Beware: 'confluence-users' group is now added as default when you create a new space

fonda
Contributor
February 7, 2024

I've raised this with Atlassian (and assume nothing will be done) but wanted to share this with the community in case it's useful --

We use Jira and Confluence as a digital agency, which means we don't just have internal company users - our clients use our instance too (and we just customise user or group settings so they can't see projects/spaces they're not meant to).

We just noticed a big change to Confluence permissions (not sure how new they are) - the 'confluence-users' group is added to new spaces, with full access by default (view, create and delete pages, etc). Traditionally, anyone who needs to access Confluence needs to be added to the 'confluence-users' group (that's our understanding anyway). Therefore, if Atlassian have now set it up so that all new Confluence spaces will include that group by default, everyone you've added to that 'confluence-users' group can view each other's spaces, even if they're not meant to! In other words, your entire Confluence user base has access to your Confluence spaces (unless you've specifically restricted a space or page - I've noticed that still works, thank goodness).

For us, that means clients were able to see new pages being published (unless we adjust the permissions for the 'confluence-users' group in each space).

Generally, this poses massive privacy issues as you can imagine. The only way to get around this issue for us was to (quickly) go through each space and remove that group's access wherever necessary, i.e.:

  1. Go to each Confluence space's 'Space settings'
  2. Find Space permissions > Groups
  3. Hit 'Edit' > Uncheck the 'View' box for 'confluence-users'
  4. Hit 'Save'
  5. The 'confluence-users' group should disappear (the rest of the access remains the same)

Note that this was possible to do quickly because:

  • We don't have hundreds of spaces
  • I have 'god' admin so I have all the permissions to do whatever is required
  • I set up our Jira and Confluence so I have all the understanding of groups, users, access, etc
  • We don't store absolutely everything (confidential or otherwise) in Confluence! It has been discussed we should, but after this issue, nope

I don't even want to think about the implications of having thousands of spaces and a massive user base.

We only discovered this problem because a team member had to create a new space yesterday and I hadn't gotten around to checking the Group permissions tab (not knowing this permissions section had changed), and a different client told us they could see this client's space and had received notifications about it.

Separately, I started receiving notifications about new pages being created in a client's Confluence instance (which again, we shouldn't have access to and had originally put down to user error!). Strange coincidence, but glad it happened because it allowed me to analyse what was going on in our instance and mitigate the risk as fast as possible on our end.

Even for an enterprise not using their instance with external people, this still poses issues, and the impact could be dire, especially for people who:

  • Don't know about this Confluence permission change
  • Don't have any understanding of how the 'confluence-users' group works or why it even exists
  • Don't have quick access to change Confluence settings (due to being in a large organisation or just not having the right level of access)
  • Have users who are lax with restricting access to pages with sensitive information

We can't possibly be the only ones who experienced this?
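An added audit helper, not part of fonda's post or any Atlassian tool: it walks the JSON shape of a Confluence Cloud v1 `GET /wiki/rest/api/space?expand=permissions` response (that field layout and the sample data below are assumptions, not captured from a real site) and lists every space where 'confluence-users' has been granted anything, so the manual sweep in steps 1-5 can be scoped before anyone starts clicking through spaces.

```python
import json
from typing import Dict, List

# Constructed sample shaped like a Confluence Cloud v1 response to
# GET /wiki/rest/api/space?expand=permissions. The field layout is an
# assumption based on the public API docs; space keys and names are made up.
SAMPLE_RESPONSE = json.loads("""
{"results": [
  {"key": "CLIENTA", "name": "Client A",
   "permissions": [
     {"subjects": {"group": {"results": [{"name": "confluence-users"}]}},
      "operation": {"operation": "read", "targetType": "space"}},
     {"subjects": {"group": {"results": [{"name": "confluence-users"}]}},
      "operation": {"operation": "create", "targetType": "page"}},
     {"subjects": {"user": {"results": [{"displayName": "fonda"}]}},
      "operation": {"operation": "administer", "targetType": "space"}}
   ]},
  {"key": "CLIENTB", "name": "Client B",
   "permissions": [
     {"subjects": {"group": {"results": [{"name": "client-b-team"}]}},
      "operation": {"operation": "read", "targetType": "space"}}
   ]}
]}
""")


def group_operations(space: dict, group: str) -> List[str]:
    """Return sorted 'operation:targetType' strings granted to `group` in one space."""
    ops = []
    for perm in space.get("permissions", []):
        groups = perm.get("subjects", {}).get("group", {}).get("results", [])
        if any(g.get("name") == group for g in groups):
            op = perm["operation"]
            ops.append(f'{op["operation"]}:{op["targetType"]}')
    return sorted(ops)


def open_spaces(payload: dict, group: str = "confluence-users") -> Dict[str, List[str]]:
    """Map space key -> operations for every space that grants `group` anything."""
    found = {}
    for space in payload.get("results", []):
        ops = group_operations(space, group)
        if ops:
            found[space["key"]] = ops
    return found


if __name__ == "__main__":
    # Each flagged space is one to review in Space settings > Space permissions > Groups.
    for key, ops in open_spaces(SAMPLE_RESPONSE).items():
        print(f"{key}: default access group has {', '.join(ops)}")
```

Against a real site the payload would come from that endpoint with an API token and the `start`/`limit` pagination walked until `size` is below `limit`; if your site admin renamed the default access group, pass that name instead of 'confluence-users'.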

Juan Leon February 16, 2024

We have had a similar experience and faced similar choices. Removing 'confluence-users' as a group from a space seems like a drastic step--but we aren't seeing an alternative.

I am concerned about unintended consequences--effects on apps in particular.

Reviewing user groups from our Global Permissions page, we see dozens of apps included as members of 'confluence-users'. So, I hesitate to remove that group from a space.

There must be a straightforward way to provide a user account access to Confluence and the site's core displays/functions without also granting access by default to every space on the site?

Any corrections, clarifications, or tips would be greatly appreciated!

Thiago P _Atlassian Support_
Atlassian Team
February 16, 2024

Hi fonda, how are you today?

This is Thiago with the Confluence Cloud Support Team, please allow me to chime in here.

You are correct to assume that a user needs to be part of the confluence-users group in order to be able to access Confluence. Your Site Admin may be able to change that group's name to something else, but there's always a default access group.

It seems like the confluence-users group was originally not part of all new Spaces on your instance - is that correct?

We suggest you check the Default Space Permissions menu, as we can define those for all new Spaces created.

In order to check that, just navigate to the following link:

  • https://<fonda>.atlassian.net/wiki/admin/permissions/viewdefaultspacepermissions.action

PS: you'll need to replace <fonda> with your Site name.

I'm not 100% sure, but I believe that We can confirm that a vanilla Confluence Cloud instance will allow all users access to new Spaces - in other words, the confluence-users group will be present by default and by design. Let me confirm on this and get back to you.

This happens as Confluence is meant to be an open and collaborative platform for Teams to share information. As we know not all contents are meant for everyone's eyes, the product allows for restricting access to specific users and groups.

We hope this information helps, feel free to add more comments if you have any further questions or concerns.

julius schulze
Contributor
May 15, 2024

That worked for me, thanks a lot because I already needed to edit around 70 areas to delete the confluence user group :D
