Hi All!
I’m a small MSP interested in using Asana to replace the standard helpdesk but have some concerns with this.
Please note: I can only replicate this behavior using the iPhone mobile app (I’ve not tested Android) and it is not an issue using the desktop browser. I reported this many months ago to support; however, I can’t find the original email. I wasn’t provided a fix.
My Setup:
Organization
|
|–Internal Dept 1 (Team)
|
|–Internal Dept 2 (Team)
|
|–Clients (Team)
    |
    |–Client X (Project)
    |
    |–Client Y (Project)
Added a guest to the Client X project.
Added a guest to the Client Y project.
Logged in as Guest X on the iPhone. I can see a list of all users in Clients (Team). As expected, I can see the actual name of the org member that is also in the same project as me. Guest Y is listed as a “Private User.” *(I’d prefer it be like the browser experience where the private user isn’t listed at all, but not a problem I guess.)*
My Concern: If I, Guest X, click on the project and then click on the list of members, and then click on the private user listed, I am given an option to “Send Message” or “Assign Task”. When testing, both options work. I, Guest X, can give Guest Y a private message and assign them tasks as well that now show up in their account. I can also click “View Tasks” and see the task I just assigned to Guest Y.
Why is this a concern?
Because in my above setup, in theory, one client initiates contact with another client while I have no idea about such contact. They’ll have no idea who they are talking to. But regardless, they could maliciously contact ALL clients. The only way around this is to create a team for each client and this is no longer a problem; however, after browsing the forums I see many other people use the same setup I have above.
I’m on the Business plan but I’m sure this impacts others.
Thoughts?