There are various regulations governing the handling of Personal Identifiable Information (PII). Based on the definition of PII, if you can see a user's profile in Workfront, you can see their contact info and manager, and that is already PII.
Workfront currently allows 4 controls allowing admins to restrict profile visibility using Access Levels:
1) Access Level > Users > View - leave "View Contact Info" unchecked
2) Additional Restriction: Users could View only companies, groups & teams they belong to
3) Additional Restriction: People in other companies should only view users from...Their Company
4) Additional Restriction: People in other companies should only view users from...Primary Company
What is not offered is the ability to restrict People in other companies so they can only view user profiles from groups or teams at other companies with which they're explicitly working.
There is an unfortunate limitation for us with current functionality, because if you can't see a person (in Search Bar typeahead) due to restrictions because they're at another company, you also cannot tag them in Update threads.
Our organization relies on teams from various companies to collaborate with one another on Work Items. The visibility restriction makes it so we cannot allow users from different companies to tag one another (to get their attention thru notifications) when there is an update because it means they can see EVERYONE at the other company. We're pretty seriously hampered because we have to disallow people in Company A from tagging people from Company B if it means the personally identifiable info of everyone at Company B is exposed to Company A.
PROPOSED IDEA: add another level of granularity so that users from one company can at least tag users from diffferent companies, as long they are all in the same team or group, while still preventing them from seeing ALL users from any other company.
Plugging up this hole should allow maximum availability of the Updates tagging feature without exposing Workfront customers to liability of sharing PII unnecessarily.