Create of projects / portfolios by guests

Hi, everyone,
I read and learned here, but this is my first post!

Maybe I’m missing something, and I’d love to hear people’s opinions here.

As a new Asana user, coming from the world of data security - this seems to me to be a real problem waiting to happen, when it is not possible to block a guest create a projects, and basically riding on the organization’s domain.

The problem - a guest can create a private projects when the organization has no control over them at all, for all the legal significance of this.

Also, a guest can create portfolios, reports and goals - and there is no way to disable this.

(By the way, as you know the advanced tier has a limit of 20 portfolios.
If a guest creates a portfolios - even if the guest is removed from the organization - the portfolios still takes up slot.
I checked! )

In the enterprise tier it is possible to block sharing by a guest, which is already something.

But it would be worthwhile at least in the enterprise tiers (which adds control and permissions) - to be able to block the create projects or portfolios, reports and goals by the guest.

(Of course, It would be useful to control this at the level of the specific guest, and not at the level of the entire organization)

Another thing - I saw that it is being talked about here, And that is very important in my opinion.
Since it is about business information - it would be desirable to give the super admin the ability to access private projects as well.

Thanks,
Dim

Hi,

Can you clarify how allowing someone to create a project is a security threat?

Hey Bastien,

The problem is not only security threat, but I will clarify

I completely accept and understand the philosophy of Asana, in internal employees.

My starting point (and not only mine) in matters of security:
internal employees should be trusted, even at the cost of certain compromises in security - to enable efficient work flow.
But regarding guests and external users - the approach is the opposite, and the control of information should be tight.

One example of a security issue:
Guest creates a private project, with information pretending to be internal information - and shares it with another guest.
The other guest sees the company logo, and the verified internal work environment of the company, something that inspires trust - and the responsible parties will not even have a idea that this project exists.

Is it necessary to continue to explain what can be done with untrue internal information?

Of course, this can be solved by blocking sharing - but this is only available in the enterprise plan.

I’m sure if I try I’ll find more problems when sharing with a guest who can’t be trusted.

And that’s even before we talked about the very legal issue of using the company’s tools for things the companies not aware of, when it comes to external guests.
All you wanted to do was give them a snapshot of a project - and ooops, they now have Asana for what they want, in yours corporate environment.

In my opinion - we should know exactly what a guest can do, and have full control of his experience.

English is not my everyday language, so I hope it’s clearer now.

All clear, makes a lot of sense. I can think of at least 2 features existing in Enterprise: white listing guest domains, prevent guests from inviting other guests…

Perhaps a part of this issue, or a related issue is:

The combination of 1) Admin not allowed to see and delete private data, and 2) No way to preclude selected users (Guests, or a more specific subset of users) from creating private data, is likely a concern to any organization.

Like two-factor, some believe this should be standard in a SAAS app; it shouldn’t require the top-cost Enterprise plan.

Thanks,

Larry

Hey Larry,

You summed it up short and concise, thank you.
This combination is a bit disturbing.

By the way, even in the most expensive plan, there is still no good control over these points.

@Bastien_Siebman proposal provides a partial answer - only to the issue of sharing.

But maybe it’s just me - who is have a issue on control a data and security

Thanks,
Dim

Thanks Bastian,
I appreciate the thinking and desire to help!

As I said in the answer to Larry - it solves part of the problem, and it is definitely important.

But I feel like it’s a problem that doesn’t just bother me.

Seems like something that would have been worth some extra thinking by Asana - and I think Asana can solve this, at least in the enterprise plan.

Thanks again
Dim

Hey,

It’s been a while since I uploaded the post, but unfortunately this is a point that is still issue for us when working with guests.

I’m trying to understand now - this is something that is part of Asana, and that’s it?
Even in the enterprise plans - won’t there be full control over the guests?

Or is this something they are considering solving?

I would really like someone from Asana to comment

Hello - I found this issue and I am having a similar problem. I have a client who is supposed to only have guest access to a single project. She is not particularly savvy and instead of creating new tasks, she is somehow creating projects for every request she has. She is mucking up my Asana workspace because I can’t delete these projects!

Is there any way I can prevent her from creating new projects for my team?

@lpb

I don’t know the Asana team here.
Can you help me tag and get someone’s attention from Asana?

Thanks a lot!

@Dim1,

Asana sees these posts, and I’ll reach out for you, but . . .

Forum threads are updated when there’s new information, but not otherwise, because of both the volume of threads and because Asana, like many products, doesn’t publish a roadmap.

Thanks,

Larry

Hi @Dim1, Emily here from the Asana community team thanks for sharing your feedback with us and apologies for the delay in sharing an update on this thread!

We don’t have immediate plans to launch the option to block guests from creating projects or portfolios. We are planning more powerful controls for Enterprise Admins and Super Admins and I will make sure to post an update in this thread as soon as I have more information and dates

Can you please clarify why only on Enterprise that feature could be an option? I am not even sure the costs os enterprise, but as it stands I have a team of 4 and I am paying for 5 seats to use updated features. This would solve a lot of our issues but I am not sure it would be worth the costs. I feel like if everyone has the ability to add guests why not give everyone the ability to set restrictions? This is a huge concern for my company because I’ve tried other programs where guests have completely messed up our system and workflows. We switched to asana thinking we would have this capability not realizing until after implementing that it’s only for enterprise users.

Hi

For some reason we don’t understand, clients (guests) are able to create new projects

We always invite clients to a project with the “comment” ability only

and for some reason, some clients could create dozens of new projects

how is that possible ??

also yesterday a client could duplicate one of our projects, causing a great confusion as all members of this projects received notifications that they were members of a new project (the duplicate one)

How is that possible ?

We would like clients not to be able to do anything else than comment the tasks on the project they have been invited too

Thanks for your help

@FirstV,

I’ve merged your post into an existing topic where you can click the title to scroll to the top and vote by clicking the purple Vote button.

Thanks,

Larry

hi

Im not sure to understand

we want guest NOT to be able to create projects

it seems this topic asks the opposite ?

or did i not understand well ?

thanks for your help

@FirstV, I think this is the same request as yours.

You are right thank you

Hi Emily

Please let us decide what guests can do otherwise it can become a real mess

We had clients (guests) who mistakenly created dozens of new projects just for testing and creating hundreds of tasks in them

it took us hours to clean the mess

Guests should not to be able to do anything else than comment the tasks on the project they have been invited too (as comment role)

Thanks for your help

Hi
Any news about this ? this is a very annoying issue
thank you