I've raised this with Atlassian (and assume nothing will be done) but wanted to share this with the community in case it's useful --
We use Jira and Confluence as a digital agency, which means we don't just have internal company users - our clients use our instance too (and we just customise user or group settings so they can't see projects/spaces they're not meant to).
We just noticed a big change to Confluence permissions (not sure how new they are) - the 'confluence-users' group is added to new spaces, with full access by default (view, create and delete pages, etc). Traditionally, anyone who needs to access Confluence needs to be added to the 'confluence-users' group (that's our understanding anyway). Therefore, if Atlassian have now set it up so that all new Confluence spaces will include that group by default, everyone you've added to that 'confluence-users' group can view each other's spaces, even if they're not meant to! In other words, your entire Confluence user base has access to your Confluence spaces (unless you've specifically restricted a space or page - I've noticed that still works, thank goodness).
For us, that means clients were able to see new pages being published (unless we adjust the permissions for the 'confluence-users' group in each space).
Generally, this poses massive privacy issues as you can imagine. The only way to get around this issue for us was to (quickly) go through each space, remove that group's access wherever necessary, ie:
Note that this was possible to do quickly because:
I don't even want to think about the implications of having thousands of spaces and a massive user base.
We only discovered this problem because a team member had to create a new space yesterday and I hadn't gotten around to checking the Group permissions tab (not knowing this permissions section had changed), and a different client told us they could see this client's space and had received notifications about it.
Separately, I started receiving notifications about new pages being created in a client's Confluence instance (which again, we shouldn't have access to and had originally put down to user error!). Strange coincidence, but glad it happened because it allowed me to analyse what was going on in our instance and mitigate the risk as fast as possible on our end.
Even for an enterprise not using their instance with external people, this still poses issues, and the impact could be dire, especially for people who:
We can't possibly be the only ones who experienced this?
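A way to audit for the exposure the post describes, as an added example that is not part of the original thread: the script walks a space-permissions listing and flags every space where the site-wide default access group holds any operation, so the spaces that need their permissions adjusted can be found without clicking through each one. It assumes the JSON shape of the Confluence Cloud v1 REST API's `GET /wiki/rest/api/space?expand=permissions` response (an assumption; adjust the key paths if your export differs) and uses constructed sample data rather than a live call.

```python
import json

# Constructed sample in the shape the Confluence Cloud v1 REST API is assumed
# to return for GET /wiki/rest/api/space?expand=permissions, trimmed to the
# fields the audit needs: space key, name, group subjects and the operation.
SAMPLE_SPACES = json.dumps({"results": [
    {"key": "CLIENTA", "name": "Client A", "permissions": [
        {"subjects": {"group": {"results": [{"name": "confluence-users"}]}},
         "operation": {"operation": "read", "targetType": "space"}},
        {"subjects": {"group": {"results": [{"name": "confluence-users"}]}},
         "operation": {"operation": "delete", "targetType": "page"}},
        {"subjects": {"group": {"results": [{"name": "client-a"}]}},
         "operation": {"operation": "read", "targetType": "space"}},
    ]},
    {"key": "CLIENTB", "name": "Client B", "permissions": [
        {"subjects": {"group": {"results": [{"name": "client-b"}]}},
         "operation": {"operation": "read", "targetType": "space"}},
        {"subjects": {"user": {"results": [{"accountId": "123"}]}},
         "operation": {"operation": "read", "targetType": "space"}},
    ]},
]})


def default_group_grants(spaces_json, default_group="confluence-users"):
    """Return {space_key: sorted list of 'operation:targetType'} for every
    space that grants anything to the site-wide default access group.
    Spaces where the group holds nothing are left out of the result."""
    findings = {}
    for space in json.loads(spaces_json)["results"]:
        grants = set()
        for perm in space.get("permissions", []):
            groups = perm.get("subjects", {}).get("group", {}).get("results", [])
            if any(g.get("name") == default_group for g in groups):
                op = perm["operation"]
                grants.add(f"{op['operation']}:{op['targetType']}")
        if grants:
            findings[space["key"]] = sorted(grants)
    return findings


if __name__ == "__main__":
    # Each flagged space is one whose Group permissions tab needs reviewing.
    for key, grants in default_group_grants(SAMPLE_SPACES).items():
        print(f"{key}: confluence-users has {', '.join(grants)}")
```

Pass the default group's name as `default_group` if your Site Admin has renamed it.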
Hi fonda, how are you today?
This is Thiago with the Confluence Cloud Support Team, please allow me to chime in here.
You are correct to assume that a user needs to be part of the confluence-users group in order to be able to access Confluence. Your Site Admin may be able to change that group's name to something else, but there's always a default access group.
It seems like the confluence-users group was originally not part of all new Spaces on your instance - is that correct?
We suggest you check the Default Space Permissions menu, as we can define those for all new Spaces created.
In order to check that, just navigate to the following link:
PS: you'll need to replace <fonda> with your Site name.
I'm not 100% sure, but I believe that we can confirm that a vanilla Confluence Cloud instance will allow all users access to new Spaces - in other words, the confluence-users group will be present by default and by design. Let me confirm on this and get back to you.
This happens as Confluence is meant to be an open and collaborative platform for Teams to share information. As we know not all contents are meant for everyone's eyes, the product allows for restricting access to specific users and groups.
We hope this information helps, feel free to add more comments if you have any further questions or concerns.
That worked for me, thanks a lot because I already needed to edit around 70 areas to delete the confluence user group :D