The answers to these questions will be specific to each individual integration. You’ll need to query the creator of a particular integration for their answers to these questions.
The Microsoft 365 integration is written by Microsoft, so you’d need to contact them for that info per this page.
The Outlook and Teams integrations are written by Asana, so they should be able to answer your questions on those apps. It’s unlikely anyone will have those answers in the forum; I would recommend contacting Asana support for that info.
Is there a list that Asana provides that shows all possible scopes or permissions an app integration can ask for?
Such as the image below asking for permissions, is there a list showcasing all content capabilities and user capabilities without having to go one by one and see what each app is requesting?
Actually there are no scopes. When an app authenticates to a user’s Asana account, the app gains access to all Asana data which that account has access to. There’s no way to restrict beyond that as part of the auth process.
The message and bullet points you show in that dialog are a bit disingenuous IMO. It should more accurately say “you will give it permission to access any data within your Asana account” because that’s what you’re doing. Jira might argue, “But we’re only accessing the data that we list there, we’re ignoring everything else”, but that doesn’t change the fact that they COULD access everything else if they wanted to.
@Dan50, I do want to mention one clarification. Currently, when you authenticate to an Asana account per our discussion above, you gain access to ALL workspaces/organizations that account has access to.
One thing Asana is doing to reduce that scope is that, in the future, instead of authenticating to an entire Asana account, the user in granting access will be able to select ONE workspace/organization that they have access to, and your app will only be granted access to that one space. You still have access to everything within that space, but at least users who are members of multiple spaces will be able to grant app access to just one of them.
You can read more about this upcoming change here and here.
@Phil_Seeman Thank you. Do we know when this will be in effect?
Follow-up questions:
My understanding is that if we have an integration within a workspace, the safest permissions would have everyone in the workspace as a “Team Member” and no one as “Team Admin / Org / Super Admin”. The reason is because admins have more access in a workspace and if integrations technically have access to everything then the role type determines integration access. Therefore, having everyone as a basic team member status in the workspace is the safest option for adding the integration. Is this your understanding?
Admin and Integrations
If we set up a bot in a workspace to enable the integration and then the bot leaves the workspace but it does NOT get deactivated, will the integration still exist in the workspace?
Ex: Alice authorizes an integration in a workspace. Can Bob interacting with the integration impersonate Alice’s account?
We don’t. The docs say “summer 2023” but that’s come and gone, and I know the project has taken longer than the API team anticipated. I’ll try to get a better answer for you from Asana.
Unless I’m missing your point (which is possible!), then the only permissions that matter are those of the account that you authenticate to. All API access occurs according to the permissions of that account. It doesn’t matter in terms of the API what permissions any other user accounts have.
The integration will technically still exist, but any API calls that it tries to do will return a 401 Not Authorized error if the bot’s Asana account is no longer a member of the workspace.
My basic answer is “no” - there’s no way to get around the linkage between an external app and the Asana account it authenticates to. The app can only operate with Asana data via that account. However, I’m not exactly sure what you mean when you say “interacting with the integration”, so I’ll give this a “qualified no”.
Example: If Alice authorizes the Jira integration, since the integration allows “Create and modify tasks, projects, and comments on behalf of” Alice’s account, then if Bob uses the Jira integration to create a project or task, does it appear as if the project/task is being created by Alice (the authorizer) or Bob (initiating the action)?