I work for a large company and we are using Confluence to publish documentation for some of our internally developed systems. We have a limited user license that is much smaller than the number of employees in the company. We're using groups within Active Directory to control access. We're granting anonymous access so people can see the pages. This all works fine - anonymous users can see the information and our team can author it. However, here's the rub. If an individual who is not in one of the blessed groups logs in, they get a permission denied error and can no longer see any information. I've been told by the Atlassian sales team that allowing Authenticated Read-only access does not consume a seat in the license, but I have been unable to figure out how to set this up in Confluence. Does anybody know how to do this?
Anyone that has the "can use" permissions set up in global permissions will consume a license. So, if you are a member of a group that is set to "can use" or you are explicitly set up for "can use" then you will use a license ... which means even people set to read-only at the space level will use a license. After all licensing isn't a space level function it is a system level function.
I will simply comment on this to raise awareness.
It makes no sense to allow anonymous users read-only access but deny authenticated users that same access.
This is a security issue. At my company we are required to log every employee in to any web app due to Chinese hacking in the past. Now I read that anonymous users have more access than authenticated users in the system. I was led to believe by the Confluence sales team that we could present read-only content to my entire company even though my developer base is small.
This is a contradiction and a problem for user communities. There's simply no way I will purchase 3000 seats when I have a developer base of 150. Outrageous.
The only reason that Atlassian could use is money; logically it makes no sense at all. When will they offer this feature? I have implemented Atlassian at many companies, and more than half have dropped the product because of this one issue.
Not all individuals in an organization need to use the functionality; they just need access to view the information. Which according to Atlassian is better to share anonymously to the whole world rather than keep it secure for your company. JUST BLOODY MENTAL!!!
Thanks David, your answer is correct. Atlassian sales told me that a read-only user would not consume a seat, but it doesn't appear to be technically possible at this time.
I agree this solution is inadequate. We have a developer base of 10 and a user base of over 1000. I struggled to get the licence for 10 seats across the line, there is no way I will get 1000 and there is an even slimmer chance I will open our processes to the internet.
Biggest gripe with my favorite tool in 2019.
Here is a possible workaround for you that I have seen another site do. They created an account that has read-only access and did not tell the employee base the UN/PW of that account. Then they created another login form themselves that would authenticate them against their login system and, if it was correct, would then submit the secret UN/PW for Confluence to the Confluence login page. That way they would not have to tell the employees the secret account and have to worry about resetting the PW when people left, but they could still make it such that you had to log in. They are not logged into Confluence as themselves, but they still do have to authenticate their account before getting in.
Thanks David for putting this out. Can I clarify that I understood you correctly? Suppose I have an application with a user database.
1. Create a Confluence read-only account to be shared across all users
2. Authenticate my users against my application
3. In the background, supply secret credentials to Confluence (which will make the user authenticated against Confluence)
4. Now users can see Confluence pages through the read-only account?
I wanted to see if there was an answer to the question above. I'm also in a situation where we only have 20 or so people that need edit access to Confluence, but probably around 30 more that will need view access from time to time.
If there is an answer, it would be a huge help.
Also, I know Confluence/Atlassian has been making a lot of changes lately - is there a way to raise this as a priority to them to make it easier?
@kyle If you are ok with the viewers being anonymous then you could enable anonymous access for the space (which will allow anyone to see it) and then get just enough licenses for your editors. Anonymous access does not use a license.
Thanks Jeff, either I'm being quite dense or not clear about the problem. I am having no issues with anonymous access. The issue is when a user has authenticated (i.e. is known to the system via the LDAP directory) I want them to have read-only access to a space but not to consume a license seat. According to Confluence sales, a read-only user should not consume a seat; however, when I grant my all-employees group the 'use confluence' permission and read-only access to my space, Confluence denies any user from making changes because the number of users has exceeded the license. So, I'm trying to figure out how to configure Confluence so that my authenticated read-only users don't consume a license seat.
I have JIRA SD linked to Confluence, so I have linked spaces with JIRA projects and I have given read-only access to specific groups.
Those users can view the articles from the JIRA dashboard/customer portal without consuming a license.
I have enabled anonymous access but I'm controlling the users from JIRA user management (I used Atlassian Crowd for the user directory configuration in Confluence).
So, those users cannot log in directly to Confluence but they can use JIRA or Confluence mobile to read articles.
When you configure the space, only grant the Anonymous users to have read/view space page permissions (https://confluence.atlassian.com/display/AOD/Assigning+Space+Permissions) or you can do the same thing at a global level (https://confluence.atlassian.com/display/DOC/Setting+Up+Public+Access) for your instance.
I don't think that is quite what I'm looking for. Here is what I'm observing. I have a space that allows anonymous access. I'm authenticating users against the corporate Active Directory. If a user doesn't log in, they can see the page as an anonymous user. If they choose to use the login link at the top of the page, they can authenticate because they are in the Active Directory, but they are not in a group that can 'use' Confluence. What that user now sees is a 'permission denied' error trying to view any pages in Confluence. This is not intuitive. Now, perhaps this is a bug in Confluence in that if an Anonymous user can do a thing an authenticated user should also be able to do it. This can make it difficult to enforce the user license limit, so perhaps it's only use and read permissions that can be granted to all users if anonymous access is allowed. But that is the problem. I want to keep my user base from being able to lock themselves out.