When you use the Space Privacy app, user visibility in Confluence depends on several factors.

These factors are:

  • Context (global or extranet space);
  • Space Privacy settings (visibility configuration);
  • Extranet space assignment (is an extranet user or not);
  • Extranet role (extranet user or extranet manager);
  • Internal User (member of an internal group);
  • The action you want to perform (search, mention, etc.).

What are internal groups?

Members of internal groups can always see each other, regardless of their assignment to extranet spaces.

For example, you can define internal groups, so that your own employees can continue to work together as usual - even in extranet spaces.

Internal groups are excluded from filters by Space Privacy. To achieve this, you will need to define Confluence groups in the Visibility configuration tab.

How do I define internal groups?

Navigate to Confluence Administration → Space Privacy → Configuration → Visibility.

In the Define internal groups section, enter the internal groups' names.

The configured groups must exist in your Confluence instance.


Internal group members can see each other, but they can only mention each other in an Extranet space if they are part of that Extranet space.

The visibility is dependent on two different contexts:

  • Global context: people directory, search, ...
  • Space context: mentions, restrictions, ...

This means that even if two people can see each other in the global context, they cannot necessarily see each other in the space context.

If you are facing visibility issues in the Extranet, check whether the people concerned are assigned to the Extranet space(s) in question.

Internal groups mode


After configuring internal groups, you can set the internal groups mode. This option is new in Space Privacy 3.0.

Members can see all users and groups without restrictions.

With this setting, the internal group members can use Confluence with minimum restrictions (as if Space Privacy is not installed).

We recommend this setting when you use an instance both as your Intranet and Extranet.

Members can see each other and any user or any group with whom they share an extranet space...

This was the behavior before the internal groups mode was introduced (before Space Privacy 3.0). Only internal group members who are also Extranet User Managers can use the Confluence functionality.


This option still comes with some restrictions.

Firstly, extended restrictions still apply to users defined by this internal groups option.
For example: User A can see every other member of the internal group and any users with whom they share an extranet space. However, as long as User A is not a user/space manager, they could still be blocked from viewing certain URLs.

Secondly, these users are not immune to custom filters.
Even though User A is part of the internal group, depending on the filters, they might not show up in a custom filter or the filtered people directory.

Please note that Space Privacy and internal groups affect other Linchpin functions.

If internal groups are used, only members of those groups have access to such functions (e.g. Org Charts).

Who are extranet users allowed to see?

Scroll down to the Extranet users are only allowed to see users... section.

Here you can choose whether users that are not assigned to an extranet space should be visible to all extranet users or not.

Only users with whom they share at least one extranet space.

This option limits extranet users. Extranet users will only be able to see other users who are also assigned to one of their spaces.

We recommend this option for most extranet configurations.

Only users with whom they share at least one extranet space and all users who are not assigned to any extranet space.

This option allows extranet users to see users who are assigned to the same space and, additionally, all users who are not assigned to any extranet space at all.

You should select this option to allow all external extranet users to see all of your internal users.
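The difference between the two options can be checked against a user list before changing the setting. The following is an added example, not code from Space Privacy: a simplified model of the global context only, which ignores internal groups and custom filters. The option labels, user names and space keys are constructed for illustration.

```python
# Simplified model of the two "Extranet users are only allowed to see users..."
# options (global context only). Not Space Privacy code; all names are constructed.
SHARED_ONLY = "shared_only"                        # hypothetical label, option 1
SHARED_PLUS_UNASSIGNED = "shared_plus_unassigned"  # hypothetical label, option 2

# Constructed sample directory: user -> extranet spaces the user is assigned to.
ASSIGNMENTS = {
    "alice": set(),               # internal employee, no extranet space
    "bob":   {"CUSTA"},           # internal employee working with customer A
    "carol": {"CUSTA"},           # external user of customer A
    "dave":  {"CUSTB"},           # external user of customer B
    "erin":  {"CUSTA", "CUSTB"},  # internal employee assigned to both spaces
}

def visible_users(viewer, option, assignments=ASSIGNMENTS):
    """Return the users that extranet user `viewer` can see under `option`."""
    own = assignments[viewer]
    if not own:
        raise ValueError(f"{viewer} is not assigned to any extranet space")
    seen = set()
    for user, spaces in assignments.items():
        if user == viewer:
            continue
        shares_space = bool(own & spaces)  # at least one common extranet space
        unassigned = not spaces            # assigned to no extranet space at all
        if shares_space or (option == SHARED_PLUS_UNASSIGNED and unassigned):
            seen.add(user)
    return seen

def added_exposure(viewer, assignments=ASSIGNMENTS):
    """Return the users who become visible to `viewer` only under option 2."""
    return (visible_users(viewer, SHARED_PLUS_UNASSIGNED, assignments)
            - visible_users(viewer, SHARED_ONLY, assignments))

if __name__ == "__main__":
    for viewer in ("carol", "dave"):
        print(viewer, "option 1:", sorted(visible_users(viewer, SHARED_ONLY)))
        print(viewer, "option 2:", sorted(visible_users(viewer, SHARED_PLUS_UNASSIGNED)))
        print(viewer, "added by option 2:", sorted(added_exposure(viewer)))
```

In this model, bob stays hidden from dave under both options because bob is assigned to an extranet space that dave does not share, while alice becomes visible to every extranet user as soon as the second option is selected.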

Which users are extranet user managers allowed to assign?

You can choose whether or not extranet user administrators can assign all users from the system to an extranet space. This option is relevant when you want to allow external users to manage their own extranet spaces.

All users that exist in the system.

Select this option to allow extranet user administrators to assign all users that exist in your system to an extranet space.

We recommend this setting when extranet spaces are managed by internal employees.

Only users with whom they share at least one extranet space.

Extranet user managers can only assign users with whom they share at least one space to their space.

We recommend this setting when extranet spaces are managed by external users who are assigned the extranet user manager role.

Recommended configuration

Every use case may need an individual configuration, but we still have a "best practice" we would like to share with you.

We recommend always using internal groups!

A group like "non-extranet-users" does not exist in Space Privacy. Space Privacy only differentiates between users in extranet spaces and "internal users". For the best user experience for internal employees, always choose Members can see all users and groups without restrictions as the internal groups mode.

Every user who is not assigned to an extranet space will be handled like an internal user by Space Privacy. And every user who is not assigned to an internal group may lose all visibility, even if they actually are an internal colleague.

That's why you should always use internal groups to actually mark the internal users and make sure that they can see each other!

Furthermore, in combination with this setting, you should also restrict all visibility. That is how you ensure the greatest safety within your system.

This page was last edited on 01/19/2024.