Setting up restrictions for users who you don't want to see 95% of the rest of the platform

Hi. We are running Confluence 3.5.7 on our internal server. Only internal staff currently have access to this. However, a number of our teams need an external organisation to be able to see some (not all) of their work. However, it is important that this external organisation doesn't see anywhere else on the site, including the homepage. I wondered if you had any advice on the best way to approach this issue of letting in a group of users who shouldn't see about 90% of the site, but need to see certain pages. I am clear on how restrictions work on Confluence, but am curious as to how to approach this with the smallest amount of administrative headache possible.

Has anyone else approached this problem and are happy with their solution? Security is the most vital part of this, but it is also a must that the external organisation be able to see the pages that they need to see. Ideally, we would avoid the solution of having a separate space just for this external organisation, but instead give them access within each space to the pages they need to see. This, though, is where the administratiove headache comes in, with inherited restrictions, page-by-page management of restrictions etc.

Any advice?

Thanks,

Tim

1 answer

This widget could not be displayed.

Page by page will be a headache for sure. When you say external users, do these also need to NOT see each others contributions?

At AppFusions we make heavy use of the permission system but we do lean on spaces to make it easier. Basically you want it set up so that a default new user (say only in confluence-users group) will NOT see anything. Then it makes it a lot harder to accidently do it wrong and open it up when you don't want to

Then you would use separate groups to control access to the spaces.

You could do it with one space but that space would need to be visible to all at the top level and restricted down at each page. (Remembering page hierarchies and permissions will take affect)

Also, have also done a plugin that auto adds permissions to pages on create which can be useful if you think people will forget to set permissions etc..

Hi Colin, thanks for your reply.

Yes, you are right that these external users need to not see each others' contributions. So this external organisation - let's call it EO - has a number of staff, all who work on different private projects in our organisation. They are software testers, essentially, so some work on Project A, others work on Project B, Project C, and so on; but those testing Product A shouldn't see the work that those working on Project B and Project C see.

I am currently testing in our pre-prod, and have three user groups for internal staff - confluence-administration (global), confluence-space (space admin), and confluence-users (default). I have created another group - confluence-external. To this group I have set their global permissions as Can See. Because each space within the Confluence instance has already got space permissions set up for all three internal groups, but not for the confluence-external group, this means that they currently cannot see anything. I think this is essentially what you mean when you say set up a default new group that can't see anything (correct me if I'm wrong).

To provide them with some semblance of access, I am trying various approaches - which is where my question comes in. My first scenario has been to create a single space to which I have granted them View (only) permissions in the Security area of Space Admin for that space. So they can now access this space. Within which I have created child pages from the home page of the space (a home/root page which they can all view), and on these child pages I have set page level view restrictions (which inherit) for each project. Again, seems to tally with what you suggest in second last paragraph.

So that is one way. And the other thing I wanted to try is to allow them access within existing project spaces, but only to certain pages. That, if I get you, is more of a headache, because I will need to set page level restrictions, and remember hierachies etc.?

Thanks, Tim

And I would be very intersted in the plugin you mention you have created. Could you send me a link, to make sure I get the right one?

Much appreciated,

Tim

Email me (check my profile) and I'll send it to you. It isn't out yet as it was just a little util plugin that was built. Possibly we'll publish it on pac at some stage

Hi Colin. Your profile doesn't reveal an e-mail address for you, unfortunately. I sent you an invite via LinkedIn, and thought I could message you that way if we can connect.

Thanks,

Tim

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted yesterday in Confluence

Why start from scratch? Introducing four new templates for Confluence Cloud

Hi my Community friends!  For those who don't know me, I'm a product marketer on the Confluence Cloud team - nice to meet you! For those of you who do, you know that I've been all up in your Co...

155 views 2 4
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you