Overview
This is a guide about best practices in the use of Confluence (confluence.uoregon.edu).
- Responsibilities of Users
- Your Space Administrator(s)
- Restricting Access to Pages
- Content That Should Be Protected or Not Stored In Confluence
Information
Responsibilities of Users
As a computing resource, Confluence.uoregon.edu is covered by the UO Acceptable Use Policy.
Specific responsibilities that you should be aware of in the Acceptable Use Policy apply to your responsibilities as a user of Confluence:
- Do not share data from this site with people that do not have access, including sharing your login credentials.
- Do not create inappropriate content.
- Do not misuse content to which you've been given access.
Your Space Administrator(s)
The Space Administrator is the person who granted you access to a particular space.
The Space Administrator can elaborate on the default permissions of the space they administer, and the default permissions that the child pages you may create will inherit.
To determine who the space administrator is for a given space, go to the Space Tools. After clicking into a space, select the cog in the lower left corner, and then select Overview.
Restricting Access to Pages
The basic limitations of which groups or users can see pages within a given space are set by the Space Administrator(s) for that space. Although it's not possible to allow more access to an individual page than to the space it's in, you can restrict the page beyond the space's restrictions. Specifically, you can limit viewing and/or editing privileges to a specified set of users and/or groups.
For more information about restricting a page in Confluence, please see the following Atlassian guide:
Page Restrictions in Confluence
Best Practices for page restrictions ensure that pages with sensitive content are limited to viewing and/or changing by specified individuals. Here are some guidelines for restricting pages in a Confluence space:
- Only users/groups that can access a space can be granted page restrictions.
- Page edit restrictions are not inherited by child pages.
- Page view restrictions are inherited by all child pages.
- Restrict viewing on pages that:
- Contain sensitive information, either within the page or in attachments.
- Contain information that could be used to make a service or system vulnerable to attacks.
- Restrict editing on pages that should only be changed by certain individuals.
- Note: Global Confluence Administrators can always view or edit any content in any Confluence space. The only global confluence administrators are the Information Services account administrators and application support.
Content That Should Be Protected or Not Stored in Confluence
Although precautions are taken to ensure Confluence is secure, it is still possible for the information in Confluence to be compromised, due to either an application bug or misinterpreted permissions. Ideally, for security and privacy, sensitive information should not be stored in Confluence, either within a page or as an attachment. If the data is needed in order to collaborate, access to that content should be heavily restricted to only the users that have a business need to know it, and then removed when it is no longer needed.
Such information includes:
- FERPA-protected information, including:
- Student names, addresses, and information
- Please treat these as FERPA-protected — even information that's considered "directory information" at UO. Any student can turn on a directory restriction at any time.
- Sensitive Personally Identifiable Information (PII), which may include:
- Social Security Numbers (SSNs)
- Personal Identification Numbers (PINs)
- UO ID numbers (95 numbers)
- User passwords, even for Test users
- Health Information (HIPAA data)
- Credit Card Information (PCI data)
- Usernames and passwords
- This includes for users or for non-person accounts.
- Alternatives include password manager applications such as KeePass and Password Safe.