Project "Editors" should not be able to modify project "Owner"

We’ve had a problem where users with “editor” rights have been able to modify the ownership of projects that do not belong to them. It seems to me that only an owner (or Admin) should be able to transfer ownership. Am I missing something here?

1 Like

This is a serious permissions flaw, from my perspective. I’ve tested and confirmed that anybody you add as an “editor” can in fact remove you as the owner, make themselves the owner, and even completely delete the whole project – all with no confirmation required from the legitimate project owner. Furthermore, there is no ability for the original project owner to recover their project at all – it’s completely deleted outside of their control.

Thus you have to COMPLETELY trust any employee or collaborator to whom you grant editing permissions on a project. This is quite uncomfortable, given that we’ve invested years of development and note-taking into some projects, and an intern could unwittingly wipe all of this out if they think they are just cleaning up their own account by deleting projects they’re no longer interested in.

In fact, I’ve discovered that a user with editor permissions doesn’t even need to make themselves the project owner – they can irreversibly delete the project just as an editor. This should not be allowed. Only project owners should be able to delete a project.

3 Likes

Hello,

On this topic, I would add some additional control over the removal of members from a team. Currently, any user with edit permissions at the project level can delete project members and, with just one or two additional clicks, REMOVE the Asana-level account of a teammate. This has happened in the past few weeks in my organization: one teammate, while testing, deleted the accounts of two other teammates. He simply created a test team, added two colleagues and then removed them. When removing the colleagues from the project, the interface showed the option to “remove full access”, and this resulted in deleting the accounts of these colleagues at the Asana level.

I think both the project deletion control and the removal of members from a project (or the second step suggested by the “remove full access” interface) should have more control at the permissions level. Likewise, the “remove full access” part should make it much clearer to the user performing this action that the affected user’s account will be removed from Asana. I think this is a very important step which, as it turns out, leads to users deleting accounts without realizing it.

Regards

1 Like
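An added illustration, not Asana's code and not written by anyone in this thread: a toy project model in Python with the lax policy the posters describe (any editor can transfer ownership, delete the project or remove members) next to a hardened policy that reserves ownership and destructive actions for the owner. The `Project` class, the role and action names and the `perform` helper are my own assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):
    OWNER = "owner"
    EDITOR = "editor"

class Forbidden(Exception): ...

@dataclass
class Project:
    name: str
    members: dict = field(default_factory=dict)  # user -> Role
    deleted: bool = False

# Actions the thread argues should be reserved for the project owner.
OWNER_ONLY = {"transfer_ownership", "delete_project", "remove_full_access"}

def authorize_lax(project, actor, action):
    """Behaviour reported in the thread: any editor passes every check."""
    return project.members.get(actor) in (Role.OWNER, Role.EDITOR)

def authorize_strict(project, actor, action):
    """Hardened policy: ownership and destructive actions need the OWNER role."""
    role = project.members.get(actor)
    if role is None:
        return False
    if action in OWNER_ONLY:
        return role is Role.OWNER
    return True  # ordinary edit-level actions (tasks, adding members, ...)

def perform(project, actor, action, target=None, authorize=authorize_strict):
    """Apply `action` to `project` as `actor`, consulting the policy first."""
    if project.deleted or not authorize(project, actor, action):
        raise Forbidden(f"{actor} may not {action} on {project.name}")
    if action == "transfer_ownership":
        if target not in project.members:
            raise Forbidden("new owner must already be a project member")
        for user, role in list(project.members.items()):
            if role is Role.OWNER:
                project.members[user] = Role.EDITOR  # keep exactly one owner
        project.members[target] = Role.OWNER
    elif action == "delete_project":
        project.deleted = True
    elif action == "remove_member":
        if project.members.get(target) is Role.OWNER:
            raise Forbidden("transfer ownership before removing the owner")
        project.members.pop(target, None)
    else:
        raise ValueError(f"unknown action {action}")
    return project
```

Under the strict policy an editor who tries to delete the project or make themselves owner is refused, and the owner cannot be removed without an explicit transfer first, which is the behaviour the posts above ask for.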