Random Users gaining access to projects

I noticed a huge security flaw last year where users have access to projects that they should not have access to.
I wrote in several times and have not heard back from support.

Basically, I have created projects and when I go to assign the task to a specific user, other users show up in the list that do not have access to the project!

In my particular case, the users are from a completely unassociated work project under a different work account I own, so there is some mapping issue somewhere that is allowing the 3rd party company employees access to my newly created projects (under a completely different login and email address).

My guess is that some merging happened on the backend and the users were added at some level that cannot be accessed by the user interface.

I would love to get some help on this so I can use the product without fear that all of my projects can be seen by others that should not have access.

Thanks in advance!

Hello @brad_ranks Thanks for the post.
According to me, the names in the assignee dropdown that comes up when you start assigning people do not have access to the specific project. They will only have access when:

  1. They are added to the Organisation and the team and project are public to the organisation

  2. They are added to the Team and the project is public to the team

  3. They are added to the Project and will see only the tasks in this project

  4. They are assigned a task or added as a collaborator to the task. Then they will only be able to see the task and not other tasks in the project.

Hope this is helpful.

2 Likes

Hi @brad_ranks, welcome to the Asana Community Forum!

In order to investigate this further, I have just liaised with our support team to help speed up the process and can confirm they will be in touch shortly to help you clarify this. They have the tools to have a closer look at your account setup and give you a tailored answer 🙂

Thanks @Paul_Grobler for sharing this info here as well!

Let me know if you have any questions in the meantime.

1 Like

This does not seem to be the case for my account. I have interacted with many many people on many projects. There are only a very select few that still show up in the assignee list. If the above statements were correct, then I would be seeing a much much larger list of assignees.

Can you manually remove them from my account or remove everyone but me and I can re add anyone I feel is appropriate?

Hi @brad_ranks! Unfortunately I’m not able to remove users from your Organization or Workspace as I don’t have access to your space. If you wish you can remove everyone following these steps:

  • If you have a free Organization follow these steps.
  • If you have a Premium Organization and you are the Admin you can follow these steps.

I hope this helps! 🙂

Hi Emily,

Thanks for the suggestion, but none of those seem to apply to my account. I do not have any of those settings in my view. I am the creator of the workspaces (aka Admin), but none of the links, tabs or naming conventions are available in my interface.

I am starting to think that this bug is not something that anyone over there wants to deal with and I should just delete these projects and account and maybe create a new account under a different email, since you can’t figure it out.