Collaborators accidentally added able to see private project

I have a question - we have one project that is not only marked as private, it only has 4 members. Someone accidentally added an external person’s email to a task as a collaborator and they were able to see EVERYTHING on that task, although they were not able to see the rest of the project. This is of huge concern. Are we doing something wrong? Is there a way to disable the ability to add collaborators that are NOT part of the project?

Thank you.

Hi @Federica_Fiore,

If that external person was put on the task as a collaborator (correctly or incorrectly), then it makes sense that they would have access to everything on that task, right? (In order to collaborate/work on a task, you need to see what you’re working on.)

Unfortunately not. Having the project be private makes it pretty inaccessible to others, but explicitly adding someone as a collaborator on a specific task is I think the one way to override that privacy, for that one task only.

The only thing I know of to prevent that is in an Enterprise-level Asana subscription, there is an Admin option to block normal users from being able to include guests in an organization.

I looked for a thread in the Product Feedback forum section for something like “Have the option to disable task collaborators who are not project members” but couldn’t find anything like that - so you might want to create such a thread in that section, so people can vote for it if they agree it’s needed.

3 Likes

Thanks that makes sense. The main issue is that, while you can see team members right at the top to see who has access to the project, the admin would have to check every task to see if someone was accidentally or maliciously added. Plus, no notifications are sent. It’s just a bit counterintuitive but I appreciate the confirmation.

@Phil_Seeman do you know if with this Enterprise option it also prevents users from adding guests at a task level? I believe that theoretically a guest could be added to every task of a project but still not be seen as a guest on the license as they wouldn’t be considered a “project member”. I don’t think they would even know what project the task is associated as being a collaborator doesn’t give you all the visibility you might need in all cases. I think that is correct but you might have to confirm. If correct, it still doesn’t solve for the inability to limit who can add a collaborator. :disappointed:

What might be a worthwhile #productfeedback feedback is the ability to perform an advanced search to see all collaborators on a project that are not project members. This would at least make for a handy Saved Search that one could audit frequently to make sure there weren’t any users collaborating on tasks that shouldn’t.

That’s an excellent question. I didn’t know for sure, so I just tested. It’s good news - it does prevent even adding a guest as a collaborator on one task!

I tested this as well. Again good news - even a guest added or invited just as a collaborator on one task does show in the Admin Console under “Members”.

It sure does not - I think @Federica_Fiore has raised a valid concern.

This would be nice to have. Or… @Bastien_Siebman, you could probably write this as a utility in your brilliant set of tools! (The “minimalist work Guest Security Analyzer” :smiley:)

3 Likes

@Phil_Seeman you are the real MVP! Thanks for the extra testing to confirm. I didn’t realize Enterprise offered that level of control. Very nice!

Thank you!!! :pray:

1 Like

That would be a tough one as you need to go through all projects and all tasks :sweat_smile:

Indeed. Probably would not be able to be a real-time UI display but more of a “we’ll email you with your results once they’re ready” kind of thing.

as @Phil_Seeman pointed out, you can still see collaborators under “Members” - this is a viable solution for those companies who cannot afford the enterprise seats but still want to be able to see everyone, part of a private project or not, that are “participating” in the content. This is easy to do for the smallest of teams that have no cross-over projects, but might be hard to track for larger teams, or teams in which a person is part of a project, but not another. In other words, this trick can only detect complete strangers accidentally added as collabs :stuck_out_tongue:

1 Like

This topic was automatically closed after 4 days. New replies are no longer allowed.