Issue Summary

Currently, in Confluence Cloud (and similarly in Jira Cloud), when users mention others in pages, comments, or search for users in permission settings, the system displays all users in the Atlassian Cloud site — regardless of whether those users have access to the specific space or project.

This means that even if a user cannot view a given Confluence space, they may still appear in mention suggestions or user pickers, and their user profile (including email address or group/project affiliation) may be visible.

This behavior raises security and confidentiality concerns, especially in multi-tenant or cross-company collaborative environments.

Suggested features

Customers are requesting a configuration option (site-level or space-level) that limits the visibility of user mentions and user search results to only:

• Users who have at least view access to the same Confluence space (or Jira project), or
• Users who belong to the same access context as the current viewer.

This restriction should apply to:

• Mentions in page content and comments
• User pickers in permission settings
• Search fields where user lists appear

Expected outcome

For organizations operating in a shared Atlassian Cloud environment across multiple companies or departments, this feature would:

• Prevent accidental disclosure of user identity, email, or access structure
• Improve compliance with internal data segregation policies
• Enable adoption of Atlassian Cloud for customers with stricter security requirements

In the case of the requesting customer, this limitation has prevented a migration from Atlassian Server to Cloud for approximately 7,000 users. Addressing this limitation could unlock adoption at scale.