you granted access to Jira for those people outside of your organization is the reason they can gain access to the Jira issues you do not want them to see.
It would be helpful to have you explain how you granted the Confluence and Jira permissions to analyze the issue.
That is, of course, a logical question that I wish I could easily answer. Unfortunately it was set up long before my time here. Here's the little I know: we gave an outside company an internal email address to use as a login, we'll say external1@internalco.com. They log onto for example atlassian.internalco.com with that email as their login and we've assigned permissions that say you, external1 user, are part of this External1 group. The External1 group can see only these Jira issues and only these Confluence pages. When we log in using that username to test it, everything looks as we anticipate but we're also not trying to game the system. They have other plans, I guess. When they click in the Confluence search bar, they can search for a key word like "blue" and the results show here are the items in Confluence that contain the word "blue" (some of which they have security to view and some of which they don't) and here are the items in Jira that contain the word "blue" (again, some of which they should be able to see and some of which they shouldn't). They can click on those items they shouldn't be able to see and Jira opens to one of those "blue" items and they can navigate around and see whatever they want. If that Jira issue is linked to another they can click it and keep going, no questions asked.
Maybe I should ask this to turn the question on its head: is there a guide for how to best implement something like this? Maybe we should just rethink it from the top. I think the high level requirements are that we have certain groups of people that we would like to see certain groups of Confluence pages. On those certain Confluence pages we would like to display certain Jira filters. We would like for them to be able to click on those Jira issues and see the specifics in Jira. We don't want them to see other Confluence pages or other Jira issues.
Does that help at all? Sorry for not knowing more. I will try to find out more details.
@Nikki Dean I've been on vacation and didn't see your post until now.
This is going to get very complicated very quickly. My suspicion is that your permissions for all of your projects and your Confluence spaces are very open so to speak. Do you have a site/org admin?
I think you'll need to talk to that person(s) to have them help you with this. You'll need to have separate permissions in both Confluence and Jira that limit viewing of spaces, pages and issues to only the information they need to see.
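Added example, not part of any post in this thread and not Atlassian's code: one way to check the "very open" permissions suspected above is to take each project's permission scheme and list every Browse Projects grant that reaches the external account through something other than its own group. The grant layout (`permission`, `holder.type`, `holder.parameter`) is modelled on Jira's permission scheme JSON and is an assumption here; the scheme names, project keys and the `jira-users` group are constructed sample data, and project-role and single-user grants are not evaluated.

```python
# Constructed sample data: scheme name -> scheme, project key -> scheme name.
SCHEMES = {
    "Default Permission Scheme": {"permissions": [
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "jira-users"}},
        {"permission": "CREATE_ISSUES", "holder": {"type": "group", "parameter": "staff"}},
    ]},
    "Open Scheme": {"permissions": [
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "applicationRole"}},
    ]},
    "External1 Scheme": {"permissions": [
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "External1"}},
    ]},
    "Staff Only Scheme": {"permissions": [
        {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "staff"}},
    ]},
}
PROJECTS = {"EXT": "External1 Scheme", "ENG": "Default Permission Scheme",
            "OPS": "Open Scheme", "HR": "Staff Only Scheme"}

# Assumption: these holder types apply to every account that can log in.
BROAD_HOLDERS = {"anyone", "applicationRole"}


def browse_grants(scheme, user_groups):
    """Return the Browse Projects grants in one scheme that apply to the user."""
    hits = []
    for grant in scheme.get("permissions", []):
        if grant.get("permission") != "BROWSE_PROJECTS":
            continue
        holder = grant.get("holder", {})
        kind, param = holder.get("type"), holder.get("parameter")
        if kind in BROAD_HOLDERS:
            hits.append(kind)
        elif kind == "group" and param in user_groups:
            hits.append(f"group:{param}")
    return hits


def unexpected_access(projects, schemes, user_groups, allowed_projects):
    """Map each project the user can browse but should not to the grants allowing it."""
    findings = {}
    for key, scheme_name in projects.items():
        if key in allowed_projects:
            continue  # access here is intended
        hits = browse_grants(schemes[scheme_name], user_groups)
        if hits:
            findings[key] = hits
    return findings


if __name__ == "__main__":
    print(unexpected_access(PROJECTS, SCHEMES, {"External1", "jira-users"}, {"EXT"}))
```

An empty result for the external account's real group list is the target state; any project that shows up names the grant to tighten in Jira, and Confluence space permissions need the same review separately.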