Restrict user read permissions for API 2.0

dominikm7139145

11-06-2019

I noticed a major privacy problem with API 2.0 while testing out the possibilities of restricted permissions for normal users:

Using the command https://analytics.adobe.io/api/[mycompany]/users?limit=[XX] a normal user can get a list of all users in a given organization. This may pose a privacy issue, as a normal user should not be able to see the usernames, admin status, email, first & last name, phone number, and title. That is highly personal information on any given user. Usually, I would think that only admins can get access to this information. Even though a "normal" user has no write rights to manage, change or create users, this is still a problem.

Client Care says that the function is working as intended but this feature should not be an intended function for API 2.0. Please change this so that only admins can use this function and normal users only get information on their own account with https://analytics.adobe.io/api/[mycompany]/users/me.
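A small audit helper for the exposure described in this post (an added example, not code from the thread or from Adobe): given the JSON bodies a non-admin principal receives from the two endpoints mentioned above, it reports whether that principal can enumerate other accounts and which personal fields are exposed. The `content` wrapper and the field names are assumptions about the response shape, and the sample bodies are constructed.

```python
"""Audit what a non-admin principal can see via
  GET /api/{company}/users   and   GET /api/{company}/users/me
Field names and the 'content' list wrapper are assumptions; sample data is constructed."""
from typing import Iterable

# Fields the post identifies as sensitive for non-admin visibility (assumed response keys).
SENSITIVE_FIELDS = ("login", "admin", "email", "firstName", "lastName", "phoneNumber", "title")


def exposed_fields(users: list, sensitive: Iterable[str] = SENSITIVE_FIELDS) -> set:
    """Return the sensitive field names that carry a value on any returned record."""
    found = set()
    for record in users:
        found.update(f for f in sensitive if record.get(f) not in (None, ""))
    return found


def other_users_visible(users: list, me: dict, key: str = "login") -> list:
    """Return identifiers of accounts other than the caller's own."""
    own = me.get(key)
    return [u.get(key) for u in users if u.get(key) != own]


def audit(users_body: dict, me_body: dict) -> dict:
    """Summarise the principal's visibility: enumeration of others and exposed PII."""
    users = users_body.get("content", [])
    others = other_users_visible(users, me_body)
    return {
        "can_enumerate_others": bool(others),
        "other_accounts": others,
        "exposed_fields": sorted(exposed_fields(users)),
    }


# Constructed sample bodies: the non-admin caller "alice" receives two other accounts.
SAMPLE_USERS = {"content": [
    {"login": "alice", "admin": False, "email": "alice@example.com", "firstName": "Alice",
     "lastName": "A", "phoneNumber": "", "title": "Analyst"},
    {"login": "bob", "admin": True, "email": "bob@example.com", "firstName": "Bob",
     "lastName": "B", "phoneNumber": "+1 555 0100", "title": "Admin"},
    {"login": "carol", "admin": False, "email": "carol@example.com", "firstName": "Carol",
     "lastName": "C", "phoneNumber": "", "title": ""},
]}
SAMPLE_ME = {"login": "alice", "admin": False}

if __name__ == "__main__":
    print(audit(SAMPLE_USERS, SAMPLE_ME))
```

A result with `can_enumerate_others` true for a non-admin credential is the condition this post asks Adobe to close; the expected state after the requested change is an empty `other_accounts` list for such callers.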

8 Comments

ursboller

MVP

11-06-2019

Can't believe that we need to make an idea on this! It definitely should not work like that; a restriction for "normal users" is highly needed!

Thanks for posting the idea...

Brian_Kent_Watson

Employee

11-06-2019

Note that non-admin users can see all users in the company, including First Name, Last name, and Email address, when they take actions in the UI such as sharing segments and Workspace projects, adding recipients to alerts and scheduled reports, etc.

The three elements of admin status, title, and phone haven't been previously exposed in the UI so that is additional information that was added for API 2.0. We can consider making a change such that only admins can pull the lists of users via API but the expectation that a normal user should never see information about another user simply doesn't match the historical behavior of the product.

ursboller

MVP

11-06-2019

Would it be an option to restrict access to the same user group by permission? E.g. add a new permission setting to only allow "user lookup" of own "user groups"? This way we could create a new user group for external agencies, and those persons would have only access to names/users within that group.

Brian_Kent_Watson

Employee

11-06-2019

That's a possibility. We'll need to consider how such a change would impact functionality in the UI such as sharing and schedule recipients, etc. Because Analysis Workspace is built on the 2.0 API set we generally want to keep behaviors in the API consistent with behaviors in the UI.

I appreciate the feedback in this thread.

dominikm7139145

12-06-2019

Wouldn't it be easier then to change the permissions for normal users so that they can only see First and Last Name (both in UI and API)? Also, I haven't seen any email information in the UI when sharing segments, workspaces, metrics, etc. I can add someone by specifically writing out that person's address, but usually I only see First and Last Name in the sharing menu.

David-123

12-06-2019

I can see how this could be an issue in a large enterprise.

Surely a toggle box in the admin section to allow / block API from the user request would solve this?

dominikm7139145

12-06-2019

You mean completely block API requests? Our use case is restricted API access for normal users (e.g. for reporting purposes on specifically chosen variables).

But it would also be a great idea if specific API commands could be allowed/blocked for specific users or user groups. This way the admins could choose to block the get user API command.

David-123

12-06-2019

Sorry, yes, there was a typo there: yes, block the specific API call for user information.