GDPR (DSGVO) and Security for Confluence
GDPR (DSGVO) Suite, user anonymizer, information announcement, automation with Data Rules and much more
Cloud version in development. For full functionality try Server or Data Center version.
Introduction to GDPR (DSGVO)
The GDPR seems very complicated, but basically it is very simple. In the EU, every citizen has the right to his or her full personal data at any time. He or she has to be informed when personal data is involved and what exactly it is used for, and has the right to request erasure of the data (it has to be removed completely). Most importantly, he or she can always make a request to the company and has the right to be told, clearly and in writing, where the data is currently involved. It is the responsibility of the company to ensure this.
Read this first to understand GDPR
There are three ways your company can be affected by GDPR law.
- An employee leaves the company and wants to sue it; he finds a good lawyer, and they discuss GDPR with regard to the company.
- There are plenty of lawyers already looking for an opportunity to sue a company to make money, so they send a warning letter to get money.
- A client can contact the company with a request for information relating to his personal data.
User Anonymizer
Sometimes you will have to anonymize the content of a specific user, perhaps because he is leaving the company. We built our tool not only to make this possible; we also implemented some other options for specific use cases.
Use the available options to anonymize the user according to your specification.
For more powerful use of the User Anonymizer, there is a special option named "Trigger anonymizing user event" that lets you start your own custom anonymization functions by listening to this event. Learn more about how to do this in the next article, Handle UserAnonymizationEvent.
Information Announcing
This feature is used to show your privacy policy or terms of use to the user and let the user accept them.
Everyone who uses Confluence leaves some of his or her own personal data within the system.
According to the law, he or she has to be informed about what the data is used for and has the right to agree or disagree with that agreement.
For that case, we built an automatic Information Announcing system.
So you don't have to keep in mind which of your Confluence users have already agreed and which have not.
Also, every new user first has to read the Information Announcing before using Confluence.
With our system, you fulfill the law completely and can prove this at any time if you must show it to a government authority.
Click on the Information announcement
Create your announcement.
You have the following options:
Enabled: click here to enable the announcement
Name: enter the name of the announcement
Type: choose between Optional and required
Title: enter the title of the announcement
Main Text: enter your main text here
Data Level Agreement
A GDPR agreement has to be based on reforming your data management practices and data architecture, and on defining your technology stack or making use of processors that can help you comply with the various touch points of the regulation. In short, this is a very powerful tool for automating the deletion process.
Rule Name: enter the name of the rule
Cron expression: enter the schedule on which the rule should run
For example:
"0 0 1 * * ?" - every day at 1 AM
"0 0 12 */7 * ?" - every 7 days at noon
"0 0 12 1 * ?" - every month on the 1st, at noon
CQL: advanced searching using CQL
Examples:
- siteSearch ~ "identity Document"
- space = HR AND label = cv AND created < now("-4W")
For more information, see https://developer.atlassian.com/server/confluence/advanced-searching-using-cql/
Action: you can choose between
- send a notification via Email
- add a comment to the page/s
- delete page
- set page restrictions; here you have to select a group to which the rule applies
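Because a rule's action can delete pages or change restrictions, it helps to check when a cron expression will actually fire before saving the rule. The following Python sketch is an added example, not code from the app; it assumes the six-field Quartz-style layout that the examples above appear to use (seconds, minutes, hours, day of month, month, day of week) and only handles "?" in the last field.

```python
from datetime import datetime, timedelta

# Assumed field order (Quartz style, as the page's examples suggest):
# seconds, minutes, hours, day-of-month, month, day-of-week
RANGES = [(0, 59), (0, 59), (0, 23), (1, 31), (1, 12)]

def expand(field, lo, hi):
    """Expand '*', '?', 'n', 'a-b', 'a,b', '*/n' or 'a/n' into a set of ints."""
    values = set()
    for part in field.split(","):
        base, _, step = part.partition("/")
        if base in ("*", "?"):
            start, end = lo, hi
        elif "-" in base:
            start, end = (int(x) for x in base.split("-", 1))
        else:
            start = int(base)  # ValueError on a fused field such as '1*'
            end = hi if step else start
        if not lo <= start <= end <= hi:
            raise ValueError(f"{part!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, int(step or 1)))
    return values

def parse(expr):
    fields = expr.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {expr!r}")
    if fields[5] != "?":
        raise ValueError("this sketch only handles '?' for day-of-week")
    return [expand(f, lo, hi) for f, (lo, hi) in zip(fields, RANGES)]

def next_runs(expr, after, count=4):
    """First `count` fire times strictly after `after` (naive datetimes)."""
    secs, mins, hours, days, months = parse(expr)
    day = after.replace(hour=0, minute=0, second=0, microsecond=0)
    runs = []
    while len(runs) < count and day.year <= after.year + 4:
        if day.day in days and day.month in months:
            runs += [t for h in sorted(hours) for m in sorted(mins)
                     for s in sorted(secs)
                     if (t := day.replace(hour=h, minute=m, second=s)) > after]
        day += timedelta(days=1)
    return runs[:count]

def gaps_in_days(runs):
    return [(b - a).days for a, b in zip(runs, runs[1:])]

if __name__ == "__main__":
    runs = next_runs("0 0 12 */7 * ?", datetime(2024, 1, 20))
    print([r.isoformat() for r in runs], gaps_in_days(runs))
```

Starting from 20 January 2024, "0 0 12 */7 * ?" fires on 22 and 29 January and then on 1 February, because a day-of-month step restarts at the 1st of each month. An expression with a missing space between fields is rejected instead of being scheduled.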
Access Statistics
Overview
Track and store all "Page View" events for any user (including anonymous).
Provide the ability to filter access statistics by space or by page in a space (who has accessed the page and when).
Provide the ability to filter access statistics by user (which pages the user has seen and when).
Store statistics for a configurable period (3 months by default).
This feature can be activated and deactivated by the Confluence system administrators.
You can select a filter for the results of the permission monitoring. You can choose from User, Space, Page, Date from/to and Sorting by.
Then click on the blue "Filter" button to see the results.
Configuration
Configuration is available on the "GDPR and Security for Confluence settings" page.
The following options are available:
The 'Enable Issue access statistics tracking' checkbox allows the user to turn this feature on or off. Data is no longer logged after the checkbox is unchecked. All previously collected data is kept.
'Purge Issue access log after X day(s)' allows the user to set the period after which the data is cleaned up.
Use cases
Filter access statistics by space or page in space
If you want to filter access statistics by space or by page in a space (who has accessed the page and when), select a value for the 'Space' column and then, if needed, for the 'Page' column.
The 'User' column becomes unavailable.
The filter results are shown in a table. The columns are date, space, page, user, IP address and access type (from the browser or REST API). The app differentiates between a browser call, made by any browser, and a REST call, made for example by a third-party application.
Filter access statistics by user
If you want to filter access statistics by user (which pages the user has seen and when), enter a value for the 'User' column.
The 'Space' and 'Page' columns become unavailable.
Download CSV file
You can also download the output as a CSV file. To do this, click the 'Export CSV' button and a .csv file will be downloaded to your computer.
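The exported CSV can be reviewed offline, for example to spot one account reading many distinct pages over the REST API in a short time. This Python sketch is an added example, not part of the app; the header names, timestamp format, the BROWSER/REST values and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Header names, timestamp format and the BROWSER/REST
# values are assumptions; adjust them to the real 'Export CSV' output.
SAMPLE = """date,space,page,user,ip,type
2024-03-04 09:00:05,HR,Onboarding,alice,10.0.0.12,BROWSER
2024-03-04 09:01:00,HR,CV Archive 2021,svc-report,10.0.5.40,REST
2024-03-04 09:01:02,HR,CV Archive 2022,svc-report,10.0.5.40,REST
2024-03-04 09:01:03,HR,CV Archive 2023,svc-report,10.0.5.40,REST
2024-03-04 09:01:04,HR,CV Archive 2023,svc-report,10.0.5.40,REST
2024-03-04 09:30:00,DOC,Release Notes,bob,10.0.0.31,REST
2024-03-04 10:45:00,DOC,Admin Guide,bob,10.0.0.31,REST
2024-03-04 11:50:00,DOC,User Guide,bob,10.0.0.31,REST
"""

def load(text):
    """Parse the export and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["date"] = datetime.strptime(row["date"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda row: row["date"])

def bulk_rest_readers(rows, min_pages=3, window=timedelta(minutes=5)):
    """Map (user, ip) -> most distinct pages read over REST in any window,
    keeping only clients that reach min_pages."""
    by_client = defaultdict(list)
    for row in rows:
        if row["type"] == "REST":
            by_client[(row["user"], row["ip"])].append(row)
    flagged = {}
    for client, events in by_client.items():
        start = best = 0
        for end, event in enumerate(events):
            # Slide the window start forward until it spans <= `window`.
            while event["date"] - events[start]["date"] > window:
                start += 1
            pages = {(e["space"], e["page"]) for e in events[start:end + 1]}
            best = max(best, len(pages))
        if best >= min_pages:
            flagged[client] = best
    return flagged

if __name__ == "__main__":
    for (user, ip), pages in bulk_rest_readers(load(SAMPLE)).items():
        print(f"{user} from {ip}: {pages} distinct pages over REST in 5 min")
```

In the constructed sample only svc-report is flagged: bob also reads three pages over REST, but spread over more than two hours.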
View Permissions
We built different GDPR tools to help the system administrator. In many organizations, multiple projects have the same requirements regarding access rights. Our View Permissions feature saves you from having to look up permissions individually for every project or user across the entire Confluence instance. Once a user has view access permission to a project, you will see it in this tool.
There are several ways to verify whether someone has a certain permission, but the easiest and fastest way to find out whether a user has access to a project is the View Permission tool.
You can filter by User or by Space.
Type in the User or the Space whose permissions you need to see.
Permission Monitoring
This tool provides the ability to get all necessary permission information for change events, for example user creation, user profile changes, a user being added to a specific Space role, a user being deleted from Space roles, etc.
You can select a filter for the results of the permission monitoring. You can choose from User, Users in Group, Space, Event type, Date from/to and Sorting by.
Profile Visibility
Suppose your company provides user guides and admin guides for different clients. Some users have access to space A, some to space B, and you don't want users to see each other's profiles.
A user profile contains the full name, email and some user activity information (phone and location are optional), and you want to isolate the users of client A from the users of client B within one Confluence instance.
This case calls for custom profile visibility rules.
With this function, any user is able to hide his profile from everyone.
Known Issues
1. Information Announcing. While creating or editing an announcement, there might be an error message in browser console similar to the image below: