We are a smallish unit within a much larger organization. Many of our projects are highly confidential. Unfortunately, when we try to @mention a team member, Asana begins to offer us the choice of any non-team member who has the same first few letters in their @mention identifier. This poses a real security risk. How can we stop it?
6 Likes
You currently can’t that’s the way the tool always has been, it aligns with Asana’s vision of open collaboration…
1 Like
One would think that there would also be a confidentiality function… Why not an open collaboration default and an option for confidentiality configurations? Or, at a minimum, a pop-up inquiry (ie “This person is not on your team. Do you still want to @ them?”)
Hi @Pamela_Metzger
This matter is very important.
(I can’t find it right away, but it’s an issue that has been discussed on the forums for quite some time.)
I also strongly hope for a response, so I will vote for it.
P.S. Is this it?
Append
2 Likes
Because I believe it could conflict with the “no silos” philosophy Asana has and annoy you with popup often? Just trying to guess
Recently, I have found myself desiring to avoid this once more.
Primarily, perhaps it would be advantageous to have the option to choose “do not display.”
2 Likes
There is a dangerous usability bug in the suggestions of the useful user tagging feature.
When it starts to tag someone with “@” a list of users appears, but it’s unfiltered by the users’ rights related to task>project>team.
It means that is too easy to tag someone who is completely external to task>project>team, giving it automatically the right to access the tag, and without any ALERT to the tagger.
I did that too many times that error, overall when I started tagging someone digiting the first name letter, as “@ricc…”.
Please check it.
This privacy bug still exists.
WHY
Hi @Riccardo_Mares,
FYI I merged your posts with an existing request on this topic.
Also note that it’s not a bug; Asana is working as intended.
Not to say that you and others here don’t have a valid request for it to work in a more restricted fashion to enhance privacy, but as @Bastien_Siebman notes above, the current behavior is aligned with Asana’s “no silos” philosophy.
1 Like
It’s absolutely a privacy bug. It’s so easy to tag someone completely OT and share him/her protected information or privacy-covered information. I don’t really understand how Asana doesn’t care about it and understand how it should be dangerous.
It could indeed be a privacy issue for your organization and use case, totally get that. But please also understand that it could be a desirable feature for other organizations, depending on how they collaborate, what type of information is involved, etc.
Also again it’s not “a bug” - a software bug is defined as code that behaves differently than was intended. In this case it’s behaving as Asana intended.
There are two kinds of bugs:
- bugs that arise from executing something incorrectly as planned
- functional bugs
A project management tool that allows tagging external people without any notification, thereby sharing potentially protected data, has a serious functional bug.
After years of my first notification of this dangerous bug, it still exists.
Just some minutes ago, I tagged a customer of mine on a confidential task.
That task is on a reserved private team and on a reserved private task.
Don’t you want to stop it? Please add an alert “Are you sure you want to tag a user that has now NO access to the task?”.
The very bad thing is that the tagging automatically adds the tagged user to the task, giving him the right to read 
Please ASANA fix it!
Please @Richard_Sather can you help push this bug-task too? 
Hi @Riccardo_Mares , I don’t work for Asana, I’m just a volunteer forum leader.
Not sure this is seen as a bug though, as @Phil_Seeman rightly explained to you above.
I’m very afraid you (not only you) understand the severity of this privacy bug.
Every day, ASANA users may fall into wrong users tagging, exposing confidential information to people without any rights.
@Riccardo_Mares , I’m afraid you have misunderstood me 
I don’t disagree that this is clearly an issue for you or for other users that have voted here - totally get it. I just meant that I don’t see this being considered a bug by Asana 
A bug is not just something that fails or raises an error; it also refers to something that can cause harm or agree to do so.
Thank you
What about someone putting the wrong person in CC of an email? Isn’t it the same thing? 
Gmail fixed it by saying “careful this is someone outside of your domain” but I am not sure how different it is, can someone explain to me in case I am missing something?