Hi Kristian. 

Thanks for your fast response. Sounds both interesting. However ...

Micro-Confluence per Client would be far too complex to handle, as we have some 150+ customers. Which means, we would have to manage as many confluence instances as we have customers. I don't believe that would be very practicable with that amount of instances. Beside the cost factor, which would (most likely?) increase substantially for such a solution, I assume? That wouldn't be something that I could sell internally, that would ruin the business case.

The second option sounds at the first glance promising. I will have a look into it. The obvious drawback with that option which strikes me right now is, that we'd loose our document management system if we don't handle the documentation within confluence. We have implemented the Breeze DMS Solution in order to manage our documents in compliance with the given quality requirements set forth internally and by our customers.  I assume that viewport solution doesn't include a document control/management system similar to breeze?

Regards, Pat

@Patrick Geering 

You will handle everything in Confluence, only the 'consumption' level will be in Viewport.

I actually tested Viewport with B1nary's Breeze and it works - I had it configured using the Breeze's option of the secondary space for edits (approvals etc.) and discussed the options with Adrian Hulsmann at length :) 

So you can keep conducting your workflow/DMS in Breeze

In this scenario, Viewport would use your primary space as a content source, you'd use Breeze's working space (secondary space) for updates).

This will assure that Viewport would only work with final, approved version.

I think Adrian would not mind jumping on a call to discuss the details of the configuration (especially as I haven't worked with Breeze for a couple of months now).

Hi Kristian.

Thanks for feedback. Sounds terrific indeed. And knowing Adrian, he certainly wouldn't mind to jump into a call. I had some very infusing calls with him in the past regarding Breeze :-)

However, before we do so, I need to include a few more internal stakeholders in developing the idea and a potential business case. Some of the topics I need to clarify are hosting topics, like do's and dont's etc.

1. Do you know by any chance, how/where the helpcenter websites of Viewport are hosted? (InstantWebsites are hosted on AWS as I've learned. And that in any case, regardless if you're planing with a local host, via CNAME)
2. We're actually using SNOW as a helpcenter solution, and are currently amidst an internal project to restructure/simplify SNOW from scratch. So idealy, I'd see to have the created websites tied to the customer portals in SNOW, that would ease admin efforts regarding access and confidentiality topics (if that's possible with viewport?). So I need to discuss it with the SNOW project team on one side, and clarify for Viewport

I'll get back to you as soon as possible

Regards, Pat

Hi @Patrick Geering 

Perhaps we can get some K15t folks on the call too :D 

AFAIK, it's on AWS. 

There are helpdesk integration options - https://help.k15t.com/scroll-viewport/help-desk-integrations

They're also launching a new iteration of Viewport, Scroll Sites, which is a major revamp of Viewport so there's definitely more to look into.

As for confidentiality, Scroll Documents can be expanded with Variants module which allows you to configure conditional content.

In my config, we have a single space for our product docs - from which we create two Viewport sites - public and internal.

The internal site is behind SSO and has about 200 pages more (some pages have both public and internal only content that only appears on the internal sites. I know they have customers who have a public site and then an SSO site that customers can access for non-public info.

So again, you can build multiple pairs of sites, each pair for a specific client.

Anyway, this is gonna be fun :D 

Attaching a couple of links:

https://help.k15t.com/scroll-viewport/how-secure-is-scroll-viewport

https://www.k15t.com/trust

https://help.k15t.com/scroll-viewport/connect-a-custom-domain

https://help.k15t.com/scroll-viewport/set-up-authenticated-access

Hi @Patrick Geering

@Kristian Klimaalready did some great explanation about Scroll Viewport (and its upcoming new major version Scroll Sites)

To your questions specifically:

1. The Viewport sites are hosted on AWS (US West Region). More on How Viewport Accesses Your Content on Confluence 
2. I'm not familiar with SNOW customer portals but when it comes to managing access to your site, Viewport sites can either be fully public (available to anyone on the web) or protected behind a login.
   The login can either be an access token that you generate in our app or a Single Sign On using an identity provider of your choice. Maybe SNOW can be configured to use the same identity provider?
   You can read more about your Viewport site authentication options on Set Up Authenticated Access

We'll be happy to jump on a call to demo any of these options to you!

- Laura (K15t)

Hi @Patrick Geering

@Kristian Klima informed me about your challenge and the potential solution to use Scroll Viewport. As you can see, we are all well-connected with each other. :) 

And yes, Scroll Viewport works fine with Breeze. Basically, Breeze takes care of the "doing" part (Confluence) while Scroll Viewport is for the consumption part (external website).

Of course, we are happy to further discuss your challenge in a video call. I'm sure, we can also have a mutual call with our partners from K15t - nothing is impossible. :-)

Meanwhile, we will also check on the @mentions problem stated below and see whether Confluence can be configured to truly separate users from different spaces in terms of GDPR.  

All the best,
Adrian from B1NARY

Hi @Laura Parraga -K15t- . Thanks for your feedback.

Public publishing is not a topic given the sensitivity of the information as mentioned in my initial post. I need to check with our IT department, if we potentially could extend our SSO solution to the AWS infra as you mentioned. Everything else wouldn't be feasible in regard of additional admin efforts. And after all, our compliance team has the last call on deciding, if we can place that kind of info onto an external hosting site such as AWS. as I correctly understand from your reply, there's no choice on where to publish the export: it's either AWS or none. There's no possiblity to select another target such as our own cloud infrastructure site.

So now I have some inputs together, that I can work with in regards of further internal analysis and in setting up a business case for our management.

If required, I'll come back on the offer to conduct a joint call with you and breeze.

In the meantime, thanks to everyone (especially @Kristian Klima ) for their great inputs.

Regards, Pat

Hi @Patrick Geering

We further investigated your use case and think that the user guests feature of Confluence most likely fits your use case and could solve your problem.

👉 Read more about Confluence user guests here and here.

Using guests, you can separate external customers from each other and organize them into dedicated spaces. This should solve your GDPR problem since guests do not have access to the internal user info, including:

• @ mentions

• the Teams tab in the top nav bar

• user search

• user pickers.

However, a downside could be that guests cannot access Forge apps (such as Breeze) yet, which is a highly requested feature from us developers.

*Please note that here it says, "Just as guests have free access to Confluence, so will they have free access to all  Marketplace apps you’re using on Confluence.

However, this is not quite correct. This is true for "Connect apps" but not for "Forge apps", which are built on Atlassian's latest development technology, Forge.

For you, this would mean that your internal users can still use Breeze as usual for document review and approval workflows. However, external guests simply do not see the app.

@Adrian Hülsmann - B1NARY which would work for @Patrick Geering unless Guests (customers) are expected to contribute to the workflow-dependent content.

Well, they could edit articles in the workflow space (losing their access to the main space temporarily), but they wouldn't be able to interact with the Breeze workflow.

I believe this approach with the guest role could actually work out ...

1. as our customers are not supposed to create or edit the content which we want to share with them. If at all, they should have the possibility to comment on certain topics, but that's not a must criteria.
2. as our customers have access to the final customer site only (each customer with it's own), and not on any other space, not even on the working copy space
3. as the final customer space is declared as 'read only' for all internal users as all other spaces we have the DCM process enabled, in order to enforce them to use the Breeze document control process. The only means of changing documents for internal users is, to to this via working copy space. Ergo, potential guest users will also have no possibility of changing existing content nor will they be able to add any content such as new pages to their space etc. At least that's how I interpret the guest role in such a case ;-)

I'll point out that possible approach to our IT team. Thanks for the input

Regards, Pat

Let's not mix things up, because guests can contribute to workflow-dependent content, depending on someone's understanding of "contribute". (PS: I know, you refer to the Breeze "working copies" feature, but this might confuse readers without knowing it in detail.)

To clarify: guests could work on their space depending on their given permissions. So they could be configured to only read content from "their" space or also to edit the content of this space. All of this while keeping them separate from the internal users (and other guests), which is what @Patrick Geering has requested and (I think) could solve his main problem.

I mentioned that guest users cannot (yet) use Forge apps, i.e., they cannot trigger any of the Breeze features. But should they? Or are review and approval only part of the internal team? That's the remaining question.

To be clear, guests can work on the content of "their" space, which underlies a review/approval workflow. While guests cannot trigger Breeze's functionality, they can nonetheless work with their content (which could be enough, aka the "remaining question"). To go one step beyond, guests can still benefit from Breeze, e.g., by accessing the Breeze reports created in "their" Confluence space. So there is still room for incorporating some of the Breeze functionality for guests, even if guests are not able to trigger the app functionality themselves. 

But this discussion will be worth a call. 🙂

I think we're all talking about the same thing but from three different perspectives :) 

aaah yes true... I forget about that sorry 

this can be a problem in this case here. 

the other approach will be to have a dedicated Confluence site for each customers, but this can cost quite a lot of licence fees.

Dam.

Hi Marc and DAM.

Yes, that user mentioning is exactly one of the issues that I currently see. As we have a NDA with most of our clients, that would definitely work against the confidentiality part. And of course it would also be an issue in regard of GDPR compliance. I'm not sure if eMail aliasing would work, but as confluence itself sends the eMails, that is to my knowledge not supported in confluence.

And I'm not quite sure, if users, even thought they can't access any other workspaces, are not able to see the other workspaces in the confluence instance. That again would be the same issue as with the user visibility.

Using an instance per customer is not feasible as I explained in my answer to Kristian Klima (https://community.atlassian.com/forums/Confluence-questions/Re-Re-GDPR-compliance-for-Multiclient-Use-of-Confluence/qaq-p/2998309/comment-id/339236#M339236)

Regards, Pat

Hi DAM.

As explained, the user mentioning is one of the issues, the other is the visibility of the spaces. Access can be restricted, correct, however not the visibility of it. At least that is what I experience in our current setup. (even thought I have no access to the HR Workspace, I can see that there is such a workspace. That is unfortunately not in line with the confidentiality requirements set forth). But maybe there's a solution to it by using another configuration approach. But keep in mind, we're talking about 150+ spaces, so potentially additional admin efforts coming with another setup, would have to be more or less reasonable.

Regards, Pat