Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Beware: 'confluence-users' group is now added as default when you create a new space

fonda
fonda
Contributor
February 7, 2024

I've raised this with Atlassian (and assume nothing will be done) but wanted to share this with the community in case it's useful --

We use Jira and Confluence as a digital agency, which means we don't just have internal company users - our clients use our instance too (and we just customise user or group settings so they can't see projects/spaces they're not meant to).

We just noticed a big change to Confluence permissions (not sure how new they are) - the 'confluence-users' group is added to new spaces, with full access by default (view, create and delete pages, etc). Traditionally, anyone who needs to access Confluence needs to be added to the 'confluence-users' group (that's our understanding anyway). Therefore, if Atlassian have now set it up so that all new Confluence spaces will include that group by default, everyone you've added to that 'confluence-users' group can view each others' spaces, even if they're not meant to! In other words, your entire Confluence user base as access to your Confluence spaces (unless you've specifically restricted a space or page - I've noticed that still works, thank goodness).

For us, that means clients were able to see new pages being published (unless we adjust the permissions for the 'confluence-users' group in each space).

Generally, yhis poses massive privacy issues as you can imagine. The only way to get around this issue for us was to (quickly) go through each space, remove that group's access wherever necessary, ie:

  1. Go to each Confluence space's 'Space settings'
  2. Find Space permissions > Groups
  3. Hit 'Edit' > Uncheck the 'View' box for 'confluence-users'
  4. Hit 'Save'
  5. The 'confluence-users' group should disappear (the rest of the access remains the same)

Note that this was possible to do quickly because:

  • We don't have hundreds of spaces
  • I have 'god' admin so I have all the permissions to do whatever is required
  • I set up our Jira and Confluence so I have all the understanding of groups, users, access, etc
  • We don't store absolutely everything (confidential or otherwise) in Confluence! It has been discussed we should, but after this issue, nope

I don't even want to think about the implications of having thousands of spaces and a massive user base.

We only discovered this problem because a team member had to create a new space yesterday and I hadn't gotten around to checking the Group permissions tab (not knowing this permissions section had changed), and a different client told us they could see this client's space and had received notifications about it.

Separately, I started receiving notifications about new pages being created in a client's Confluence instance (which again, we shouldn't have access to and had originally put down to user error!). Strange coincidence, but glad it happened because it allowed me to analyse what was going on in our instance and mitigate the risk as fast as possible on our end.

Even for an enterprise not using their instance with external people, this still poses issues, and the impact could be dire, especially for people who:

  • Don't know about this Confluence permission change
  • Don't have any understanding of how the 'confluence-users' group works or why it even exists
  • Don't have quick access to change Confluence settings (due to being in a large organisation or just not having the right level of access)
  • Have users who are lax with restricting access to pages with sensitive information

We can't possible be the only ones who experienced this?

 

 

Comment
Watch
Like # people like this
2852 views

2 comments

Comment

Log in or Sign up to comment
Juan Leon
Juan Leon February 16, 2024

We have had a similar experience and faced similar choices.  Removing 'confluence-users' as a group from a space seems like a drastic step--but we aren't seeing an alternative.

I am concerned about unintended consequences--effects on apps in particular.  

Reviewing user groups from our Global Permissions page, we see dozens of apps included as members of 'confluence-users'.  So, I hesitate to remove that group from a space.

There must be a straightforward way to provide a user account access to Confluence and the site's core displays/functions without also granting access by default to every space on the site?

Any corrections, clarifications, or tips would be greatly appreciated!

 

 

 

Like
Reply
Thiago P _Atlassian Support_
Thiago P _Atlassian Support_
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 16, 2024

Hi fonda, how are you today?

This is Thiago with the Confluence Cloud Support Team, please allow me to chime in here.

You are correct to assume that a user needs to be part of the confluence-users group in order to be able to access Confluence. Your Site Admin may be able to change that group's name to something else, but there's always a default access group.

It seems like the confluence-users group was originally not part of all new Spaces on your instance - is that correct?

We suggest you to check the Default Space Permissions menu as we can define those for all new Spaces created.

In order to check that, just navigate to the following link:

  • https://<fonda>.atlassian.net/wiki/admin/permissions/viewdefaultspacepermissions.action

PS: you'll need to replace <fonda> with your Site name.

I'm not 100% sure, but I believe that We can confirm that a vanilla Confluence Cloud instance will allow all users access to new Spaces - in other words, the confluence-users group will be present by default and by design. Let me confirm on this and get back to you.

This happens as Confluence is meant to be an open and collaborative platform for Teams to share information. As we know not all contents are meant for everyone's eyes, the product allows for restricting access to specific users and groups.

We hope this information helps, feel free to add more comments if you have any further questions or concerns.

Like # people like this
julius schulze
julius schulze
Contributor
May 15, 2024

That worked for me, thanks a lot cause i already needed to edit around 70 areas to delete the confluence user group :D 

 

Like Thiago P _Atlassian Support_ likes this
Justin Garrett
Justin Garrett June 2, 2025

Hi @Thiago P _Atlassian Support_ 

Just come across this situation myself and had a question.

We need to give a client access to more than one space (ie cannot therefor be a guest) but as soon as they get issued a full Confluence license they automatically get added to the confluence-users group. No way of removing that for a user as it then removes the license.

Q: is my only option to go through the space permissions for each space in our organisation to remove the confluence-users group?

We currently have over 200 spaces and I really do not want to have to do that!

I have said it before and I will say it again, Atlassian's permissions structure is the worst out of every single platform that our organisation uses, they are so illogical compared to most 

 

 

Like
Thiago P _Atlassian Support_
Thiago P _Atlassian Support_
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 2, 2025

Hey there Justin,

I understand where you're coming from, so please allow me to add some context.

Confluence was built to be an open collaboration platform, and you are allowed to restrict access to specific users and groups as desired, such as Human Resources, Legal or IT. The default access group is indeed confluence-users (which can be changed), and is added to all new Spaces by default (which can also be changed).

It sounds like your Site was built with the assumption that anyone accessing it would be a regular employee with free access to all contents (unless configured otherwise) and not accounting for the need to add clients, so you may need to further restrict your Spaces based on specific audiences, such as an 'employees' group.

Given all that, Confluence now has a Bulk Space Update solution for this kind of scenario.

In order to remove the confluence-users group from all Spaces:

  1. Log in to Confluence as an Administrator
  2. Click the cog icon to navigate to Confluence Administration
  3. Under Security, click on Space Permissions
  4. Under 'Add people to all spaces', click on 'Choose a user or group'
  5. Under 'Choose who to add or remove', type in confluence-users
  6. Under 'Choose which spaces', select Communal, Personal or both
  7. Under 'Choose space permissions', make sure that all boxes are unselected
  8. Lastly, click on 'Remove from all'

Once done, the confluence-users group will be removed from all Spaces.

Please note that this action cannot be rolled back, so make sure to check if doing this won't cause any adverse effects like restricting access to spaces.

The same approach can be used to add a new group (such as 'employees') to all Spaces.

Hope this information helps =]

Like
Reply
groups-icon
Confluence Cloud Admins
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security