Level 4
May 30, 2020
Solved

Visibility of all personally identifiable information via Search bar typeahead

Can someone please confirm that it is possible for any user to view the profile of any other user and that there's no way to control this?

We are introducing new groups of users to the tool, and they have a very limited layout. They don't have access to the People tab, but if any of those users just starts to type a few letters in the Search bar, the suggested values will start to populate with names of other users. From there, anyone can then select the name of and view a person's profile including name, manager and contact information.

This is a security risk and possibly a violation of company policies to reveal personally identifiable information in this way. If this is indeed the way the system behaves, then shouldn't it be treated as a vulnerability and addressed as a bug (as opposed to a system enhancement)?

I would like to hear if there are any other administrators with similar concerns or if someone has figured out a workaround. We are using Workfront Classic, so I don't know if this has been addressed in the new Experience.

Thank you.

4 replies

Doug_Den_Hoed_AtAppStore
Community Advisor
May 31, 2020

Interesting requirement Mylah,

In Workfront Classic > Setup > Layout Templates > Add New Layout Template > Users > View, there is an option to turn off View Contact Information, as below. Perhaps by setting it "off" on the Layout Template(s) used by new groups of users, then logging in as a member of one of those new groups, you can confirm that the resulting behavior is sufficient to meet your personally identifiable information concerns.

Regards,

Doug

Mylah_D
Author
Accepted solution
Level 4
June 3, 2020

Thanks very much, @Doug Den Hoed. I followed slightly modified steps from your instructions using this path:

Workfront Classic > Setup > Access Levels > Add New Access Level > Users > View - leave "View Contact Info" unchecked. I also changed the additional restrictions below so that 1) users could View only companies, groups & teams they belong to and 2) People in other companies should only view users from...Their Company

That seemed to plug up the hole and stop external users from seeing people from their own teams. Thanks for the guidance!

Best,

Mylah

Mylah_D
Author
Level 4
June 30, 2020

I just wanted to add to this thread that we've found there is an unfortunate limitation when you restrict visibility to where "People in other companies should only view users from Their Company". The limitation is that, if you can't see a person (in dropdowns or pre-populated fields) because they're at another company, you also cannot tag them in Update threads.

Our organization relies on teams from various companies to collaborate with one another on Work Items. The visibility restriction makes it so we cannot allow users from different companies to tag one another (to get their attention thru notifications) when there is an update. We're pretty seriously hampered because we have to disallow people in Company A from tagging people from Company B if it means the personally identifiable info of everyone at Company B is exposed to Company A.

We are looking for different ways to work around this limitation that do not risk our liability.

Mylah_D
Author
Level 4
June 30, 2020

I added a submission to the Idea Exchange to add more granularity to user visibility restrictions. Please upvote! :)

https://one.workfront.com/s/idea/0870z000000XiIzAAK/detail