Stop “Forever Access” and Automate Least Privilege
What does the Need-to-Know for Confluence app even do?
Short Version (TL;DR)
If users don’t access content for a set time span, their access is automatically revoked by the app.
No group memberships are touched, no admins are required.
Longer Version
Assume Confluence pages that are not open to everyone. You must restrict access to a well-defined audience for confidentiality or compliance reasons.
The image below shows a sample subtree of confidential information. The four pages beneath the FW47 Aerodynamics Package page must be accessible only on a need-to-know basis:
How do you make sure only the right audience has access to those pages?
Let’s look at what’s possible with out-of-the-box Confluence (spoiler: it’s not sufficient) and how Need-to-Know for Confluence is your solution.
Need-to-Know Enforcement: A Half-Measure
Restricting access to information?
“Easy,” you might say. Have your admins create user groups for the project. Restrict access to those groups:
Looking good?
No. Here’s what will happen:
Your project team grows, new team members join:
- People are added to the project groups, but will never be removed again; they’ll have access as long as they are around in Confluence.
- People are added to the restrictions list on the fly, as single users, instead of being added to the project groups.
People leave the project:
- Who thinks of removing them from the project group? (Nobody.)
- Who’s able to remove people from the project group? (Admins. Try getting hold of them.)
- The project group gets re-used in multiple places. Who’s going to dare remove people from the project group? (Nobody.)
In the end, too many people have access to information for way too long.
There needs to be a way to remove access for users that don’t need that access anymore.
Maybe just like physical key cards that auto-expire when they haven’t been used for a couple of months. No manual intervention required; it’s automated.
That’s where Need-to-Know for Confluence comes in, solving all of the above issues.
Need-to-Know Enforcement: The Right Way
The Need-to-Know for Confluence app is the missing piece for automating the need-to-know principle.
In a nutshell, the app keeps track of who accessed content and removes access for accounts that haven’t accessed it for a set time period.
The app manages access securely: it never changes group memberships and can only narrow access, never broaden it.
Need-to-Know for Confluence automatically removes access to protected content from inactive users. Restoring access is as simple as clicking a button, all without involving a Confluence or site admin.
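To make the behaviour described above concrete, here is an added toy model of inactivity-based, narrow-only enforcement. It is not the app’s code and does not use the Confluence API; the revocation overlay (a per-page set of revoked accounts layered on top of the existing restriction), the fixed clock, the sample users, the group name and the tracking_since baseline are all modelling assumptions.

```python
# Added illustration of inactivity-based, narrow-only access enforcement.
# NOT the Need-to-Know for Confluence app's code: the "revoked" overlay set and
# the tracking_since baseline are modelling assumptions, and all data is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Page:
    title: str
    allowed_users: set[str]          # accounts named directly in the page restriction
    allowed_groups: set[str]         # groups named in the page restriction
    revoked: set[str] = field(default_factory=set)  # overlay of inactive accounts (assumption)


def effective_access(page: Page, user: str, groups: dict[str, set[str]]) -> bool:
    """True only if the original restriction grants access AND the overlay hasn't revoked it."""
    granted = user in page.allowed_users or any(
        user in groups.get(g, set()) for g in page.allowed_groups
    )
    return granted and user not in page.revoked


def revoke_inactive(page: Page, groups: dict[str, set[str]],
                    last_access: dict[tuple[str, str], datetime],
                    now: datetime, max_idle: timedelta, tracking_since: datetime) -> set[str]:
    """Revoke every account that has not opened the page within max_idle.

    Accounts with no recorded access are measured from tracking_since (assumption:
    the clock starts when tracking starts, so a fresh grant is not revoked at once).
    Group memberships are read, never modified.
    """
    candidates = set(page.allowed_users)
    for g in page.allowed_groups:
        candidates |= groups.get(g, set())
    newly_revoked: set[str] = set()
    for user in sorted(candidates):
        if user in page.revoked:
            continue
        last = last_access.get((user, page.title), tracking_since)
        if now - last > max_idle:
            page.revoked.add(user)
            newly_revoked.add(user)
    return newly_revoked


def restore_access(page: Page, user: str) -> None:
    """The 'click a button' path: lifts the overlay only; cannot grant beyond the restriction."""
    page.revoked.discard(user)


def run_demo():
    now = datetime(2025, 10, 1)  # fixed clock so the run is deterministic
    groups = {"fw47-aero": {"alice", "bob", "carol"}}  # constructed sample group
    page = Page("FW47 Aerodynamics Package",
                allowed_users={"dave"}, allowed_groups={"fw47-aero"})
    last_access = {  # constructed access records; carol has none yet
        ("alice", page.title): now - timedelta(days=3),
        ("bob", page.title): now - timedelta(days=200),
        ("dave", page.title): now - timedelta(days=95),
    }
    everyone = {"alice", "bob", "carol", "dave", "mallory"}
    before = {u for u in everyone if effective_access(page, u, groups)}
    newly = revoke_inactive(page, groups, last_access, now,
                            max_idle=timedelta(days=90),
                            tracking_since=now - timedelta(days=60))
    after = {u for u in everyone if effective_access(page, u, groups)}
    # Invariant a practitioner should check for any such tool: enforcement only narrows.
    assert after <= before
    return page, groups, newly, before, after


if __name__ == "__main__":
    page, groups, newly, before, after = run_demo()
    print("revoked:", sorted(newly), "| access before:", sorted(before), "| after:", sorted(after))
```

The point of the `after <= before` check is that revocation and restoration operate on an overlay and never touch the restriction or the group itself, so no path through the tool can hand access to someone (mallory here) who was not in the original audience.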
Codegeist 2025
The Need-to-Know for Confluence app has been announced as part of the Atlassian Codegeist 2025 hackathon. See the contribution here: Need-to-Know for Confluence @ Codegeist 2025
Have a look at the video below to get an overview of the app: