How to set up Authenticated Read Only Access

Hi,

I work for a large company and we are using Confluence to publish documentation for some of our internally developed systems.  We have a limited user license that is much smaller than the number of employees in the company.  We're using groups within Active Directory to control access.  We're granting anonymous access so people can see the pages.  This all works fine - anonymous users can see the information and our team can author it.  However, here's the rub.  If an individual who is not in one of the blessed groups logs in, they get a permission denied error and can no longer see any information.  I've been told by the Atlassian sales team that allowing Authenticated Read-only access does not consume a seat in the license, but I have been unable to figure out how to set this up in Confluence.  Does anybody know how to do this?

-Scott

Keysight Technologies

7 answers

1 accepted

0 vote
Davin Studer Community Champion Nov 10, 2014

Anyone that has the "can use" permissions set up in global permissions will consume a license. So, if you are a member of a group that is set to "can use" or you are explicitly set up for "can use" then you will use a license ... which means even people set to read-only at the space level will use a license. After all licensing isn't a space level function it is a system level function.

Thanks David, your answer is correct.  Atlassian sales told me that a read-only user would not consume a seat, but it doesn't appear to be technically possible at this time.

I will simply comment on this to raise awareness.

It makes no sense to allow anonymous users read-only access but deny authenticated users that same access.

This is a security issue. At my company we are required to log every employee in to any web app due to Chinese hacking in the past. Now I read that anonymous users have more access than authenticated users in the system. I was led to believe by the Confluence sales team that we could present read-only content to my entire company even though my developer base is small.

This is a contradiction and a problem for user communities. There's simply no way I will purchase 3000 seats when I have a developer base of 150. Outrageous.

I couldn't agree more. It's absurd that JIRA logged-in users can't access Confluence pages that are open to the public Internet via Anonymous permissions.

When you configure the space, only grant the Anonymous users to have read/view space page permissions (https://confluence.atlassian.com/display/AOD/Assigning+Space+Permissions) or you can do the same thing at a global level (https://confluence.atlassian.com/display/DOC/Setting+Up+Public+Access) for your instance.

I don't think that is quite what I'm looking for. Here is what I'm observing. I have a space that allows anonymous access. I'm authenticating users against the corporate Active Directory. If a user doesn't log in, they can see the page as an anonymous user. If they choose to use the login link at the top of the page, they can authenticate because they are in the Active Directory, but they are not in a group that can 'use' Confluence. What that user now sees is a 'permission denied' error trying to view any pages in Confluence. This is not intuitive. Now, perhaps this is a bug in Confluence in that if an Anonymous user can do a thing an authenticated user should also be able to do it. This can make it difficult to enforce the user license limit, so perhaps it's only use and read permissions that can be granted to all users if anonymous access is allowed. But that is the problem. I want to keep my user base from being able to lock themselves out.

The global configuration allows users to have initial access to the instance, but each space must also be configured to allow the Anonymous users to have specific permissions (e.g., View) in that space, as indicated by the instructions at https://confluence.atlassian.com/display/AOD/Assigning+Space+Permissions.  By default each space usually allows members of the confluence-users group to have the space permissions shown in the instructions link, and these space permission configurations can easily be modified by a space admin.  If the space admin wants to grant anonymous user to have space view, add pages, etc. permissions, then these permissions can be granted.
*Bottom Line*:  When an anonymous user accesses your instance, he/she will only be able to view, etc. the spaces where they are permitted.
I hope this clarification has been helpful.

Thanks Jeff, either I'm being quite dense or not clear about the problem.  I am having no issues with anonymous access.  The issue is when a user has authenticated (i.e. is known to the system via the LDAP directory), I want them to have read-only access to a space but not to consume a license seat.  According to Confluence sales, a read-only user should not consume a seat; however, when I grant my all-employees group the 'use confluence' permission and read-only access to my space, Confluence denies any user from making changes because the number of users has exceeded the license.  So, I'm trying to figure out how to configure Confluence so that my authenticated read-only users don't consume a license seat.

0 vote
Davin Studer Community Champion Jan 20, 2017

Here is a possible workaround for you that I have seen another site do. They created an account that has read-only access and did not tell the employee base the UN/PW of that account. Then they created another login form themselves that would authenticate them against their login system and, if it was correct, would then submit the secret UN/PW for Confluence to the Confluence login page. That way they would not have to tell the employees the secret account and have to worry about resetting the PW when people left, but they could still make it such that you had to log in. They are not logged into Confluence as themselves, but they still do have to authenticate their account before getting in.

Thanks David for putting this out. Can I clarify that I understood you correctly? Suppose I have an application with user database.

1. Create Confluence read-only account to be shared across all users

2. Authenticate my users against my application

3. In the background, supply secret credentials to Confluence (which will cause the user to be authenticated against Confluence)

4. Now users can see confluence page through the read-only account?

Davin Studer Community Champion Oct 31, 2017

Yep, that's the gist of it.

OK, so what I understand is to create a login form on a web server and authenticate the user, but how will that form authenticate Confluence in the background?
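
A sketch of the gateway step described in this answer, as an added example that is not part of the original thread and is not Atlassian's or any poster's code. The directory contents, the `wiki-reader` account and the base URL are constructed placeholders, and the login endpoint and field names (`/dologin.action`, `os_username`, `os_password`) are an assumption to check against your own instance's login form.

```python
import hashlib
import hmac
import urllib.parse
import urllib.request

SALT = b"constructed-salt"  # constructed sample value

def _derive(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed stand-in for the company's own login system (e.g. an AD bind).
DIRECTORY = {"alice": _derive("alice-pw")}

# Hypothetical shared read-only account; in practice read it from a secret store.
SHARED_USER = "wiki-reader"
SHARED_PASSWORD = "placeholder-secret"
CONFLUENCE_BASE = "https://confluence.example.internal"  # placeholder URL

# (employee, outcome) pairs: Confluence itself only ever sees SHARED_USER,
# so the gateway is the one place the real identity can be recorded.
AUDIT_LOG = []

def verify_employee(username, password):
    """Check the employee's own credentials against the company directory."""
    stored = DIRECTORY.get(username, b"")
    # Derive even for unknown users so both paths do the same work.
    return hmac.compare_digest(stored, _derive(password))

def build_confluence_login():
    """Build the server-side login POST for the shared account.

    Assumption: the login form posts os_username/os_password to /dologin.action.
    """
    body = urllib.parse.urlencode(
        {"os_username": SHARED_USER, "os_password": SHARED_PASSWORD}
    ).encode()
    return urllib.request.Request(CONFLUENCE_BASE + "/dologin.action", data=body)

def gateway_login(username, password):
    """Return the Confluence login request only for a verified employee."""
    if not verify_employee(username, password):
        AUDIT_LOG.append((username, "denied"))
        return None
    AUDIT_LOG.append((username, "granted"))
    return build_confluence_login()
```

The gateway sends this request itself and relays the resulting session to the user, so the shared password never reaches the browser.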
