The Atlassian suite provides a ton of versatility through its services. Given the variety of business use cases that products like Jira Software and Confluence can serve, for many organizations, some of their most confidential data may live within their Confluence spaces. Fortunately, there are Confluence permissions best practices that can ensure your organization’s Confluence spaces remain secure without data leakage.
How secure is Confluence?
When it comes to cloud security, ensuring the security of your cloud applications and infrastructure is a responsibility shared by both you and your service provider. This is why we pointed out in our cloud security best practices post that asking if the cloud is secure is the wrong question for organizations to focus on. This is true even when the question is directed at specific cloud providers or services. Your focus as it relates to securing your cloud environment should be on the controls and tools you can leverage in enforcing your data and security policies. Luckily, Confluence provides straightforward permissions management controls from within the application that can help organizations control who can see and access content within their Confluence spaces.
What are the Confluence permissions best practices organizations should be aware of?
1. Have involved stakeholders become Confluence Admins
Proper security begins with good security hygiene. This is true of both individuals and organizations. That’s why one of the most important things that cloud adopters can do is to identify stakeholders who will help manage their services and accounts and enforce proper user hygiene. This is a point we made when discussing how organizations can prevent PII leakage within Slack and manage Slack guest accounts. The always-on nature of SaaS applications like Confluence and Slack means that investing in stakeholders who have the time and resources to serve as administrators for these applications is critical. Active administrators will be your first line of defense in securing your spaces and enforcing your data policies. Without active administrators serving as your organization’s eyes and ears, managing and enforcing proper user behavior as well as proper access restrictions will prove to be difficult.
2. Understand the interplay between permissions levels and restrictions
Confluence provides permissions controls at multiple levels, and understanding them is key to making sure that no one who shouldn’t be is authorized to view, add, modify, export, or delete data in Confluence. Users may also have the ability to control who views content that they’ve created. Ultimately, it’s up to administrators to determine the “order of operations” for which specific controls apply to your organization's environment. Having an idea of where you’ll need controls - whether at the product level, site level, or organization level - will help make sense of how to set up these roles for your organization. Beyond this, you’ll need to ensure that the admins who have access to your Confluence admin console understand how permissions function in Confluence.
All paid instances of Confluence have three levels of permissions:
- Global permissions which are broad and site-wide
- Space permissions which uniquely apply to the space specified by an administrator (usually the space creator)
- Page restrictions which allow admins to restrict the view or editing of specified pages by specific groups or users
In general, administrators have the ability to apply permissions to an individual user or to a created group of users. It’s important to note, though, that group permissions are additive within Confluence spaces. To illustrate this, Confluence’s documentation provides an example:
Consider a member (Sasha) who’s been grouped into the “confluence-users” group and “developers” group. From the confluence-users group, Sasha is granted an “export” permission and from the developers group, Sasha inherits a “restrict” permission. Even though users in the confluence-users group do not have the restrict permission and users in the developers group do not have the export permission, Sasha will have both permissions by virtue of being a member of both groups.
Space admins will also need to be mindful of how they apply permissions. For example, it’s possible for someone to be a user of a space who has space wide viewing permissions, but who still shouldn’t be able to see specific pages. That’s where page restrictions will come in handy, as these allow specific users or groups within a space to be prohibited from seeing a designated page.
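The interplay described above, modeled as an added example that is not Confluence’s own code: space permissions are the union of every group a user belongs to (the Sasha case), while page restrictions can only narrow that access. The group names, permission names, page titles and users are constructed for the illustration, and the model is a simplification of Confluence’s actual evaluation.

```python
from typing import Dict, Set

# Space permissions granted to each group (constructed sample mirroring the Sasha example).
SPACE_PERMISSIONS: Dict[str, Set[str]] = {
    "confluence-users": {"view", "export"},
    "developers": {"view", "restrict"},
}

# Group membership per user (constructed sample).
GROUPS: Dict[str, Set[str]] = {
    "sasha": {"confluence-users", "developers"},
    "jordan": {"confluence-users"},
}

# Page view restrictions: page -> principals (users or groups) allowed to view it.
# A page with no entry is unrestricted within the space (constructed sample).
PAGE_VIEW_RESTRICTIONS: Dict[str, Set[str]] = {
    "Release keys": {"developers"},
}


def effective_space_permissions(user: str) -> Set[str]:
    """Group permissions are additive: the union over all of the user's groups."""
    perms: Set[str] = set()
    for group in GROUPS.get(user, set()):
        perms |= SPACE_PERMISSIONS.get(group, set())
    return perms


def can_view_page(user: str, page: str) -> bool:
    """Page restrictions only narrow access: the user needs space-level view
    AND, when the page is restricted, must be named directly or via a group."""
    if "view" not in effective_space_permissions(user):
        return False
    allowed = PAGE_VIEW_RESTRICTIONS.get(page)
    if allowed is None:
        return True  # unrestricted page: space-level view is enough
    principals = {user} | GROUPS.get(user, set())
    return bool(principals & allowed)


if __name__ == "__main__":
    print(sorted(effective_space_permissions("sasha")))   # ['export', 'restrict', 'view']
    print(can_view_page("jordan", "Team roadmap"))        # True
    print(can_view_page("jordan", "Release keys"))        # False
```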
3. Monitor logs to track permissions changes across your spaces
Confluence and Jira provide product-specific audit logs that administrators within those respective services can access. Reviewing these logs can provide insight into who created or deleted a space or otherwise edited a space as well as changes to groups and user permissions. Doing so will help in the moderating of Confluence spaces and the Atlassian organizations they’re part of.
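One way to turn a log review into a routine check, as an added example that is not Confluence’s own code or output: flag audit records that widen access, such as a space permission granted to a broad group or a page restriction being removed. The records and the “summary”, “affected” and “detail” field names are constructed for this example; adapt the parsing to the fields your Confluence audit log export actually contains.

```python
from typing import Dict, List, Tuple

# Principals whose grants widen exposure to everyone or to all licensed users.
BROAD_PRINCIPALS = {"anonymous", "confluence-users"}

# Constructed audit records; field names are an assumption, not Confluence's schema.
AUDIT_LOG: List[Dict[str, str]] = [
    {"author": "alice", "summary": "Space permission added", "affected": "ENG",
     "detail": "group=developers permission=view"},
    {"author": "bob", "summary": "Space permission added", "affected": "FIN",
     "detail": "group=anonymous permission=view"},
    {"author": "carol", "summary": "Page restriction removed", "affected": "Salary bands",
     "detail": "group=hr-leads restriction=view"},
    {"author": "dave", "summary": "Space removed", "affected": "OLD", "detail": ""},
]


def parse_detail(detail: str) -> Dict[str, str]:
    """Split a constructed 'key=value key=value' detail string into a dict."""
    return dict(part.split("=", 1) for part in detail.split() if "=" in part)


def widens_access(record: Dict[str, str]) -> bool:
    """True when the record grants access to a broad group or drops a restriction."""
    summary = record["summary"]
    detail = parse_detail(record["detail"])
    if summary == "Space permission added":
        return detail.get("group") in BROAD_PRINCIPALS
    if summary == "Page restriction removed":
        return True
    return False


def review(log: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (author, affected object, summary) for every record worth a second look."""
    return [(r["author"], r["affected"], r["summary"]) for r in log if widens_access(r)]


if __name__ == "__main__":
    for author, affected, summary in review(AUDIT_LOG):
        print(f"{author} widened access on {affected!r}: {summary}")
```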
4. Properly onboard and offboard members
Finally, Confluence allows admins to securely onboard new team members by only inviting users with a designated domain name in their email address. Organization admins who manage org-wide permissions should also be sure to remove employees who have left the company from the company’s organization.
What else can organizations do to secure their Confluence spaces?
Data visibility is critical to cloud security. This involves knowing the types of data you have in your cloud environments, which also means knowing where it is and how it’s being used. Ensuring that users abide by the access and permissions schemes in place is half the battle for organizations securing their cloud services and platforms. The other half of this fight involves leveraging tools to illuminate where your data is and how it’s being used. Data discovery platforms like Nightfall can help with this. As the industry’s first cloud-native data loss prevention solution, Nightfall integrates with popular SaaS platforms like Jira and Confluence to help companies discover, classify, and protect business-critical data within these environments. Nightfall leverages over 100 machine learning detectors tuned to industry-specific PII, PHI, financial data, and other sensitive information. Nightfall’s detectors are also trained on identifying this data within documents, images, and other types of unstructured data, which are common in environments like Confluence and Jira. For a deeper dive into what Nightfall can do, check out our Atlassian marketplace page or schedule a demo with us below.