Skip to content

Document v11.8.0 membership policies, recommended channels, leave confirmation, and policy simulation #9036

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Combs7th wants to merge 3 commits into
base: v11.8-documentation
Choose a base branch
from
Open

Document v11.8.0 membership policies, recommended channels, leave confirmation, and policy simulation #9036

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ea7ca0d
Remove CJK search feature flag mention now that it defaults to true (…
lieut-data Jun 12, 2026
d6d3dd0
Document v11.8.0 membership policies, recommended channels, leave con…
github-actions[bot] Jun 13, 2026
620c38c
Removing uninteded commits
Combs7th Jun 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion source/administration-guide/configure/enabling-chinese-japanese-korean-search.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,8 @@ Chinese, Japanese and Korean search

.. attention::

Starting on Mattermost v11.5, searching for Chinese, Japanese or Korean (CJK) characters can be enabled with the `feature flag <https://developers.mattermost.com/contribute/more-info/server/feature-flags/#changing-feature-flag-values>`_ ``MM_FEATUREFLAGS_CJKSEARCH``.
Starting in Mattermost v11.9, CJK post search is enabled by default on PostgreSQL.
In Mattermost v11.5 through v11.8, enable the `feature flag <https://developers.mattermost.com/contribute/more-info/server/feature-flags/#changing-feature-flag-values>`_ ``MM_FEATUREFLAGS_CJKSEARCH``.

The general recommendation of `using either Elasticsearch or Opensearch once the server reaches 2.5 million posts <https://docs.mattermost.com/administration-guide/scale/enterprise-search.html#do-i-need-to-use-elasticsearch-or-aws-opensearch>`_ still applies.

Expand Down
32 changes: 31 additions & 1 deletion source/administration-guide/manage/admin/abac-channel-access-rules.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ Prerequisites

- :doc:`Attribute-Based Access Control (ABAC) </administration-guide/manage/admin/attribute-based-access-control>` must be enabled by a System Admin in **System Console > System Attributes > Attribute-Based Access**.
- You need Channel Admin permissions and the ``manage_channel_access_rules`` permission.
- Channel access rules are available only for private channels.
- Self-service channel access rules in the **Access Control** tab in Channel Settings are configured for private channels. Membership policies apply to both public and private channels, with different behavior by channel type. See :ref:`Public and private channel behavior <administration-guide/manage/admin/abac-channel-access-rules:public and private channel behavior>`.

Access Channel Settings
~~~~~~~~~~~~~~~~~~~~~~~~
Expand Down Expand Up @@ -86,6 +86,36 @@ When you save changes that affect membership, a confirmation dialog shows you:
- Option to view the specific users affected
- Confirmation required before applying changes

Public and private channel behavior
-----------------------------------

Membership policies behave differently depending on the type of channel they're applied to:

- **Private channels**: Membership policies are enforced. Users who match the policy's rules are added, and users who don't match the rules are removed during synchronization.
- **Public channels**: Membership policies are advisory. Matching users may be automatically added when auto-add is enabled, but non-matching members are not removed.
- When auto-add is disabled for a public channel, matching channels are surfaced as **recommended** rather than enforcing membership.
- Direct messages and group messages aren't eligible for membership policies.
- Default channels such as **Town Square** and **Off-Topic** are excluded.

.. note::

Public channels with membership policies may appear in **Browse Channels** under **Recommended**, and matching users may be marked **Recommended** in the channel invite flow. See :doc:`Browse channels </end-user-guide/collaborate/browse-channels>` and :doc:`Manage channel members </end-user-guide/collaborate/manage-channel-members>` for the end-user experience.

Channel-level permission policies
---------------------------------

From Mattermost v11.8.0, admins can define channel-level permission rules for file upload and file download based on user attributes and channel role. Applicable roles include **channel admin**, **channel member**, and **channel guest**.

For system-wide permission policies that restrict file upload and download actions, see :ref:`Permission policies <administration-guide/manage/admin/abac-system-wide-policies:permission policies>`.

Simulate access
----------------

From Mattermost v11.8.0, admins can use **Simulate access** in Channel Settings to preview whether selected users can perform actions such as joining a channel, uploading files, or downloading files before saving policy changes.

- Simulation can evaluate draft rules before they're saved, so you can confirm the intended scope without affecting live channel access.
- Some denied results may indicate that the decision came from another policy. In that case, Mattermost shows that access was denied by another policy without exposing policy details you aren't authorized to see.

Manage team-scoped membership policies in Team Settings
-------------------------------------------------------

Expand Down
14 changes: 12 additions & 2 deletions source/administration-guide/manage/admin/abac-system-wide-policies.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,11 +62,21 @@ You can add multiple rules to a single policy, and each rule can include multipl

Select the **Validate syntax** bar to check the syntax of your rule. If the syntax is valid, the bar will turn green and display a message indicating that the syntax is valid. If there are any issues, the bar will turn red and display an error message.

Test rules
~~~~~~~~~~
Simulate access
~~~~~~~~~~~~~~~~

Select **Test access rule** to test the rule against your user base to return how many users would be granted access to the channel based on the current rule. Test your rules to ensure the intended scope and avoid unexpected access changes.

From Mattermost v11.8.0, you can use **Simulate access** to preview allowed and denied outcomes for specific users before saving policy changes:

1. Open the policy editor in the System Console.
2. Select **Simulate access**.
3. Choose the users you want to test.
4. Review the allowed and denied outcomes by action, such as joining a channel or uploading and downloading files.
5. Adjust the rules before saving.

Simulation can test draft policy changes before they affect live channel access or file permissions. Detailed rule and attribute information is shown only when the denial comes from the policy or scope you're editing; otherwise, Mattermost may show that access was denied by another policy.
Comment on lines +65 to +78

@coderabbitai coderabbitai Bot Jun 13, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Rewrite the lead-in to match Simulate access.

The opening sentence still talks about testing against the whole user base and counting granted users, which no longer matches the per-user pre-save simulation described below. Readers will get two different mental models for the same feature.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@source/administration-guide/manage/admin/abac-system-wide-policies.rst`
around lines 65 - 78, The lead-in still describes testing a rule against the
whole user base and counting granted users; update that opening paragraph (the
line that starts "Select **Test access rule** to test the rule against your user
base to return how many users would be granted access...") to instead describe
the "Simulate access" feature as a per-user, pre-save simulation that previews
allowed and denied outcomes for selected users in the policy editor of the
System Console; keep references to "Select Test access rule" and "Simulate
access" and briefly note it previews per-user allow/deny outcomes before saving
rather than returning a user count.


Manage rules
~~~~~~~~~~~~

Expand Down
5 changes: 4 additions & 1 deletion source/administration-guide/manage/admin/attribute-based-access-control.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,11 +40,14 @@ Configure access policies

Once enabled, you have multiple ways to configure access policies in Mattermost:

From Mattermost v11.8.0, admins can configure membership policies for both public and private channels, permission policies for file upload and file download, and simulate policy outcomes before saving.

**System Admins can:**

- Create :doc:`system-wide access policies </administration-guide/manage/admin/abac-system-wide-policies>` that can be assigned across multiple channels in the System Console.
- Create :doc:`system-wide access policies </administration-guide/manage/admin/abac-system-wide-policies>` that can be assigned across multiple channels in the System Console. Membership policies can be applied to both public and private channels, with :ref:`advisory behavior on public channels <administration-guide/manage/admin/abac-channel-access-rules:public and private channel behavior>`.
- Assign :ref:`individual channel policies <administration-guide/manage/admin/abac-system-wide-policies:define access controls per channel>` to specific channels in the System Console.
- Define :ref:`permission policies <administration-guide/manage/admin/abac-system-wide-policies:permission policies>` that restrict actions such as file upload and file download based on user attributes.
- :ref:`Simulate policy outcomes <administration-guide/manage/admin/abac-system-wide-policies:simulate access>` to preview whether selected users can perform actions such as joining a channel or uploading and downloading files before saving policy changes.

**Team Admins can:**

Expand Down
4 changes: 4 additions & 0 deletions source/end-user-guide/collaborate/browse-channels.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@ Browse channels

From Mattermost v9.1, you can filter the list of channels by public, private, or archived channels, and you can hide all channels you're already a member of.

.. note::

From Mattermost v11.8.0, if your organization uses membership policies, **Browse Channels** may include a **Recommended** filter. Recommended channels are public channels your attributes match. You can still browse and join public channels according to your organization's normal channel permissions.

.. tab:: Mobile

1. Tap the **Plus** |plus| icon located in the top right corner of the app.
Expand Down
12 changes: 11 additions & 1 deletion source/end-user-guide/collaborate/join-leave-channels.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,4 +107,14 @@ When you leave a private channel, you must be re-added by another channel member

.. image:: ../../images/mobile-confirm-leave-a-channel.jpg
:alt: Tap on Leave to confirm your choice.
:scale: 30
:scale: 30

Leave a public channel added by a membership policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Mattermost v11.8.0, when you leave a public channel you were added to by a membership policy, Mattermost asks you to confirm:

- Choosing **Leave channel** removes you from the channel.
- Choosing **Mute instead** keeps you in the channel and mutes its notifications.

If the channel is already muted, Mattermost shows **Cancel** and **Leave channel** instead of **Mute instead**.
Comment on lines +112 to +120

@coderabbitai coderabbitai Bot Jun 13, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Mention the recommendation side-effect.

The leave-confirmation text explains Leave channel vs Mute instead, but it doesn't tell users that leaving can also remove the channel from Recommended. That missing context is why the mute option exists for policy-added public channels.

✏️ Suggested addition 
 From Mattermost v11.8.0, when you leave a public channel you were added to by a membership policy, Mattermost asks you to confirm:
 - Choosing **Leave channel** removes you from the channel.
 - Choosing **Mute instead** keeps you in the channel and mutes its notifications.
+- Leaving may also remove the channel from **Recommended** results tied to the policy.

Based on the PR objective, this flow should also tell users that leaving may remove the channel from Recommended.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Leave a public channel added by a membership policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Mattermost v11.8.0, when you leave a public channel you were added to by a membership policy, Mattermost asks you to confirm:
- Choosing **Leave channel** removes you from the channel.
- Choosing **Mute instead** keeps you in the channel and mutes its notifications.
If the channel is already muted, Mattermost shows **Cancel** and **Leave channel** instead of **Mute instead**.
Leave a public channel added by a membership policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Mattermost v11.8.0, when you leave a public channel you were added to by a membership policy, Mattermost asks you to confirm:
- Choosing **Leave channel** removes you from the channel.
- Choosing **Mute instead** keeps you in the channel and mutes its notifications.
- Leaving may also remove the channel from **Recommended** results tied to the policy.
If the channel is already muted, Mattermost shows **Cancel** and **Leave channel** instead of **Mute instead**.
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@source/end-user-guide/collaborate/join-leave-channels.rst` around lines 112 -
120, Update the "Leave a public channel added by a membership policy" paragraph:
after the sentences that explain the difference between the "Leave channel" and
"Mute instead" choices, add a concise sentence stating that choosing "Leave
channel" may also remove the channel from Recommended while choosing "Mute
instead" keeps you in the channel (and preserves its Recommended status);
reference the existing phrases "Leave channel" and "Mute instead" so the new
sentence is placed with those explanations.

5 changes: 4 additions & 1 deletion source/end-user-guide/collaborate/manage-channel-members.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,10 @@ Add members to a channel

Any member of a channel can add other members to public or private channels, unless your system admin has restricted access to do so.

When a channel has :doc:`attribute-based access controls </administration-guide/manage/admin/attribute-based-access-control>` enabled, you'll see details about which user attributes are permitted access to the channel. Only users who meet the requirements appear in search results when adding members to that channel.
When a channel has :doc:`attribute-based access controls </administration-guide/manage/admin/attribute-based-access-control>` enabled, you'll see details about which user attributes are permitted access to the channel. Behavior when adding members depends on the channel type:

- **Private channels with membership policies**: Only users who meet the policy requirements are available to add.
- **Public channels with membership policies**: Users who match the policy may be shown with a **Recommended** tag, but the invite list isn't restricted by the policy.

.. tab:: Web/Desktop

Expand Down
Loading