Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

Restrict User Visibility by Group/Team/Job Role Membership (not Company)

Avatar

Level 5

30-06-2020

There are various regulations governing the handling of Personal Identifiable Information (PII). Based on the definition of PII, if you can see a user's profile in Workfront, you can see their contact info and manager, and that is already PII.


Workfront currently allows 4 controls allowing admins to restrict profile visibility using Access Levels:


1) Access Level > Users > View - leave "View Contact Info" unchecked

2) Additional Restriction: Users could View only companies, groups & teams they belong to

3) Additional Restriction: People in other companies should only view users from...Their Company

4) Additional Restriction: People in other companies should only view users from...Primary Company


What is not offered is the ability to restrict People in other companies so they can only view user profiles from groups or teams at other companies with which they're explicitly working.


There is an unfortunate limitation for us with current functionality, because if you can't see a person (in Search Bar typeahead) due to restrictions because they're at another company, you also cannot tag them in Update threads.

Our organization relies on teams from various companies to collaborate with one another on Work Items. The visibility restriction makes it so we cannot allow users from different companies to tag one another (to get their attention thru notifications) when there is an update because it means they can see EVERYONE at the other company. We're pretty seriously hampered because we have to disallow people in Company A from tagging people from Company B if it means the personally identifiable info of everyone at Company B is exposed to Company A.


PROPOSED IDEA: add another level of granularity so that users from one company can at least tag users from diffferent companies, as long they are all in the same team or group, while still preventing them from seeing ALL users from any other company.


Plugging up this hole should allow maximum availability of the Updates tagging feature without exposing Workfront customers to liability of sharing PII unnecessarily.


2 Comments

Avatar

Level 2

14-07-2021

Thanks for raising this one Mylah. I do see a lot of use cases for our instance where we have multiple account teams working together on certain projects. I would really like to see this gain traction. 🙂

Avatar

Level 2

20-08-2021

One amendment I would add to the proposed idea is if the the users with differing companies have the same object shared with them, then they should be allowed to tag each other on that object.