  1. Confluence Cloud
  2. CONFCLOUD-9142

Suggest user removal method that is more secure than "Content that is only restricted to this user will become available to all confluence users"



      NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion.

      When you remove a user in Confluence 2.5.4 massive, it states:
      "Removing a user will remove all permission restrictions associated with him/her. Content that is only restricted to this user will become available to all confluence users. Are you sure you want to delete this user?"

      The thing that scares me about this is "Content that is only restricted to this user will become available to all confluence users." One of the main reasons we bought Confluence was because certain documentation should be limited to one or more individuals.

      If someone on our support team removes a user and by doing so opens up content that the user owned to everyone out there, this could expose sensitive information and cause huge headaches.

      A suggested alternative to this (which would work for bulk user deletes also) would be to show a table (could be paged) of the following when an administrator tries to remove one or more users and those users have content that only they have permissions to:

      Table column headings:
      Userid - Page (or Object that user has sole permissions to) - Reassign to Group/User

      Reassign to Group/User cells under heading would contain a dropdown with values: "User" and "Group" and then an empty text field with a "lookup" button next to it.

      Then you could also have two links next to Reassign... for each row called "reassign all for user" (that will fill in the reassign field for all content solely owned by that user), and something at the top called "reassign all" (or similar) that lets you just bulk reassign everything (regardless of user who owns it) to a single user/group.

      I know that sounds like a lot, but I think that is one way to do it more safely. You might also state something like "You should encourage your users to always have more than one person assigned to private content to avoid this page."

            Unassigned Unassigned
            6e54f9dce0da Gary Weaver
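The check this suggestion asks for, sketched as an added example; it is not Confluence code and not part of the original issue. It generalises the single-user case to bulk deletes where every principal on a page is being removed. The restriction map, principal names and function names are all constructed for illustration.

```python
# Constructed sample data: page title -> principals in its view restriction.
# An empty set means the page is already unrestricted.
RESTRICTIONS = {
    "Payroll runbook": {"user:alice"},
    "Incident notes": {"user:alice", "user:bob"},
    "Vendor contracts": {"user:bob", "group:legal"},
    "Team lunch menu": set(),
}


def orphaned_rows(restrictions, removing):
    """Return (userid, page) rows for pages whose restriction would be emptied."""
    removing = set(removing)
    rows = []
    for page, principals in sorted(restrictions.items()):
        # Non-empty restriction where every listed principal is being deleted.
        if principals and principals <= removing:
            rows.extend((user, page) for user in sorted(principals))
    return rows


def remove_users(restrictions, removing, reassign):
    """Delete users only if each orphaned page is reassigned (fail closed).

    reassign maps page -> surviving "user:..." or "group:..." principal.
    Returns the updated restriction map; raises ValueError otherwise.
    """
    removing = set(removing)
    orphaned = {page for _, page in orphaned_rows(restrictions, removing)}
    missing = sorted(orphaned - set(reassign))
    if missing:
        raise ValueError("reassignment required for: " + ", ".join(missing))
    stale = sorted(p for p in orphaned if reassign[p] in removing)
    if stale:
        raise ValueError("reassigned to a user being removed: " + ", ".join(stale))
    updated = {}
    for page, principals in restrictions.items():
        # Orphaned pages get the new owner; others just lose the removed users.
        updated[page] = {reassign[page]} if page in orphaned else principals - removing
    return updated
```

The rows from `orphaned_rows` correspond to the Userid and Page columns of the proposed table, and `reassign` carries the third column.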