Guide for Global and Space admins
- 1 Overview
- 1.1 Privileges of Global Admins
- 1.2 Best Practices & Tips for Global Admins
- 1.2.1 External Links Overview
- 1.2.2 Activity Tracking
- 1.2.3 Define Space Configurations
- 1.2.4 Permission Schemes
- 1.2.5 Access Controls
- 1.2.6 Customization capabilities
- 1.2.7 SSO Configuration
- 1.2.8 Other Security & Content Policy Management
- 1.2.8.1 Custom Content Security Policy
- 1.2.8.2 Origin Opener Policy
- 1.2.8.3 Origin Resource Policy
- 1.2.8.4 Origin Embedder Policy
- 1.2.8.5 SameSite Cookie Restriction
- 1.2.8.6 Fallback User for Inactive Shares
- 1.2.9 Mass delete
- 1.2.10 API
- 1.2.11 Review errors
- 1.3 Privileges of Space Admins
- 1.4 Best Practices & Tips for Space Admins
- 1.4.1 View links
- 1.4.2 Activity
- 1.4.3 Space Configuration
- 1.5 Additional Resources
Overview
As a global or space admin in External Share for Confluence, your role is to ensure secure, efficient, and well-governed sharing of Confluence content with external users.
This guide explains admin privileges, how to manage external share links and apply best practices.
It also highlights precautions that are often overlooked, with a focus on security, privacy, and compliance.
Privileges of Global Admins
Global Admins manage the app at the instance level. They define organization-wide rules, security policies, and integration settings that affect all spaces and users.
Privileges | Authority |
|---|---|
Instance-wide visibility across all spaces. | |
Access audit logs for all shares and actions. | |
Create and edit space configurations. | |
Enable or disable permission scheme and grant or revoke permissions. | |
Set IP restrictions. | |
Enhance share link security by configuring SSO. | |
|
|
Delete all links across all spaces. | |
Generate API keys and leverage External Share's functionalities through APIs. | |
Access error logs in Instance Errors tab. |
Best Practices & Tips for Global Admins
Global Admins can leverage system-wide features to streamline external sharing, enhance security, and maintain compliance.
External Links Overview
View all external share links across spaces: a global admin can see link information, including the number of times it has been opened, password, expiration date, link status, and options.
Search - filter them by space/page/link name, link status, last modifier, selected users, and shared page UUID. Also, the admin can customize columns.
Each external link can be viewed in detail by opening it and using the action button on the right(edit/send via mail/delete).
Perform bulk updates and bulk deletion
We provide functionality to export the list as CSV files. The exported CSV files include all relevant data columns and maintain the same order as displayed in the external share app.
Activity Tracking
As a global admin, you can monitor external share links activities,:
Filter them by space, page, source (page, comment, attachment), action type, user, or email.
Track who viewed, edited, or updated links and review user details.
If the external viewer is not registered, only an anonymous icon and IP address will appear.
If the viewer registers and creates an external account, the admin can view username, email address, and IP address.
External viewers can create an External Share account to manage links shared with them.
We provide functionality to export the Activity list as CSV files.
Define Space Configurations
Global Admins control how external share links are created by managing space configurations.
In “Editing Default Configuration” you can:
disable or enable all link options,
enforce security options - set a password or expiration date required or make all links have a custom expiration date,
restrict email addresses or domains for the selected user functionality.
Logic of restrictions
Global Admin settings override everything. If an option is disabled globally, space admins and users cannot enable the feature.
Start with control, then allow flexibility
Decide whether External Share should be enabled at all for associated spaces.Balance collaboration and security
Allowing comments, attachments, or editing can speed up teamwork with external collaborators, but think carefully about which features are safe to enable at the global level.Use security settings wisely
Enforce expiration dates, passwords, or SSO where data sensitivity is high. Optional settings can be left to space Admins, but required rules are useful for compliance or company-wide policies.Restrict by users or domains when possible
Limiting access to trusted email addresses or domains helps reduce the risk of accidental oversharing.Keep an eye on audit logs
Regularly review who has changed configurations and when. This is the simplest way to stay on top of potential risks.
For more details on configuration options, see: Global Space Configuration.
Check detailed explanation about each configuration options like Private attachments, Selected users.
Permission Schemes
Permission Schemes allow global admins to control which users can manage External Share operations.
When disabled, all users have access to External Share features on all pages.
When enabled, you can assign specific permissions to user groups for each operation.
Permission Schemes are useful when:
You want only space admins or selected groups to delete shares, while others can only create or view them.
You need to limit who can send shares by email to maintain control over communication with external users.
Read more here: Permission schemes
Access Controls
Global admins can restrict users who can access External Share links based on their IP address.
Customization capabilities
Global admins can customize various elements in External Share:
Custom Email: Replace the default email (
no-reply@external-share.com)Custom Domain: Replace the default domain (
confluence.external-share.com)Email Template: Personalize email templates sent to external users
Page Customization: Adjust external page appearance (colors, links, fonts, etc.)
Read a blog article about page customization - Fresh Look at Page Customization for External Share for Confluence
SSO Configuration
Global admins can set up single sign-on (SSO) to allow users to access multiple systems with one set of credentials. This provides:
Improved security
Time savings
Better user experience
Other Security & Content Policy Management
Global Admins can configure advanced content policies to ensure safe and compliant sharing.
Custom Content Security Policy
Add custom domains to be included in the CSP header.
Origin Opener Policy
Isolates your site’s browsing context from others.
Improves security (prevents access to window references or shared memory).
Enhances performance (enables high-performance features safely).
Origin Resource Policy
Controls which domains can load and use your resources (images, fonts, stylesheets).
Origin Embedder Policy
Defines how cross-origin content is embedded.
Helps prevent data leaks across iframes and mitigates Spectre-like vulnerabilities.
SameSite Cookie Restriction
Lax: Safer, cookies limited to same-site contexts.
None: Required when logging into password-protected External Shares within third-party frames.
Fallback User for Inactive Shares
Automatically assigns a designated fallback user when the original share owner becomes inactive.
Ensures uninterrupted access for external users.
Mass delete
Global admins can delete all external share links.
API
Global admins have ability to create API keys in global settings. Once API key is generated by global admin, any users with access to the API key can perform API operations. These actions include getting, listing, creating, updating and deleting shares.
Refer to our API documentation for more detailed API settings and endpoints explained with several functions.
Review errors
Global admins can view and filter errors in the Instance Errors tab.
Filter by: date range, type, level, message, or shared page UUID.
Details include error type with error message, error level, created date and time, log ID, share ID, Share UUID
Privileges of Space Admins
Space Admins have authority within their assigned spaces to manage external share links.
Here’s a summary table of space admins’ key capabilities:
Privileges | Authority |
|---|---|
View and access all shares created in their space. | |
Access audit logs for all shares and actions in their space. | |
Set Space Configurations, including the following sections:
|
Best Practices & Tips for Space Admins
Guidelines and recommendations to help space Admins manage external share links.
View links
Space admins can view all shared links that are created in that space.
View all shared links in the space.
See details such as number of times opened, password, expiration, link status, and options.
Search and filter by page, link name, status, modifier, selected users, or UUID.
Open links for details and use the action button (edit/send via mail/delete).
Perform bulk updates and deletions.
We provide functionality to export the list as CSV files. The exported CSV files include all relevant data columns and maintain the same order as displayed in the external share app.
Activity
As a space admin, you can monitor external page links activities.
Filter by page, source (page, comment, attachment), action type, user, or email.
Track who viewed, edited, or updated links and review user details.
If the external viewer is not registered, only an anonymous icon and IP address will appear.
If the viewer registers and creates an external account, the admin can view username, email address, and IP address.
External viewers can create an External Share account to manage links shared with them.
We provide functionality to export the Activity list as CSV files.
Space Configuration
Space Admins can fine-tune how External Share works within their space. While global admins set instance-wide rules, space admins adjust settings locally to match the needs of their teams.
Enable feedback, not full editing
Comments are great for gathering input by external collaborators, but allowing external editing on page content can cause confusion. Keep editing disabled unless absolutely required.Keep public links under control
Public links are useful, but risky. Use them sparingly, and prefer restricted access whenever possible.
Share what matters, not everything
Limit access to page history, status, or child pages to avoid exposing unnecessary content. Only share what external users truly need.Put guardrails on security
Set expiration dates and passwords as defaults. These two steps alone reduce the risk of long-term or unauthorized access.Restrict to the right people
Limit shares to trusted email addresses or domains if you regularly work with partners. This keeps out unwanted access.Stay alert with audits
Review who created or updated configurations and when.
Delete all shared links within the space if needed.
Logic of restrictions
Space Admin settings override user-level options. If a feature is disabled at the space level, users in that space cannot turn it on when creating a share link.
Similarly, options set at the global level cannot be overridden by space admins.
See detailed explanation about each configuration options like Private attachments, Selected Users
Additional Resources