Uploaded image for project: 'Confluence Server'
  1. Confluence Server
  2. CONFSERVER-9142

Suggest user removal method that is more secure than "Content that is only restricted to this user will become available to all confluence users"

    XMLWordPrintable

    Details

    • Feedback Policy:
      We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Description

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      When you remove a user in Confluence 2.5.4 massive, it states:
      "Removing a user will remove all permission restrictions associated with him/her. Content that is only restricted to this user will become available to all confluence users. Are you sure you want to delete this user?"

      The thing that scares me about this is "Content that is only restricted to this user will become available to all confluence users." One of the main reasons we bought Confluence was because certain documentation should be limited to one or more individuals.

      If someone on our support team removes a user and by doing so opens up content that the user owned to everyone out there, this could expose sensitive information and cause huge headaches.

      A suggested alternative to this (which would work for bulk user deletes also) would be to show a table (could be paged) of the following when an administrator tries to remove one or more users and those users have content that only they have permissions to:

      Table column headings:
      Userid - Page (or Object that users has sole permissions to) - Reassign to Group/User

      Reassign to Group/User cells under heading would contain a dropdown with values: "User" and "Group" and then an empty text field with a "lookup" button next to it.

      Then you could also have two links next to Reassign... for each row called "reassign all for user" (that will fill in the reassign field for all content solely owned by that user, and something at the top called "reassign all" (or similar) that lets you just bulk reassign everything (regardless of user who owns it) to a single user/group.

      I know that sounds like a lot, but I think that is one way to do it more safely. You might also state something like "You should encourage your users to always have more than one person assigned to private content to avoid this page."

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                2 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Last commented:
                  5 years, 27 weeks, 4 days ago