Integration Permissions

  1. Will the system store, process, or transmit:

  2. Any sensitive data that should not be released to the public

  3. PHI (Personal Health Information)

  4. PII (Personally Identifiable Information)

  5. CJI (Criminal Justice Info)

  6. Facial Recognition Data


  1. Does this system store, process, or transmit data through the Internet, Public Cloud, or OUTSIDE of my orgs IT infrastructure?

Hi @Sophia_Hosain,

The answers to these questions will be specific to each individual integration. You’ll need to query the creator of a particular integration for their answers to these questions.

I am looking for clarity on Outlook, Teams and Microsoft 365- is there one policy for microsoft integrations?

The Microsoft 365 integration is written by Microsoft, so you’d need to contact them for that info per this page.

The Outlook and Teams integrations are written by Asana, so they should be able to answer your questions on those apps. It’s unlikely anyone will have those answers in the forum; I would recommend contacting Asana support for that info.

1 Like

Hi Phil,

Is there a list that Asana provides that shows all possible scopes or permissions an app integration can ask for?

Such as the image below asking for permissions, is there a list showcasing all content capabilities and user capabilities without having to go one by one and see what each app is requesting?

Hi @Dan50,

Actually there are no scopes. When an app authenticates to a user’s Asana account, the app gains access to all Asana data which that account has access to. There’s no way to restrict beyond that as part of the auth process.

The message and bullet points you show in that dialog are a bit disingenuous IMO. It should more accurately say “you will give it permission to access any data within your Asana account” because that’s what you’re doing. Jira might argue, “But we’re only accessing the data that we list there, we’re ignoring everything else”, but that doesn’t change the fact that they COULD access everything else if they wanted to.

Thank you @Phil_Seeman, this was a very helpful explanation.

@Dan50, I do want to mention one clarification. Currently, when you authenticate to an Asana account per our discussion above, you gain access to ALL workspaces/organizations that account has access to.

One thing Asana is doing to reduce that scope is that, in the future, instead of authenticating to an entire Asana account, the user in granting access will be able to select ONE workspace/organization that they have access to, and your app will only be granted access to that one space. You still have access to everything within that space, but at least users who are members of multiple spaces will be able to grant app access to just one of them.

You can read more this upcoming change here and here.

1 Like

@Phil_Seeman Thank you. Do we know when this will be in effect?

Follow up questions:

  1. My understanding is that if we have a integration within a workspace, the safest permissions would have everyone in the workspace as a “Team Member” and no one as “Team Admin / Org / Super Admin”. The reason is because admins have more access in a workspace and if integrations technically have access to everything then the role type determines integration access. Therefore, having everyone as a basic team member status in the workspace is the safest option for adding the integration. Is this your understanding?

  2. Admin and Integrations
    If we set up a bot in a workspace to enable the integration and then the bot leaves the workspace but it does NOT get deactivated, will the integration still exist in the workspace?

  3. Ex: Alice authorizes an integration in a workspace. Can Bob interacting with the integration impersonate Alice’s account?

We don’t. The docs say “summer 2023” but that’s come and gone, and I know the project has taken longer than the API team anticipated. I’ll try to get a better answer for you from Asana.

Unless I’m missing your point (which is possible!), then the only permissions that matter are those of the account that you authenticate to. All API access occurs according to the permissions of that account. It doesn’t matter in terms of the API what permissions any other user accounts have.

The integration will technically still exist, but any API calls that it tries to do will return a 401 Not Authorized error if the bot’s Asana account is no longer a member of the workspace.

My basic answer is “no” - there’s no way to get around the linkage between an external app and the Asana account it authenticates to. The app can only operate with Asana data via that account. However, I’m not exactly sure what you mean when you say “interacting with the integration”, so I’ll give this a “qualified no”.

1 Like

Thank you so much!

Example: If Alice authorizes the Jira integration, since the integration allows “Create and modify tasks, projects, and comments on behalf of” Alice’s account, then if Bob uses the Jira integration to create a project or task, does it appear as if the project/task is being created by Alice (the authorizer) or Bob (initiating the action)?

This - it will show as Alice. Precisely because of:

Thank you, this was very helpful.

On a separate note, we are looking to examine workflows within our organization.

Is there a way to examine who installed and what integration has been installed? Additionally, can we get timestamps for these?

Is there a way to do a data dump and export this to a CSV?

I think the only way to get this info is via the Audit Log API, available for Enterprise accounts only.

No export is available for this type of info.

Isn’t this also available more easily as CSV export (Enterprise only)?



1 Like

Ah, thanks, @lpb, forgot this was available!

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.