I work for a large company and we are using Confluence to publish documentation for some of our internally developed systems. We have a limited user license that is much smaller than the number of employees in the company. We're using groups within Active Directory to control access. We're granting anonymous access so people can see the pages. This all works fine - anonymous users can see the information and our team can author it. However, here's the rub. If an individual who is not in one of the blessed groups logs in, they get a permission denied error and can no longer see any information. I've been told by the Atlassian sales team that allowing Authenticated Read-only access does not consume a seat in the license, but I have been unable to figure out how to set this up in Confluence. Does anybody know how to do this?
Anyone that has the "can use" permissions set up in global permissions will consume a license. So, if you are a member of a group that is set to "can use" or you are explicitly set up for "can use" then you will use a license ... which means even people set to read-only at the space level will use a license. After all licensing isn't a space level function it is a system level function.
I will simply comment on this to raise awareness.
It makes no sense to allow anonymous users read-only access but deny authenticated users that same access.
This is a security issue. At my company we are required to log every employee in to any web app due to Chinese hacking in the past. Now I read that anonymous users have more access than authenticated users in the system. I was led to believe by the Confluence sales team that we could present read-only content to my entire company even though my developer base is small.
This is a contradiction and a problem for user communities. There's simply no way I will purchase 3000 seats when I have a developer base of 150. Outrageous.
Here is a possible workaround for you that I have seen another site do. They created an account that has read-only access and did not tell the employee base the UN/PW of that account. Then they created another login form themselves that would authenticate them against their login system and, if it was correct, would then submit the secret UN/PW for Confluence to the Confluence login page. That way they would not have to tell the employees the secret account and have to worry about resetting the PW when people left, but they could still make it such that you had to log in. They are not logged into Confluence as themselves, but they still do have to authenticate their account before getting in.
Thanks David for putting this out. Can I clarify that I understood you correctly? Suppose I have an application with user database.
1. Create Confluence read-only account to be shared across all users
2. Authenticate my users against my application
3. In the background, supply secret credentials to Confluence (which will make the user authenticated against Confluence)
4. Now users can see Confluence pages through the read-only account?
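The workaround and the four steps above, sketched as an added example (not code from any poster in this thread or from Atlassian). It keeps the shared secret on the server and records which employee obtained each shared session, since Confluence itself will only ever see the read-only account. The user store, the environment variable names, the `post_login` transport and the `os_username`/`os_password` form field names are assumptions to check against your own instance.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample directory standing in for "my application's" user database.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Step 1: the shared read-only account. Env var names are hypothetical.
SHARED_USER = os.environ.get("CONF_RO_USER", "readonly-viewer")
SHARED_PASS = os.environ.get("CONF_RO_PASS", "constructed-secret")

AUDIT_LOG = []  # stand-in for an append-only log store

def authenticate(username: str, password: str) -> bool:
    """Step 2: verify the employee against the local user store."""
    salt, expected = USERS.get(username, (_SALT, b""))
    # Hash even for unknown users so both paths take similar time.
    return hmac.compare_digest(_hash(password, salt), expected)

def broker_login(username, password, post_login, now):
    """Steps 3-4: log in with the shared account from the server side.

    post_login(form) -> session cookie string. It is a hypothetical transport
    that POSTs the form to the Confluence login page server-to-server, so the
    shared password never reaches the employee's browser.
    Returns the cookie to hand to the browser, or None on failed authentication.
    """
    cookie = None
    ok = authenticate(username, password)
    if ok:
        # Assumed login form field names; confirm on your instance.
        cookie = post_login({"os_username": SHARED_USER,
                             "os_password": SHARED_PASS})
    # Attribution lives here: tie the real identity to a hash of the session.
    session_id = hashlib.sha256(cookie.encode()).hexdigest()[:16] if cookie else None
    AUDIT_LOG.append({"time": now, "user": username,
                      "result": "ok" if ok else "denied",
                      "session": session_id})
    return cookie
```
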
I wanted to see if there was an answer to the question above. I'm also in a situation where we only have 20 or so people that need edit access to Confluence, but probably around 30 more that will need view access from time to time.
If there is an answer, it would be a huge help.
Also, I know Confluence/Atlassian has been making a lot of changes lately - is there a way to raise this as a priority to them to make it easier?
When you configure the space, only grant the Anonymous users to have read/view space page permissions (https://confluence.atlassian.com/display/AOD/Assigning+Space+Permissions) or you can do the same thing at a global level (https://confluence.atlassian.com/display/DOC/Setting+Up+Public+Access) for your instance.
I don't think that is quite what I'm looking for. Here is what I'm observing. I have a space that allows anonymous access. I'm authenticating users against the corporate Active Directory. If a user doesn't log in, they can see the page as an anonymous user. If they choose to use the login link at the top of the page, they can authenticate because they are in the Active Directory, but they are not in a group that can 'use' Confluence. What that user now sees is a 'permission denied' error trying to view any pages in Confluence. This is not intuitive. Now, perhaps this is a bug in Confluence in that if an Anonymous user can do a thing an authenticated user should also be able to do it. This can make it difficult to enforce the user license limit, so perhaps it's only use and read permissions that can be granted to all users if anonymous access is allowed. But that is the problem. I want to keep my user base from being able to lock themselves out.
Thanks Jeff, either I'm being quite dense or not clear about the problem. I am having no issues with anonymous access. The issue is when a user has authenticated (i.e. is known to the system via the LDAP directory) I want them to have read-only access to a space but not to consume a license seat. According to Confluence sales, a read-only user should not consume a seat; however, when I grant my all-employees group the 'use confluence' permission and read-only access to my space, Confluence denies any user from making changes because the number of users has exceeded the license. So, I'm trying to figure out how to configure Confluence so that my authenticated read-only users don't consume a license seat.