Status: Closed
Confluence 2.5.4 massive, Java 1.5, Linux
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.
When you remove a user in Confluence 2.5.4 massive, it states:
"Removing a user will remove all permission restrictions associated with him/her. Content that is only restricted to this user will become available to all confluence users. Are you sure you want to delete this user?"
The thing that scares me about this is "Content that is only restricted to this user will become available to all confluence users." One of the main reasons we bought Confluence was because certain documentation should be limited to one or more individuals.
If someone on our support team removes a user and by doing so opens up content that the user owned to everyone out there, this could expose sensitive information and cause huge headaches.
A suggested alternative to this (which would work for bulk user deletes also) would be to show a table (could be paged) of the following when an administrator tries to remove one or more users and those users have content that only they have permissions to:
Table column headings:
Userid - Page (or Object that the user has sole permissions to) - Reassign to Group/User
Reassign to Group/User cells under heading would contain a dropdown with values: "User" and "Group" and then an empty text field with a "lookup" button next to it.
Then you could also have two links next to Reassign... for each row called "reassign all for user" (that will fill in the reassign field for all content solely owned by that user), and something at the top called "reassign all" (or similar) that lets you just bulk reassign everything (regardless of user who owns it) to a single user/group.
I know that sounds like a lot, but I think that is one way to do it more safely. You might also state something like "You should encourage your users to always have more than one person assigned to private content to avoid this page."
- relates to
CONFCLOUD-9142 Suggest user removal method that is more secure than "Content that is only restricted to this user will become available to all confluence users"
CONFSERVER-2593 List user's content when warning that user cannot be removed
- Gathering Interest
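The pre-removal check suggested above, sketched as an added example (not Confluence code and not part of the original suggestion). It assumes a toy in-memory model where each page maps to the set of users and groups it is restricted to; all names and sample data are constructed. It goes slightly beyond the single-user case by also catching pages whose only viewers are all in the same bulk delete.

```python
# Added illustration: a toy model, not Confluence's data model or API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Row:
    userid: str   # user being removed
    page: str     # page that would lose its last restriction

# Constructed sample data: page title -> principals allowed to view it.
RESTRICTIONS = {
    "Payroll runbook": {"alice"},
    "Incident notes": {"alice", "bob"},
    "VPN config": {"alice", "group:netops"},
    "Team home": set(),  # unrestricted already
}

def sole_restriction_rows(restrictions, users_to_remove):
    """Rows for the 'Userid - Page - Reassign' table: pages that are
    restricted today but would have no principal left after removal."""
    doomed = set(users_to_remove)
    rows = []
    for page, principals in sorted(restrictions.items()):
        if principals and not (principals - doomed):
            rows.extend(Row(u, page) for u in sorted(principals))
    return rows

def remove_users(restrictions, users_to_remove, reassign):
    """Fail closed: refuse the removal unless every affected page is
    reassigned to a principal that is not itself being removed."""
    doomed = set(users_to_remove)
    affected = {r.page for r in sole_restriction_rows(restrictions, doomed)}
    missing = sorted(p for p in affected
                     if not reassign.get(p) or reassign[p] in doomed)
    if missing:
        raise ValueError(f"reassign before removing: {missing}")
    return {page: ({reassign[page]} if page in affected
                   else principals - doomed)
            for page, principals in restrictions.items()}

if __name__ == "__main__":
    for row in sole_restriction_rows(RESTRICTIONS, ["alice", "bob"]):
        print(row.userid, "-", row.page, "- <reassign to user/group>")
```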