
Can I use Space Privacy in any number of Confluence instances?

An App license can only be used in a single Confluence instance. You can, however, create as many extranet spaces as you'd like. To use Space Privacy in other Confluence instances, another license is needed. The required license size depends on the Confluence instance.

Why are users visible, although they should not be visible?

The most likely cause is a misconfiguration or a third-party app that adds custom views to Confluence which are not supported by our app.

Please go through the following checks to find out whether your configuration causes the unwanted visibility of users:

  1. Are the affected users assigned to an extranet space? The global setting "Who can see and find users that are not assigned to an extranet space?" has the option "All users"; with this option, only extranet users are restricted in searching for and viewing other extranet users.
  2. Is it possible to see other users in the Confluence people directory (path: /browsepeople.action) and open their profiles? In this case the user has a configured permission to see the other user.
  3. Are the users assigned to the same extranet space? Users who share the same extranet spaces can collaborate and are allowed to search for each other. Please keep in mind that users can also be assigned via Confluence groups.
  4. Is the user who can see "too many" users a Confluence administrator, or do they have the admin role "Extranet Manager" or "Extranet User Manager" in one of your extranet spaces? In this case, the user must be allowed to see all other users to be able to manage the extranet space. Only assign admin roles to users that are permitted to see all other users.

If none of the steps solves your problem, it is either an unsupported feature of a third-party App or a problem in your app. In both cases, please send a report to our App support: https://seibert.biz/Apphelp

I would like only users that work in the same extranet spaces to be able to see each other. Internal and external users cannot be differentiated by the system.

 

This situation often occurs in pure extranet instances.

Only global administrators, space administrators and extranet user administrators have access to all users, so that assigning them to extranet spaces is possible. Until a user is assigned, they won’t be able to see any other users in the system.

This is especially useful if adding external users is a process that is independent of Confluence: in enterprises, employees often have to ask IT to add external users. Before one of those external users is added to an extranet space, they should not have access to other users and vice versa, which is why the previously mentioned option should be picked in the App configuration.

 

 

I want to run intranet and extranet in the same instance and make sure external users can only see the employees they work with. At the same time, the employees themselves should be able to continue working without any visibility restrictions.

 

  1. Adjust the App configuration so that only global administrators, space administrators and extranet user administrators can access all user data.

  2. Create a dummy extranet space.

  3. Assign to this extranet space the groups that represent the internal users, your employees (e.g. “all-employees”, “internal-user”, …). Often, these users come from the connected LDAP (directory service), for example Microsoft Active Directory. Space Privacy keeps track of changes in group membership here as well, so users that are removed from an assigned group also lose access to the corresponding extranet space.

    As a result, all internal users still see each other and can use Confluence as usual.

  4. If you also want your employees to work with external users, add the relevant users or groups to the respective extranet spaces.

    Only users that share one (or more) extranet spaces with external users can be seen by them. This also applies to other external users (often locally managed) and internal employees of your company.

There is already a user story in our backlog for a solution that does not require a dummy extranet space. However, the implementation is not yet planned. Please contact us if you are interested in sponsored development.

 

 

 

Is it possible to add users to more than one extranet space?

Yes. You can assign users to an unlimited number of extranet spaces. This does not change the security strength of any user data.

If user 1 is assigned to extranet spaces A and B, they can view all user data and whoever else is included in those spaces.

Can I build up an extranet in my Confluence intranet with Space Privacy?

Yes. In general, the extranet use case can be implemented inside your intranet. If you want to work with outside users in extranet spaces within your instance, you may unfortunately have to rethink your infrastructure. Working from outside the company premises is possible if the company's VPN is installed. Depending on the degree of use and your requirements, we recommend setting up a well-running Confluence system for your extranet.

Am I able to set up individualized permissions for each user?

There are 5 different permission roles that you can assign to every single group or user. In our experience, these roles cover many of the relevant permission setups for extranets.
If the initial roles do not fit your needs, you can customize them in the global App administration under the tab user roles.
Just click on "edit" for the role you want to customize and set the check marks you like.

(warning) Caution: Changes in permission apply to all available extranet spaces - including spaces that already exist.

What rights can I assign to an extranet user?

As in the previous question:
There are 5 different permission roles that you can assign to every single group or user. In our experience, these roles cover many of the relevant permission setups for extranets.
If the initial roles do not fit your needs, you can customize them in the global App administration under the tab user roles.
Just click on "edit" for the role you want to customize and set the check marks you like.

(warning) Caution: Changes in permission apply to all available extranet spaces - including spaces that already exist.

Can an Extranet space be managed by a Confluence or Space Admin?

No, there are 3 types of extranet administration that Space Privacy grants:

  • The extranet administrator can manage both domain users, as well as the domains themselves.
  • The administrator can manage the space, but cannot add or remove users.
  • The extranet user administrator can manage users in the space, but not the space itself.

Our users are not locally managed in Confluence, but rather in a central setting in an LDAP – can Space Privacy still be used? 

Yes, the App also reaches LDAP users as long as it is configured in the Confluence administration.

However, it is absolutely necessary for local groups to be allowed, as Space Privacy creates groups for every extranet space. Users that are assigned to the corresponding extranet space are added to these groups.


We manage content permissions through the Confluence space permissions of predefined groups. Consequently, content permissions remain unchanged even after the App is deactivated. In contrast to individual permissions, these predefined groups make sure that the extranet user administrator doesn’t have to be the space admin as well. In Confluence, only space admins can assign new permissions. With the admin role extranet user administrator, we have created the possibility to give users who aren’t, or are not allowed to be, space admins administrative rights over the user administration of extranet spaces.

If a user is added to an extranet space, they won’t show up as an individual in the permissions. Instead, they are part of the group(s) that were created for this space by Space Privacy, e.g. extranet-SPACEKEY-consumer.


If the App can’t use these extranet groups, the following error occurs:


This also applies if the user administration isn’t done in Confluence but in JIRA (or another system) instead. You will find the option to allow local groups there as well.

If you have any questions about this, don’t hesitate to ask us. We would love to help you!

Using JIRA servers or Atlassian Crowd as a user directory

There’s no option “Read Only, with Local Groups” for JIRA servers or Atlassian Crowd. In this case the configuration consists of 2 steps.

Confluence

First, the option “Read/Write” has to be set for the user directory (JIRA server or Atlassian Crowd). Second, the option “Read Only, with Local Groups” has to be configured in the connected user directory.

Crowd

Allow local groups

Add group permissions (add, modify and remove)


Which features are being secured by Space Privacy?

Our App aims to secure every standard Confluence UI and interface that was not added by a third-party App. Some third-party Apps are supported if they use standard interfaces (e.g. for user search). In all other cases we kindly ask you to inform us about problems with third-party Apps, so that we can evaluate possible solutions (https://seibert.biz/Apphelp).

Space Privacy not only secures content via Confluence permissions. It also makes sure that only users who share at least one extranet space can see each other in the system. For content permissions, the App uses and manages Confluence space permissions. You don’t have to assign your own permissions in extranet spaces; this would even be counterproductive, because it bypasses the extranet user administration.

The restriction of user visibility is only made possible by mechanisms of our App. Thus, deactivating the App makes all users visible again. Assigned content permissions, on the other hand, remain the same.

The following points should help to understand our security concept.

  • Visibility of extranet users is bidirectional except for administrative roles (Confluence administrator, extranet administrator, extranet user administrator). If user Alice can see user Bob, user Bob can see user Alice. The administrator Charlie can see Alice and Bob, even though they might not share an extranet space.
  • Visibilities are different for global features (user profile, search, user directory) and space features (@-mention, share page).
  • In global features (user profile, search, user directory) an extranet user can see every user with whom they share an extranet space. Alice is assigned to extranet spaces A and C, Bob to B and C. That’s why they can find each other using search and look at each other's profiles.
  • In space features (@-mention, share page) a user can only interact with extranet users that are also assigned to this extranet space. Alice is assigned to extranet spaces A and C, Bob to B and C. They can both mention each other via @-mention and share pages in extranet space C, but not in extranet spaces A and B.

You can find more information regarding global and space features in sections "What are global features and which of them are secured?" and "What are space features and which of them are secured?".

What are global features and which of them are secured?

Global features are UIs or technical interfaces that are not restricted to a single space. The Space Privacy App makes sure that in these features a user is only shown users who share at least one extranet space with them. Users in an administrative role (Confluence administrator, extranet administrator or extranet user administrator) always see every user of the system, as this is necessary to exercise their roles.

At the moment, the following features and interfaces are secured:

  • User profiles
  • Global search
  • Search bar (Quicksearch)
  • People directory (/browsepeople.action)
  • User search in search filters (contributor, creator, network/contacts)
  • Macros: Livesearch, User List, User Profile, Content by User
  • Personal spaces (this should be solved by content permissions, but in case of a faulty configuration we intervene)
  • Activity Stream / ”Recently Updated” / “All Updates”

What are space features and which of them are secured?

Space features are features that can only be used in spaces.

The Space Privacy App makes sure that in these features only users that are assigned to the same extranet space are shown. This is meant to prevent accidental interaction with users that don’t have access to this extranet space. For space features, even users in administrative roles (Confluence administrator, extranet administrator or extranet user administrator) cannot interact with users that are not assigned to this extranet space.

Currently the following space features are being secured:

  • Mentioning users (@-mention)
  • Sharing pages
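
The visibility rules from the security concept and from the two feature lists above can be written down as a small Python model, which helps when working out whether a pair of users should be able to see each other. This is an added example, not code from Space Privacy: the function names, the `unassigned_visible_to_all` flag (standing in for the "All users" option) and the sample users and spaces are assumptions made for illustration.

```python
# Model of the visibility rules described on this page (not the app's code).
# Constructed sample data: space key -> assigned users, after expanding groups.
SPACES = {"A": {"alice"}, "B": {"bob"}, "C": {"alice", "bob"}, "D": {"dave"}}
ADMINS = {"charlie"}  # Confluence admins, extranet (user) administrators
ALL_USERS = {"alice", "bob", "charlie", "dave", "erin"}  # erin: unassigned


def spaces_of(user):
    return {key for key, users in SPACES.items() if user in users}


def global_reason(viewer, target, unassigned_visible_to_all=False):
    """Why `viewer` sees `target` in global features (profile, search,
    people directory); None if the rules say the target stays hidden.
    `unassigned_visible_to_all` models the "All users" option."""
    if viewer in ADMINS:
        return "viewer holds an administrative role"
    shared = spaces_of(viewer) & spaces_of(target)
    if shared:
        return "shared extranet space(s): " + ", ".join(sorted(shared))
    if unassigned_visible_to_all and not (spaces_of(viewer) and spaces_of(target)):
        return 'option "All users": one side is not assigned to any space'
    return None


def can_interact_in_space(viewer, target, space):
    """Space features (@-mention, share page): the target must be assigned
    to this space, admin roles included. Assumption: the viewer must be
    assigned too, or hold an administrative role."""
    assigned = SPACES.get(space, set())
    return target in assigned and (viewer in assigned or viewer in ADMINS)


def audit(unassigned_visible_to_all=False):
    """All (viewer, target, reason) triples that are visible globally."""
    return sorted(
        (v, t, r)
        for v in ALL_USERS for t in ALL_USERS if v != t
        for r in [global_reason(v, t, unassigned_visible_to_all)] if r
    )
```

Comparing the output of `audit()` with what a test user actually finds in the people directory shows whether an unexpected visibility is explained by configuration or needs to be reported.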

Which Apps does Space Privacy support?

(warning) Apps that access user data or labels are relevant in this case, for example Apps that integrate their own people directory or allow users to be mentioned.

What do I have to keep in mind regarding export and import with Space Privacy?

Export and import for systems that use Space Privacy are generally possible. Nevertheless, there are a few points you should keep in mind:

  • For export and import, the same version of the App should always be used; otherwise there might be problems with upgrade tasks.
  • For this, use the global export feature.
  • Do not export extranet data.

Which version of Confluence is Space Privacy compatible with?

Confluence Server 5.9.1 - 6.2

How do I submit an issue?

Before you submit an issue with the space, please try to solve the issue with the following steps:

  1. Reload the page.
  2. Deactivate and activate the App (this is no magic, we actually run some health checks when the App is activated).
  3. Only if you see the message "Indexing User...": rebuild the Confluence search index (Confluence Administration > Content Indexing).

If none of the steps fixes the problem, please submit an issue (https://seibert.biz/Apphelp) and add application logs to help us analyse the cause of the problem:

  1. Set the log level for the key net.seibertmedia.extranet to DEBUG. Use the logging administration (Confluence Administration > Logging and Profiling) to add net.seibertmedia.extranet as a new logging key.
  2. Repeat the steps that caused the error to generate meaningful logs.
  3. Copy the application logs, if you have access, or generate a Support ZIP (Confluence Administration > Support Tools / Atlassian Documentation).
  4. Submit an issue here and attach the application logs: https://seibert.biz/Apphelp

I would like to know that external users cannot see each other.
But at the same time, they should be able to reach my company's employees without the need to assign those employees to extranet spaces.

In other words: external users can access all internal users and vice versa. External users don’t see each other, except when they work together in an extranet space.

 

 

For situations like these, there is a checkbox in the global administration interface of the extranet. Pick the option “All users”.

This means that users who do not have a shared extranet space are unable to see one another. However, users who are not assigned to an extranet space are treated as "internal" and are able to communicate with external groups, with no need to be assigned to an extranet space.

(warning) Please keep in mind that the corresponding “internal” users or groups need access to the spaces via permissions.

 

 

 

 

 
