Can developers address security loopholes in proof notification links?

Level 2

I recently had the experience of a guest user gaining unauthorized access to my account when I inadvertently forwarded an internal proof notification.

Support explained the following: "From what you are saying it sounds like those users are getting your routing link through a forwarded email, and they aren't noticing that it's logging them in as you. The URL attached to those emails is linked to your credentials for that proof, so anyone who follows the link will be entered into the proof as you. There is a setting on each proof to change that behavior by requiring users to log in to the proof, that will prevent people who ended up with your personalized link from making changes as you. This will, however, prevent unlicensed users from accessing the proof. If all of your work is done internally and you don't have to have guest users, and external users access the proof then this would be the best route. If you do need external users to have access then it would be best to not forward notification emails from proof, as they contain that personalized link."

Would it be possible in a future update to close this loophole by somehow referencing IP addresses to block this type of access to guest users?

21 Replies

Employee

Hey Joel,

Do you have access to the Innovation Lab to submit this as an official "idea" that other people can vote on? Also, I'll be sure to send this to the product managers over proof and see what we can do on that end as well.

Kyna

Level 2

Hi Kyna. I am new to the community and thought I had submitted to the Lab. I've just done a deeper search, and found what you refer to. I will submit it as you suggested. Thank you!

Employee

Wonderful! I'm so glad you're here (in the Community), that you're posting (I really hope to see more questions from you over time) AND I'm glad you found the Innovation Lab. For future reference, when you submit an idea to the Innovation Lab, it's totally okay to post about it in the community as well so others might see it in the digest emails and go and vote on your idea!

Level 10

@Kyna Baker - inactive, well-meaning as "put it in Innovation Lab" seems, there are too few Workfront Proof users vs. mainline Workfront users to get much traction in the Innovation Lab on Proof issues; so I don't find it to be a viable avenue for changes not directly related to Workfront.

I've received the answer @Joel Clements had, and a few other variants on a theme, and they really come off as "it's working as intended, sorry" or "train your users better, sorry."

We've considered this a glaring security issue since we joined Workfront and are of the opinion this should be taken-up ASAP and not part of the wait-for-a-vote Innovation Lab (previously Idea Exchange) route. It creates a huge accountability issue and other systems of this type provide links that still require the user to log-in as themselves. Security 101 really.

Embedded credentials on a URL link may as well be the same as plaintext login, which is a much frowned-upon IT practice; just to name one way to look at this…I can go on with more reasons this practice is bad for security, accountability, a paper trail in Legal/Regulatory environments.

I suggest Joel do what we did and push via their account representative as well, I think WF needs to know this isn't just an "idea," it's really a serious bug/oversight. Also feel free to mention my ticket #00235420.
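The difference between the behaviour Support describes in the opening post (the link itself acts as the addressee) and the alternative argued for above (the link only locates the proof, and the actor is whoever is signed in) can be shown in a small model. This is an added example, not Workfront code and not written by anyone in this thread; the token format, function names, addresses and the idea that a guest can hold a verified session are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # placeholder signing key, example only

def make_link(proof_id, recipient):
    """Build the token carried in a notification link (hypothetical format)."""
    body = base64.urlsafe_b64encode(
        json.dumps({"proof": proof_id, "to": recipient}).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def read_link(token):
    """Verify the signature and return the claims, or raise PermissionError."""
    body, _, sig = token.partition(".")
    good = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), good.encode()):
        raise PermissionError("invalid link")
    return json.loads(base64.urlsafe_b64decode(body))

def act_with_bearer_link(token, session_email, action):
    """Link-as-credential: whoever holds the link acts as the addressee."""
    claims = read_link(token)
    # session_email is ignored, so a forwarded link impersonates the addressee
    return {"proof": claims["proof"], "action": action, "actor": claims["to"]}

def act_with_bound_link(token, session_email, action, reviewers):
    """Link only locates the proof; the actor is the verified session user."""
    claims = read_link(token)
    if session_email is None:
        raise PermissionError("sign in or verify your e-mail address first")
    if session_email not in reviewers:
        raise PermissionError("not a reviewer on this proof")
    return {"proof": claims["proof"], "action": action, "actor": session_email}

if __name__ == "__main__":
    # Constructed sample: a link addressed to the owner is forwarded to a guest.
    link = make_link("proof-42", "owner@example.com")
    reviewers = {"owner@example.com", "guest@example.com"}
    print(act_with_bearer_link(link, None, "approve"))  # logged as the owner
    print(act_with_bound_link(link, "guest@example.com", "approve", reviewers))
    try:
        act_with_bound_link(link, None, "approve", reviewers)
    except PermissionError as err:
        print("rejected:", err)
```

In the bound variant the audit trail records the guest's own address for the same forwarded link, and an anonymous click is rejected instead of being attributed to the owner.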

Level 2

Thanks for sharing your experience, Kevin.

When I first saw my decision on a proof changed, and then saw comments on a proof attributed to me which I did not make, I was quite confused. When I was told that anyone who gets hold of my personal proof link can access proofs without needing login credentials… well, I was deeply disturbed!

The latest incident resulted in mass confusion regarding proof feedback and logged decisions, and a missed deadline. Luckily this happened with a longtime customer, and I didn't have to do much to repair my credibility with them.

As you said, this is a GLARING security issue.

I will also try to see if anyone at Workfront will take this issue seriously.

Cheers,

Joel

Level 2

Just got off the phone with Customer Service. The system is set up to allow guest users access without the need for credentials (because they can only store credentials for licensed users) – which means that if they get hold of a licensed user's proof notification link, the guest user can access the customer's account. The option (which isn't really a viable option) is to set proof permissions to require login to view a proof – which means only Workfront account holders could view the proof. It's a classic "Catch-22".

“There was only one catch and that was Catch-22, which specified that a concern for one's safety in the face of dangers that were real and immediate was the process of a rational mind. Orr was crazy and could be grounded. All he had to do was ask; and as soon as he did, he would no longer be crazy and would have to fly more missions. Orr would be crazy to fly more missions and sane if he didn't, but if he was sane he had to fly them. If he flew them he was crazy and didn't have to; but if he didn't want to he was sane and had to.” 😆

Level 8

@Joel Clements and @Kevin Quosig We have this same issue. The workaround is to train our proof creators and owners to share their proofs via the share button rather than forwarding on emails or links.

It works, but it would be very nice if they didn't have to avoid the obvious 'forward.' Happy to add my support to wherever is needed to try and get some traction on this.

Level 10

@Samantha Isin

Yeah, my gripe is the instant you have to "train around" a more natural behavior (forwarding), you're in for an uphill battle. My career is littered with the battle scars of the phrase "just train around it." You don't even realize you've said it two dozen times as you're configuring the product and next thing you realize that half your process is a work-around. *ugh*

My response to that is now, reflexively, "make your product more intuitive." (Or barring that, configurable.)

I have nothing against others here who love the free-for-all forwarding as a point of flexibility. I just want the option to have best practices for security. The product should have started with that premise, then made "less secure" the optional part.

I think of it in terms of a network firewall at the corporate level: you start with "lock out everything" and then decide on a case-by-case basis what to let through after examining the risk.

Community Advisor

We forward proof notifications pretty regularly - to reviewers who do not have a Workfront login - and have to constantly remind them NOT to use the Make Decision button. We've found forwarding the proof (mostly) works for us, except for the confusion that is caused when comments are made by someone other than who it looks like made them.

We wouldn't want to have to create a Workfront account for EVERY SINGLE proof reviewer. But ideally (for us) that forwarded notification would allow the reviewer to get into the proof and make their edits (no decision) but also require them to enter their name, email, or both just so we know who made the comments.

Level 10

Unfortunately, we need more accountability than that and a bullet-proof paper trail. We also have legal and IP protections to consider.

A proof reviewer should only be allowed to access a proof as themselves so there is full accountability and no possibility of confusion who made a comment or approval. No accidents, no "do not touch that" training.

I'm all for the usual "don't take options away, add new ones" if @Heather Kulbacki's needs are common. But we need strict, industry-standard security standards as an option.

Level 2

Heather, you don't need to create an account for every single proof reviewer. You can invite reviewers as "guest users". Just add their email address in the Workflow when you create your proof and they will have access under their own identity without needing a paid Workfront account. This sends them a link to the proof, and any comments and decisions are attributed to them. Guest users do not need a Workfront account.

However, if you enable the "Secure proofing" under proof setting, only licensed users can access a proof.

Community Advisor

For us, the person creating the proof and setting up the workflow doesn't know who these reviewers are that the notification gets forwarded to. We have one contact that we send the proof to and it's their responsibility to get additional comments from whoever else needs to review.

We've also tried using the "forward this proof to someone else" link and have found that has too many hoops to jump through before any additional reviewers can actually access the proof, since the proof owner needs to approve anyone added this way plus someone has to move that user to the correct stage once approved.

Ideally, for us, when someone uses the "forward this proof to someone else" link, anyone added would be added to the same stage as whoever is adding them and no one else would have to approve whoever is added before they can actually access the proof.

But I'm sure there are other organizations that would still want a project owner or proof owner to approve anyone added to a proof before access is allowed.

Level 10

Oh I read this out of order. We have the same process where the designer doesn’t know who needs to approve so he shares it only to the (worker license) manager who makes that decision and goes back into the proof and shares it with the correct people by sharing it with them in the correct part of the workflow. We find forwarding really screws things up and causes so much confusion, and also you can’t have in-proof conversations about edits. The danger with this then lies in version 2 where the designer MUST remove those new people as they are automatically populated into the sharing list. Note we don’t use automated workflows, as every proof is unique and we can’t find a way to automate that so it makes any sense, we have more exceptions than rules.

Level 10

Heather I don’t understand this. You don’t need any license to review a proof or even have to create an account for a new proofer. We send proofs to dozens of people outside our company with no problem. When you share the proof — from within the proof — the user gets added to a user list that resides only within the Proof part of the app and so when they get the notification with the proof link it is for them and their name appears in their comments and they can approve the proof, no sharing of a log in is necessary. Maybe I’m missing some rationale why you are doing this?

Level 2

I am not an IT expert, but I would think there must be a way to utilize IP addresses to solve the security issue. When I spoke to Customer Support yesterday it was clear to me that they know this is an issue, but there is little will on their part to address it. They just say "Don't share your proof notifications with anyone".

Level 10

Hi - For me personally, it doesn't make any sense for the Designer to be the one in charge of a proof if they do not know who the reviewers are. There are two options I see..

1 - The Designer still creates the proof but makes the Project Owner the proof owner (you can have different proof owners and proof creators). The Project Owner then goes in and adds the correct reviewers and manages everything else from there.

2 - For the first version, the designer uploads the file as a regular document. The project Owner then uses the new-ish Create Proof option (which allows for Basic or Advance for those using workflow templates) and they own the proof. When the designer is done creating Version 2, they can upload it to a comment on the first version and tag the Project Owner. This way, they can see if all the comments have been resolved as well as download the V2 to upload to the proof.

We have over 700 proofs a day and 13,000 and we have never needed to forward an email notification to someone. As mentioned above, you can easily add guests to your proofs just by adding their email address to it. Complicating it with IP addresses (especially in this remote working world), doesn't seem necessary to me.

Level 10

Hi Anthony - the one part of your process that I don't understand is why not upload V2 as a proof and delete all the existing people except the one who is the actual owner who can then easily use the compare tool for V1 to V2?

We also do something new that has been kind of working for certain types of projects that require quicker turnaround -- still some training of the designers to read the brief! In the brief we have a space to list who should get the V1 proof so the designer can share it correctly when they upload it. This saves about 1/2 day waiting for the manager to get to it, and moves things along a bit faster. Of course this only is for internal proofs as we wouldn't want an external person to see a proof before we have signed off internally first. Then the project manager shares it with any additional external or other stakeholders once they are ok that it is ready to be shared, or decide to wait for V2 if the edits are material or embarrassing.

Level 10

Hi Jill - The designer doesn't want to have to delete 30-something people and the project owner doesn't want to have to add them back every time. Our templates don't have people in every stage as you might not the Copy, Art, Dev, or Studio operator for the piece. (And you can't attach a template mid-flight with an empty stage). Besides, this could cause issues where someone was on Version 1 but forgotten on Version 2.

The Project Owner is just doing a quick glance to make sure all comments marked To Do are resolved and just a quick look over it. It isn't a full review. That is what Proofreading and Account are for. ;)

Level 10

I didn't know you can't add a template mid-flight. It's so interesting to me to hear how other people manage their workflows, always looking for ideas on how to do it better. We are a small group, with 4 proofs on a very busy day. 600 makes me a little nauseous.