
Confluence Space Imports are now Adding users to the site


      When importing a space using:

      https://<sitename>.atlassian.net/wiki/admin/importspace/importconfluencespace.action

      Once the import is complete, users that have content (pages, drafts, likes, comments, etc.) in the space are added to the site and show in the admin.atlassian.com management portal as having site access.

      Previously this was not the case and the users would simply show as unlicensed.

      An option to choose whether or not to import users during the Space Migration would be beneficial.

            [CONFCLOUD-72064] Confluence Space Imports are now Adding users to the site

            EMS Databob added a comment -

            So it took more than two years to close a security issue. Somewhat frightening.

            Steven Bao added a comment - - edited

            Hey everyone, this should not be happening for either XML or CSV space imports from cloud to cloud.

            For space imports from server to cloud, we need to create the user in the userbase if they do not have an Atlassian account. They do not get product access however.


            Steve Luebbe added a comment -

            This shouldn't be enabled by default. In testing a migration of content between sites it just sent out 50 invites to users that shouldn't have access to this test instance.

            Charles Blaxland added a comment - - edited

            I'll add my voice to the chorus of disapproval here. A recent Confluence space import in our instance resulted in 80 or so unauthorised users being automatically created in our directory and invited to our instance. These users then even showed up in our user pickers for Jira tickets! I'd have thought this is a pretty major security issue and as such a high priority fix.

            Edit: in addition to the security issues this thread rightly points out possible legal issues with GDPR, as the imported users contain email addresses and profile pictures. Please fix!


            Kerli Loopman added a comment -

            This is soooo bad. Can't believe something like this isn't still fixed.

            David Israel added a comment -

            I understand the intention of this change, but do strongly agree that a prompt to select whether user creation is desired or not must be mandatory. Even without security implications, now that users are added with site access only, but without product access, the confusion caused across user picker fields is disastrous.

            Best regards, David

            EMS Databob added a comment -

            THIS IS NOT A NEW FEATURE, IT IS A TERRIBLE BUG.

            We took over a project from another provider, received a dump of a space that we had to import in our Confluence, contrary to what the documentation says, several users of the previous company had been created in our system, with them possibly having an invitation to join the space.

            This is a terrible security breach, with possible legal consequences, as it may provide access to a space to users that should never have been invited.

            You have to correct this behaviour ASAP.

            Winslow Dalpe added a comment - - edited

            We echo concern and displeasure that users with activity in an exported space are invited to the destination site after import.

            We recently experienced this behavior and it was both surprising and troubling. Especially since our understanding of Atlassian's documentation is that this will not happen. https://support.atlassian.com/confluence-cloud/docs/import-a-confluence-cloud-space/#ImportaConfluenceCloudspacetoanexistingcloudsite-Notesaboutthespaceimport

             

            Notes about the space import

            • Users – The above procedure will not import user accounts, meaning it doesn't give users product access or add them to any groups.

             

            Many of the imported users were not authorized to access the destination site. The fact that they were implicitly "invited" as part of the space import and could access content without any further review by an admin at the destination site is not good. Furthermore, we then had to go through the effort to suspend/delete the invalid users to ensure they could not access the destination site. We were lucky that the imported space had only a few dozen users–had there been hundreds or more it would have been a major administrative task.


            Mario Genovese added a comment -

            This issue is really annoying, while migrating the documentation on cloud thousands of users have been created, in particular de-activated users in Confluence Server, people that resigned or left the company years ago... this is really bad... And all of them are re-created again every time a new project is migrated on cloud.

            Maurice Pasman added a comment -

            Since this weekend, users are not only added, they also receive invitations upon import. This is highly unwanted behavior. Please roll this back.

              sbao Steven Bao
              gprosper@atlassian.com Gerson P.
              Votes: 50
              Watchers: 55
