Tools & Technologies

Preventing Privacy Breaches or Constraining Collaboration: The Internal / External Sharing Decision in IBM Connections Next


One of the most eagerly anticipated capabilities for the next version of IBM Connections – due to be released on May 21 – is integrated support for external collaboration. This means that non-employees (non-licensed users) of a firm can be given access to Connections and the content inside. There are clear visual indicators inside Connections when content is being shared outside the firm.

Here’s my concern: if IBM takes the same approach with the next version of Connections on-premise as they do currently with the SmartCloud edition, the external collaboration option is too constrained. You have choose at the point of community or content creation whether that community or content item will ever be sharable with external parties. Unless you choose the sharing option at the point of creation, it can never be opened to external parties. (You can choose sharing at the start and then revert to internal only, but not the other way around. And once you have reverted from external to internal, there’s no going back. It’s a one-way street.)

Here’s how it works in SmartCloud Connections:
– For a community, Open and Moderated communities can never be shared with external people. Only a Restricted community can be shared, and it must be designated as such from the point of creation. A restricted community by design is the most secure; it is invisible to anyone who has not been invited to join.
– When creating (using IBM Docs) or uploading a new document into Files, you must choose at the point of creation whether the document will ever be sharable with an external person. If you don’t tick the box to say it can be shared, you can never share it. The decision is irrevocable.
– When creating a new Activity, you have to say if the Activity can be shared with external people. Again, if you say “no” to external sharing when creating the Activity, it is irrevocable.

I think this design line is too hard, although perhaps the Connections team is taking the most conservative approach as a starting position, and will revise the design line once they have more experience with this feature in the market.

I would like to see:

1. The owner of a community or file (or other artifact) having the right to say if it could be shared externally, but not to have to make that decision at creation. It should be changeable over time, and not a one-time decision that has irrevocable implications.

2. The ability to transition from internal only to external sharing, and vice versa. I think Connections customers will want the ability to get a file, community, activity (or other thing) set up before inviting a customer to join, but be able to limit when customers can join.

3. A visual indicator saying that an external community or file is able to be shared with external users, and whether there are any external users at the moment or not.

4. Open and Moderated communities that are sharable with external people. This would allow an external customer to have access into communities beyond those they have been specifically invited to. An organization could set up a number of communities for external people, and not have to invite external people specifically to each one. However, having said that, there are data privacy and confidentiality issues with this, and perhaps even more so, licensing issues. If customers can see the content in Open and Moderated communities, then information that might be private and confidential could be discovered by search (although this would only apply to those communities that were shared, not every community). This would be bad. And if external customers could get into Open and Moderated communities, perhaps IBM would be giving away free licenses that it should be charging for. Maybe having these not able to be shared is the right decision, at least when there are only two classes of users: internally licensed and externally unlicensed.

5. If an Open or Moderated community could be shared with an external person – by ticking the checkbox to say it was sharable – then it is an opt-in data sharing model. Open and Moderated communities that are not shared with external people will not be viewable by external people; they will be hidden from external users, thus not raising any privacy and confidentiality issues.

What do you think? Is the hard design line too hard, or am I taking too hard a line on it? Do you have plans to use external communities in your work?

Categories: Tools & Technologies