Expand my Community achievements bar.

Join us LIVE in San Francisco on November 14th for Experience Makers The Skill Exchange. Don't miss out on this free learning event!
SOLVED

Visibility of all personally identifiable information via Search bar typeahead

Avatar

Level 6

Can someone please confirm that it is possible for any user to view the profile of any other user and that there's no way to control this?

We are introducing new groups of users to the tool, and they have a very limited layout. They don't have access to the People tab, but if any of those users just starts to type a few letters in the Search bar, the suggested values will start to populate with names of other users. From there, anyone can then select the name of and view a person's profile including name, manager and contact information.

This is a security risk and possibly a violation of company policies to reveal personally identifiable information in this way. If this is indeed the way the system behaves, then shouldn't it be treated as a vulnerability and addressed as a bug (as opposed to a system enhancement)?

I would like to hear if there are any other administrators with similar concerns or if someone has figured out a workaround. We are using Workfront Classic, so I don't know if this has been addressed in the new Experience.

Thank you.

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Level 6

Thanks very much, @Doug Den Hoed‚. I followed slightly modified steps from your instructions using this path:

Workfront Classic > Setup > Access Levels > Add New Access Level > Users > View - leave "View Contact Info" unchecked. I also changed the additional restrictions below so that 1) users could View only companies, groups & teams they belong to and 2) People in other companies should only view users from...Their Company

That seemed to plug up the hole and stop external users from seeing people from their own teams. Thanks for the guidance!

Best,

Mylah

View solution in original post

4 Replies

Avatar

Community Advisor

Interesting requirement Mylah,

In Workfront Classic > Setup > Layout Templates > Add New Layout Template > Users > View, there is an option to turn off View Contact Information, as below. Perhaps by setting it "off" on the Layout Template(s) used by new groups of users, then logging in as a member of one of those new groups, you can confirm that the resulting behavior is sufficient to meet your personally identifiable information concerns.

Regards,

Doug

0690z000008Y8GuAAK.png

Avatar

Correct answer by
Level 6

Thanks very much, @Doug Den Hoed‚. I followed slightly modified steps from your instructions using this path:

Workfront Classic > Setup > Access Levels > Add New Access Level > Users > View - leave "View Contact Info" unchecked. I also changed the additional restrictions below so that 1) users could View only companies, groups & teams they belong to and 2) People in other companies should only view users from...Their Company

That seemed to plug up the hole and stop external users from seeing people from their own teams. Thanks for the guidance!

Best,

Mylah

Avatar

Level 6

I just wanted to add to this thread that we've found there is an unfortunate limitation when you restrict visibility to where "People in other companies should only view users from Their Company". The limitation is that, if you can't see a person (in dropdowns or pre-populated fields) because they're at another company, you also cannot tag them in Update threads.

Our organization relies on teams from various companies to collaborate with one another on Work Items. The visibility restriction makes it so we cannot allow users from different companies to tag one another (to get their attention thru notifications) when there is an update. We're pretty seriously hampered because we have to disallow people in Company A from tagging people from Company B if it means the personally identifiable info of everyone at Company B is exposed to Company A.

We are looking for different ways to work around this limitation that do not risk our liability.

Avatar

Level 6

I added an submission to the Idea Exchange to add more granularity to user visibility restrictions. Please upvote! :)

https://one.workfront.com/s/idea/0870z000000XiIzAAK/detail