Creation of projects / portfolios by guests

Hi, everyone,
I read and learned here, but this is my first post! :slight_smile:

Maybe I’m missing something, and I’d love to hear people’s opinions here.

As a new Asana user, coming from the world of data security - this seems to me to be a real problem waiting to happen, when it is not possible to block a guest from creating projects, and basically riding on the organization’s domain.

The problem - a guest can create private projects over which the organization has no control at all, with all the legal significance of this.

Also, a guest can create portfolios, reports and goals - and there is no way to disable this.

(By the way, as you know the advanced tier has a limit of 20 portfolios.
If a guest creates a portfolio - even if the guest is removed from the organization - the portfolio still takes up a slot.
I checked! :roll_eyes:)

In the enterprise tier it is possible to block sharing by a guest, which is already something.

But it would be worthwhile at least in the enterprise tiers (which add control and permissions) - to be able to block the creation of projects or portfolios, reports and goals by the guest.

(Of course, it would be useful to control this at the level of the specific guest, and not at the level of the entire organization.)

Another thing - I saw that it is being talked about here, and that is very important in my opinion.
Since it is about business information - it would be desirable to give the super admin the ability to access private projects as well.

Thanks,
Dim

1 Like

Hi,

Can you clarify how allowing someone to create a project is a security threat?

1 Like

Hey Bastien,

The problem is not only a security threat, but I will clarify :slight_smile:

I completely accept and understand the philosophy of Asana for internal employees.

My starting point (and not only mine) in matters of security:
internal employees should be trusted, even at the cost of certain compromises in security - to enable an efficient workflow.
But regarding guests and external users - the approach is the opposite, and the control of information should be tight.

One example of a security issue:
A guest creates a private project, with information pretending to be internal information - and shares it with another guest.
The other guest sees the company logo, and the verified internal work environment of the company, something that inspires trust - and the responsible parties will not even have an idea that this project exists.

Is it necessary to continue to explain what can be done with untrue internal information?

Of course, this can be solved by blocking sharing - but this is only available in the enterprise plan.

I’m sure if I try I’ll find more problems when sharing with a guest who can’t be trusted.

And that’s even before we talked about the very legal issue of using the company’s tools for things the company is not aware of, when it comes to external guests.
All you wanted to do was give them a snapshot of a project - and ooops, they now have Asana for what they want, in your corporate environment.

In my opinion - we should know exactly what a guest can do, and have full control of his experience.

English is not my everyday language, so I hope it’s clearer now.

All clear, makes a lot of sense. I can think of at least 2 features existing in Enterprise: whitelisting guest domains, preventing guests from inviting other guests…

Perhaps a part of this issue, or a related issue is:

The combination of 1) Admin not allowed to see and delete private data, and 2) No way to preclude selected users (Guests, or a more specific subset of users) from creating private data, is likely a concern to any organization.

Like two-factor, some believe this should be standard in a SAAS app; it shouldn’t require the top-cost Enterprise plan.

Thanks,

Larry

Hey Larry,

You summed it up short and concise, thank you.
This combination is a bit disturbing.

By the way, even in the most expensive plan, there is still no good control over these points.

@Bastien_Siebman’s proposal provides a partial answer - only to the issue of sharing.

But maybe it’s just me - who has an issue with control of data and security :slight_smile:

Thanks,
Dim

1 Like

Thanks Bastien,
I appreciate the thinking and desire to help!

As I said in the answer to Larry - it solves part of the problem, and it is definitely important.

But I feel like it’s a problem that doesn’t just bother me.

Seems like something that would have been worth some extra thinking by Asana - and I think Asana can solve this, at least in the enterprise plan.

Thanks again
Dim

1 Like