@Brant Schroeder Thanks for answer,

1-definately different type of data exist on Internal one (confidential and non-confidential).

2-only available on your internal network.

3-LDAP

what is your suggestion for this situation?

@me Do you allow external clients to access your internal network?

nope

@me if the Confluence instance is only accessible internally and you currently do not provide access I would recommend looking at setting up a different instance that can be accessed by external users.  This would provide additional cost and would create logistical issues.

How other company like atlassian mange this situation?

They tend to allow people into their Confluence, with accounts permissioned for read-only access, or have a separate public Confluence as @Brant Schroeder suggests.

@Nic Brough -Adaptavist- i mentioned these things on my post, i need more about side effects and some real world examples.

any idea?

I think you already understand the "side effects" - people either get to see things or they do not.

I'm not sure what you want from "real world examples".  You can imagine that I've worked with a lot of Confluence (and other information systems) and seen many different needs for sharing, but the solution has always been "give people the access they need, in the systems containing the data they need to work with".  

Start with security - what limitations do your security team have with visibility?    Are they happy to let your external users see your internal systems (in general) and over a VPN or some other access control?  Are they ok with you opening up parts of a Confluence (as you can control access by space)?

Then you'll need to look at what you can do within their limits.  But, given "some people can see some stuff in our Confluence", you need to decide whether "the world can see it" is acceptable, and if it is not, then "give people the access they need, in the systems containing the data they need to work with"

@Nic Brough -Adaptavist- as you know couple of days ago log4j hit many companies, if some of these companies publish even restricted access to their instance probably can hit by attackers. Now question are these these companies accept this risk? Or simply separate internal from external? or sync internal or external in some way to reduce risk?

FYI: I’m talking about on-premise not cloud.

I don't understand what that has to do with the question of whether you want to let people use your Confluence or not.

(The nature of the log4j attack means you can only be attacked by a Confluence user that you have given certain permissions to, so it's an irrelevance to this conversation)

@Nic Brough -Adaptavist- definitely normal user should able access to their own data. But when something like log4j occurred attacker able to get direct access to server shell bypass any waf or firewall, and run different command with root user.

@Andy Gladstone Thanks for answer,

is it logical to do that? How other company like atlassian mange this situation?

as I mention we have different type of data on Internal one (confidential and non-confidential).

Any idea?