Document Control DocumentationRevision: 2022-07-18
You can install Document Control for Confluence Cloud from the Atlassian Marketplace. Click the "Try it free" button to get started.
Once the add-on is installed, expand the Document Control for Confluence Cloud add-on in the Universal Plugin Manager and click "Configure".
The "Get started" page helps you with considering the configuration options.
The configuration page provides these settings:
Authentication requires users to authenticate using their Confluence login before signing a page. (If your intent is to comply with 21 CFR 11, you should enable this setting.) If your approval flow is lightweight, you can disable this setting and allow users to review/approve a document with a click.
Document Control supports authentication with a secret key provided by Atlassian (API Key) and through a 2FA (two-factor authentication) process using an authenticator app. Using an authenticator app requires a setup process by each user in order to connect the authenticator app with Document Control. Users can reset their 2FA setup using an Atlassian API Key. The confluence administrator can enable and disable the authentication methods separately.
21 CFR 11 requires the signer to authenticate for each signature. Bulk signatures, i.e. a single electronic signature for multiple documents, are not conformant. Document Control offers both two-factor authentication and authentication using a secret key. Please contact us if you need additional authentication methods.
The "require signatures to match pages" ensures that signatures match the page where they were applied to. Troubleshooting / Page copying describes the usage of this setting when moving data to a new Confluence instance.
Signature settings groups configuration settings related to signature meanings.
The Meanings settings allow the configuration of meanings associated with each signature added to a controlled document. You can customize the available Meaning options (the default options are based on the language of 21 CFR §11.50), or disable Meanings entirely. Optionally you can define up to ten custom signature meaning types.
Once you have configured the meanings, these meanings show up during the signing flow and allow a signer to indicate the signature meaning.
Notification: The Email notification setting will trigger automatic emails to reviewers whenever they are added to a page.
Restrictions: The restrictions settings allows to restrict editing, signing, and changing reviewers on a page. Restrictions will only be applied to a page after reviewers are updated.
Document Control can only adjust the restrictions if the user "Electronic Signing for Confluence Cloud" has the permissions to add/delete restrictions in the space. If the user "Electronic Signing for Confluence Cloud" does not have these permissions, the setting has no effect.
Timestamp display: You can choose to display signature timestamps in either the ISO 8601 format (e.g. 2021-04-26T10:15:41Z), or in a US date format. The US format shows the abbreviated month and full weekday (e.g. Monday, Apr 26, 2021, 06:15 AM EDT). This display format prevents possible confusion about dates like 03/04/2021 in international settings.
The timezone for display of the timestamp can be set to either UTC or an IANA Time Zone Database listed time zone.
These settings are described at Automation and webhook events.
A controlled document can be a page in a space. When you create a new controlled document in a restricted space or document, make sure the user "Electronic Signing for Confluence Cloud" has permissions on the new page. If you are creating a new page from scratch, the best practice is to choose the "Controlled document" template from the Create dialog:
This template sets up the page with everything needed for use with the Document Control add-on.
If you want to use a different template, or if you want to take an existing page and convert it to a controlled document, it's a simple two-step process:
1. Add the "Document Control" macro somewhere in the body of the page (typically at the bottom):
2. Add the "controlled-document" label to the page:
There are two ways to add reviewers to a page:
1. Click the Document Control byline on the page (the link under the page title)
2. From the page menu (the three-dot icon with links to Move, Copy, Delete, etc.), click "Manage Reviewers".
Once the "Manage Reviewers" dialog is open, you can add a reviewer to a page by searching by name.
You can also use this dialog to remove a reviewer by clicking the small "x" next to each reviewer's name.
If you have the Email notification setting enabled, the new reviewer will receive an email inviting them to review the page:
The page's document control status will change to Needs Review until all reviewers have added a signature to the page.
From the page menu, click "Add Signature":
Fill out the form and click Submit to sign the page.
If the Authentication setting is enabled, the user is required to authenticate with Document Control with one of the following methods:
API key: When using API key authentication, a user needs to generate a secure token once by using the Atlassian provided secure token management page at the Atlassian API token page. The token is unique to each user, and can be revoked on demand. If the email and the secure token do not match, an error message is shown under the email and token fields to indicate a problem:
The email for the signature must be the email address used for Confluence login. You can find your login email at your Atlassian profile page.
2FA: For 2FA authentication, a user needs to install and pair an authenticator app. Compatible apps are:
The 2FA codes are unique to each user, and can be revoked on demand using a user-specific API token. When signing, the signature dialog ask you to enter a 6 digit code called 2FA token. This token is generated by your authenticator app. The token is refreshed regularly. If the token does not match, an error message is shown to indicate a problem:
All pages set up for document control will have one of three statuses:
The document control status is reflected in the byline (the link under the page title) of each page. It's also reflected in the Document Control macro. For example, in the following screenshot, Jason Wright and Lucille Bluth have been assigned as reviewers, but only Lucille Bluth has signed:
Once Jason Wright signs the page, the page looks like this:
If the page is edited, all reviewers will need to sign the page again to maintain the "Reviewed" status; see Page versioning for more details.
To see the document control status of all pages in a space at a glance, you can use the "Space View" setting of the Document Control macro. Typically, you might want to add the macro to the top-level page in a space. To do this, start editing a page. Then choose from the menu "+" and "View more" to insert the Document Control macro. Choose the "Space View" setting:
You can use the shortcut "/dccc" to insert the Document Control macro. Below you can see an example of the macro with "Space View" setting.
You can access the Document Control general page directly from the top menu. This page provides links to the documentation and signature authentication setup if enabled.
Document Control can add a label to a document if the review status changes. On the configuration page, you need to check the option "Use a label as a flag when document state changes."
When Document Control detects a change in the document review status, it will add a label to the document. The label acts like a flag. The default label is "dc-review-change". Adding a label generates a webhook event if you have set up a webhook listener. For example, ScriptRunner by Adaptavist lets you listen to such events and run automatic actions in response to such an event.
Once you have received the webhook event, you should remove the label from the document with your automation tool. If the label is not removed, subsequent changes to the document review state will not add a new label.
Once you have received a webhook event, you can check the document review status and run an automation with e.g. ScriptRunner. The document review status can be queried by checking the content property "dccc-byline" of the document. The value of the content property contains the property "documentStatus" with these possible values:
"not-reviewed" A document is in this state if no reviewers are added to the document."needs-review" If a document has reviewers, and not all reviewers have signed, a document is in this state."reviewed" Once all reviewers have signed, a document is in the "reviewed" state."dccc-byline" returns a JSON object containing:
{
...
"documentStatus": {
"value": "not-reviewed"
},
...
}
In addition to listening to webhook events, you can check for the presence of the label "dc-review-change" on a regular schedule with e.g. a cron expression.
After adding a reviewer or a signature to a document, Document Control updates the content property "dccc-state". This content property encodes the current document state. You can read this property and get information on reviewers, signatures, and document state. You should not modify this content property, as Document Control will rewrite the content property regularly.
Querying the content property "dccc-state" returns a JSON object. The example JSON object below contains comments (after //) explaining the field just before the comment. If you write code using the Document Control State, please check the field "stateFormatVersion". If this version is incremented, the format has changed.
{
...
"value": {
"example": false,
"stateFormatVersion": 2,
"status": {
"name": {
"value": "Reviewed"
},
"documentStatus": {
"value": "reviewed"
}
},
"documentVersion": 7, // The Confluence assigned document version.
"documentDt": "2021-06-28T14:26:03.593Z", // The timestamp of the last document edit.
"documentId": "123456789", // The Confluence Id of the document.
"lastMeaning": "Review", // The meaning of the last signature (if a meaning was given).
"lastSigDt": "2021-06-28T14:26:22.700Z", // The timestamp of the last signature.
"reviewersVersion": 5, // The version of the reviewers.
"signaturesVersion": 2, // The version of the signatures.
"signatures": [ // A list of signatures applied to the document in reverse chronological order.
{
"most_recent": true, // A property which is "true" if the signature was applied to the most recent document version.
"version_known": true,
"documentVersion": 7, // The document version the signature was applied to.
"accountId": "XXXXXXXXXXXXXX", // The identifier of the user who signed.
"timestamp": "2021-06-28T14:26:22.700Z", // The timestamp of the signature.
"comment": "signature comment", // Signature comment, if present.
"signature_version": 2,
"meaning": "Review", // The meaning of the signature (if a meaning was given).
"name": "Jane Example", // The name of the signer.
"documentId": "123456789", // The Confluence Id of the document to which the signature was applied.
"documentDt": "2021-06-28T14:26:03.593Z" // The timestamp of the last document edit.
},
{ // Another signature, it was applied to a previous document version.
"most_recent": false,
"version_known": true,
"documentVersion": 6,
"accountId": "XXXXXXXXXXXXXX",
"timestamp": "2021-06-28T13:23:43.983Z",
"comment": "old signature",
"signature_version": 2,
"meaning": "Other",
"name": "John Example"
}
],
"reviewers": [ // List of reviewers for the current document.
{
"accountId": "XXXXXXXXXXXXXX", // The identifier of the reviewer.
"name": "Jane Example", // The name of the reviewer.
"pic": "https://XXXX.atlassian.net/wiki/aa-avatar/XXXXXXXXXXXXXX", // Link to the avatar image of the reviewer.
"signed": true, // "true" if the reviewer signed the last document version, "false" if not.
"reviewerFormatVersion": 2
}
]
}
...
The "status" field describes the current document status as described above about the "dccc-byline" field.
The "signatures" list contains the most recent signatures with a limit of up to 50 signatures. The "reviewers" list contains the current document reviewers. If no signatures or reviewers are present, these lists will be empty.
The Document Control State content property is available from 2021-07-01. Documents produced before this date will not have a "dccc-state" content property. If a signature and/or reviewer is added to an older document, the "dccc-state" will be added with the information available. Documents produced before 2021-07-01 might not contain all information documented above. The content property might contain additional fields not documented here.
If you have view/edit restrictions enforced either on a space or a page and wish to use the Document Control add-on, you'll need to ensure that the add-on user has both view and edit privileges (the add-on user is "Electronic Signing for Confluence Cloud"). For example, click "Restrictions" from the page menu:
Add the "Electronic Signing for Confluence Cloud" user:
The Document Control add-on uses Confluence's built-in versioning system to ensure that signatures are linked to a specific version of a page. For example, if a page has been signed by all reviewers, but is then edited, the Document Control macro will show that those signatures were for previous versions of the page:
You can click the link in the macro to see the full version history of the page:
Note: Restoring a page to a previous version does not resolve the need to re-sign the page. This is because Confluence actually creates a new version that duplicates the restored version.
As an option you can restrict signature visibility to show only signatures for the current document version. In order to apply this setting you need to edit the document (and thus create a new document version in this process). To change the setting you need to edit the Document Control Macro and check the checkbox "Show signatures applied to the most recent document version only."
After checking the checkbox, only the most recent signatures are visible:
If you later to decide to unchecked the checkbox, the earlier signatures will be visible again. Please note that this change also creates a new document version.
The Document Control add-on stores information in each page's content properties. This is essentially a form of metadata stored in the page without being directly visible in the page's body.
The way Confluence handles content properties:
As a result, copies of controlled documents will not preserve signatures or reviewers. You should make sure to keep the original page intact and move it around your Confluence instance instead of making copies.
If you move a space containing signatures to another Confluence instance, it is necessary to disable the setting "require signatures to match pages", because the move to another Confluence instance automatically results in changes to the pages and content properties. You should add a new signature to each page, e.g. with a custom meaning of "document/space import approved", and then enable the setting again.
If you use SAML single sign-on to authenticate with Confluence, it's highly likely that the Authentication setting will not work. Your users need to have an Atlassian account and password for the add-on's authentication process to work.
The Document Control add-on helps with review and 21 CFR 11 compliant document signing on Confluence Cloud, including the ability to ensure that all signatures are authenticated at the time of signature. All transactions with Confluence Cloud are secured using Atlassian Connect Express / JWT. Data transport is secured using TLS (Transport Layer Security).
The add-on server stores your configuration settings. It does not store any data from your Confluence instance, including users, pages, reviewers, signatures, or anything else. All of the data generated by the add-on is stored in your Confluence instance, not the add-on server. As a user of Document Control, it is your responsibility to keep Confluence backups. These backups will allow you to restore lost documents and signatures. As we do not store your Confluence data, we do not have backups of those and can't restore lost documents and/or signatures.
If you opt in to secondary authentication (2FA), Document Control stores an identifier and cryptographic information to secure the secondary authentication process. By not opting in to secondary authentication, no secondary authentication data will be processed or stored.
The add-on is not certified by any authority. 21 CFR 11 compliance is a complex process, and this add-on is merely a small part. Full compliance will depend on Confluence settings, user management, and other operational processes.
The add-on server, which stores your configuration settings, is automatically backed up by Heroku. In addition we keep offsite backups for disaster recovery. These backups do not contain your data from your Confluence instance.
All transactions are secured using HTTPS/JWT. Because no personal data is stored, there is no long-term privacy risk to using this add-on.
The add-on will request email addresses for your users if and only if you enable the "Send email notification to new reviewers" option in the add-on configuration. Email addresses are only used to send one-time notifications to those users who are added as reviewers for a page. Email address are not stored in the add-on, shared, or used for any other purpose.
Secondary authentication (2FA) is based on TOTP.
We keep logs in order to audit for possible security incidents and other errors.
| Component | Description |
|---|---|
| Confluence Cloud ("Confluence") | See Atlassian documentation. |
| Document Control for Confluence Cloud ("Add-on") | A Confluence add-on providing a technical solution for document review and electronic signing. |
| Requirement | Topic | Confluence | Add-on | Organization |
|---|---|---|---|---|
| §11.10(a) | Validation of systems | The organization is responsible for validating their Confluence installation and the add-on. | ||
| §11.10(b) | Record generation | Confluence has the ability to export documents in PDF or Word format. | The add-on's macros will appear in exported records. | The organization is responsible for keeping an immutable record (for example using a document management system). |
| §11.10(c) | Protection of records | Confluence provides the ability to backup or transfer pages. | The add-on stores all data within Confluence pages. | The organization is responsible for archiving, long term storage, and backups. Pages in Confluence can be modified and deleted, and Confluence is not an archival system. |
| §11.10(d) | Limiting system access | Confluence provides the ability to manage users and groups, and to restrict privileges to particular users or content. | The organization is responsible for managing access. | |
| §11.10(e) | Audit trails | Confluence keeps changes in a timestamped, secure audit log. When a page is modified, the old version of the page is preserved in the audit log. | The add-on links signatures to particular versions of a page, which will be reflected in the audit log. Signatures for older versions are preserved and visible via the Document Control macro. | |
| §11.10(f) | Sequencing | The add-on ensures all steps happen in the proper order. | ||
| §11.10(g) | Authority checks | See Confluence Cloud data security policies. | The add-on is only available to authenticated Confluence users, and can be configured to require additional authentication at time of signing. | |
| §11.10(h) | Validity | The organization should ensure this for all devices that use Confluence/the add-on. | ||
| §11.10(i) | Education and training | The organization should ensure that all users are properly educated, trained, and experienced. | ||
| §11.10(j) | Written policies | The organization should write and distribute policies related to electronic signatures. | ||
| §11.10(k) | Controls documentation | The organization is responsible for maintaining controls documentation. | ||
| §11.50(a) | Signature manifestations | The add-on ensures that signatures include the printed name of the signer and the data and time when the signature was executed. The add-on can be configured to include a signature meaning. | ||
| §11.50(b) | Signature records | The add-on ensures signature manifestations are part of the electronic record by storing them within the Confluence page. | The organization is responsible for keeping an immutable record (for example using a document management system). | |
| §11.70 | Signature/record linking | The add-on does not move signatures between records, and copied records do not retain electronic signatures. See Page copying for more detail. |
| Requirement | Summary | Confluence | Add-on | Organization |
|---|---|---|---|---|
| §11.100(a) | Uniqueness | The add-on ensures electronic signatures are unique to one Confluence account. | The organization should ensure that Confluence accounts are unique to one individual, and that Confluence accounts shall not be resued by, or reassigned to, anyone else. | |
| §11.100(b) | Identify verification | The organization should verify the identity of individuals before assigning a Confluence account. | ||
| §11.100(c) | Agency certification | The organization should certify their use of electronic signatures in writing as per §11.100(c), and persons within the organization should provide any additional certification or testimony as required. | ||
| §11.200(a)(1) | Identification components | The add-on can be configured to require users to provide their email address (i.e. identification code) and a secure token before signing. | The organization should enable authentication for all signatures in the add-on's configuration. | |
| §11.200(a)(1)(i) | Single session | The add-on can be configured to require authentication for all signatures. | The organization should enable authentication for all signatures in the add-on's configuration. | |
| §11.200(a)(1)(ii) | Multiple sessions | The add-on can be configured to require authentication for all signatures. | The organization should enable authentication for all signatures in the add-on's configuration. | |
| §11.200(a)(2) | Genuine owners | The add-on can be configured to require authentication for all signatures. | The organization should ensure authentication information for Confluence accounts is only known, or can only be used, by the account's genuine owners. | |
| §11.200(a)(3) | Unauthorized attempts | The organization should take steps to ensure that use of an individual's Confluence account by anyone other than its genuine owner requires collaboration of two or more individuals. | ||
| §11.300 | Controls for identification codes/passwords | The organization is responsible for maintaining controls for Confluence authentication information. |