How Amazon Q Business connector crawls Confluence (Cloud) ACLs - Amazon Q Business

How Amazon Q Business connector crawls Confluence (Cloud) ACLs

Connectors support crawl ACL and identity information where applicable based on the data source. If you index documents without ACLs, all documents are considered public. Indexing documents with ACLs ensures data security.

Amazon Q Business supports crawling ACLs for document security by default. Turning off ACLs and identity crawling are no longer supported. In preparation for connecting Amazon Q Business applications to IAM Identity Center, enable ACL indexing and identity crawling for secure querying and re-sync your connector. Once you turn ACL and identity crawling on you won't be able to turn them off.

If you want to index documents without ACLs, ensure that the documents are marked as public in your data source.

When you connect an Confluence (Cloud) data source to Amazon Q Business, Amazon Q crawls ACL information attached to a document (user and group information) from your Confluence (Cloud) instance. If you choose to activate ACL crawling, the information can be used to filter chat responses to your end user's document access level.

You configure user and group access to spaces using the space permissions page. For pages and blogs, you use the restrictions page. For more information about space permissions, see Space Permissions Overview on the Confluence Support website. For more information about page and blog restrictions, see Page Restrictions on the Confluence Support website.

The group and user IDs are mapped as follows:

  • _group_ids – Group names are present on spaces, pages, and blogs where there are restrictions. They're mapped from the name of the group in Confluence. Group names are always lower case.

  • _user_id – User names are present on the space, page, or blog where there are restrictions. They're mapped depending on the type of Confluence instance that you are using.

  • For Confluence Cloud – The _user_id is the account ID of the user.


For user context filtering to work correctly for your Confluence connector, you need to make sure that the visibility of a user granted access to a Confluence page is set to Anyone. For more information, see Set your email visibility in Atlassian Developer Documentation.

For more information, see: