-
Suggestion
-
Resolution: Unresolved
-
None
-
50
-
183
-
NOTE: This suggestion is for Confluence Data Center. Using Confluence Cloud? See the corresponding suggestion.
Hi everyone,
This is Charlie from the Confluence team. Thank you for your interest in this suggestion.
After reviewing this ticket and weighing it up against our other opportunities, we have decided to transition it to 'Gathering interest' as we don't have plans to work on this in the near term.
Please continue to vote and watch this suggestion if it is important to your team, as we regularly review highly ranked tickets as potential roadmap items.
To learn more about our recent investments in Confluence Data Center, please check our public roadmap and our dashboards containing recently resolved issues, and current work and future plans.
Kind regards,
Confluence Data Center
Requirement:
Depending on group membership users may (or may not) see users in their own or in other groups in the People Directory.
Scenario example:
- Internal people should be able to see all users (from their department and/or project group) as well as all customers that they are responsible for / ideally grouped per company/department/...
- External users (customers) from company XYZ should be able to see (some) internal users (i.e. those responsible for their project), in addition all users from their own organization (members in the group XYZ) and possibly some users from another company that is utilizing the same product.
Above could be solved by smart grouping of people, provided that the access to the People Directory is "better" configurable.
Note: The "Shared Mode" setting in the General Configuration does not solve the issue - this is an all-or-nothing approach, it would be highly desirable to have a fine-grained controlled access to the People Directory in one of the future Confluence releases.
- is duplicated by
-
- Closed
-
- Closed
-
- Closed
-
- Closed
-
- Closed
-
- Gathering Interest
- is incorporated by
-
- Gathering Interest
- is related to
-
- Closed
-
- Gathering Interest
-
CEO-1235 Loading...
- relates to
-
- Closed
-
- Closed
-
- Gathering Interest
-
- Gathering Interest
- links to
- mentioned in
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
[CONFSERVER-7837] People Directory and "controlled" privacy / configure access to People Directory depending on Group membership
The aforementioned workarounds won't prevent a logged in user from seeing every other user by searching for * (with type: user) /dosearchsite.action?cql=siteSearch+~""+and+type%3D+"user"&queryString=
Please at least provide a way to disable searching for users completely if fine-grained controls cannot be implemented quickly
the "people who can view" feature can allow anonymous users browse all the user list, regardless of the "-Dconfluence.disable.peopledirectory.all=true" option that we have set. This seems pretty serious to me.
This is quite serious indeed!
Since Atlassian can't be bothered, here are the workarounds I've found (so far...):
1) Deny locations in webserver config (e.g. Apache reverse proxy in front of Confluence):
<Location "/plugins/gatekeeper-plugin/who-can-view/"> Require all denied </Location> <Location "/browsepeople.action"> Require all denied </Location>
2) In Confluence admin: Manage apps -> Confluence Mentions Plugin -> Disable
The "People who can view" can probably also be disabled by disabling some modules of the "gatekeeper-plugin". Please share if you find better workarounds!
Are we also aware that the "people who can view" feature can allow anonymous users browse all the user list, regardless of the "-Dconfluence.disable.peopledirectory.all=true" option that we have set. This seems pretty serious to me.
Hi all
It is a legal problem if unrelated third parties can access your personal information (and vice versa) just because you chose to interact with a software company which is using Confluence for their documentation (and Jira for task management).
Disabling the people directory is not a viable cure, as it reduces the value of Confluence notably.
Confluence and Jira should allow to restrict the people directory content to users allowed to access a certain space or project. A bit more sophisticated would be a configuration of the people directory content available to certain user groups - a filter per user group or something along these lines.
I know, that doesn't make Confluence incredibly quick, but it would be a lot easier to work with law-abiding companies from the medical, fintech and hightech sectors if that functionality would be available. We really need to be able to control what personal information is available to whom.
Continued failure to provide such a feature makes Confluence and Jira non-GDPR compliant, so speed is essential here.
Yours truly
Peter
We are surprised this functionality doesn't exist as part of the core security functionality. This should be basic that we don't allow our clients from one project to see the names of the clients from another project. It feels awful to have to tell our clients that we can't hide their information from others and it leaves them questioning how much of their data can others see. Of course others can't see their project space, but this puts that concern square in front of them.
I did see in the chain above that there is an add-on for this functionality. Which I was super excited about until I looked at the pricing. Obviously, lots of people want this functionality and will apparently pay for it? It's really too bad that this is the highest-price app I've seen and it addresses basic functionality that should be part of the tool set.
At some point, after 13 years, I would hope (expect) this to be included as base functionality.
Stuart,
I have to revise my opinion and tell you that I wholeheartedly agree with you. Ultimately, there is no legitimation for this kind of behaviour.
Thanks for taking the time and expressing your opinion. I come to realize that it resonates better with my standpoint. Profanity is failing composure.
Have a great week!
All the best,
Alex
Hi Alex,
Not defending Atlassian's approach to these feature requests / issues, in any way, shape, or form. Don't suggest I am because I am not I can assure you.
However, I disagree that Atlassian is 'at least' as unprofessional as Kaspar. Is Atlassian 'unprofessional' in the way they have handled these issues? Yes, incredibly and it should and probably has cost them a small amount business.
But in 'at least' (i.e. read as 'the same or worse') than Kaspar? Ultimately not.
"is not a sign for failing composure of an individual but much more the condensed frustrations of 13 years". Yes frustrations understandable, but this is incorrect: Kaspar's outburst was a textbook definition of failing composure, and I don't think there's any other way of looking at it. This person displayed an example of not maintaining composure - entirely evident by the fact they (or someone) deleted the comments after the fact. No-one should behave this way in a professional environment - no-one.
Wholeheartedly agree with you here though: "We all want this resolved; And Atlassian willingly ignores their customers. That's what's up."
I left the exact same sentiment on a survey they recently sent me. What got me the most was they only just sent a bulletin on new features in Confluence titled "You asked, we listened". You can see where I may have went with this on my responses... 
Hi everyone,
This is Charlie from the Confluence team. Thank you for your interest in this suggestion.
After reviewing this ticket and weighing it up against our other opportunities, we have decided to transition it to 'Gathering interest' as we don't have plans to work on this in the near term.
Please continue to vote and watch this suggestion if it is important to your team, as we regularly review highly ranked tickets as potential roadmap items.
To learn more about our recent investments in Confluence Data Center, please check our public roadmap and our dashboards containing recently resolved issues, and current work and future plans.
Kind regards,
Confluence Data Center