Security: Restricition of user rights within reports

Hello,

let's say I have set up a report to share information to specific users. Within the report several columns of the underlying sheet are hidden, because the viewer is not allowed to see them.

When a user (e.g. with the rights of a "view only") opens the report he only sees the columns that he should see - ok. He is not allowed to change the setup of the report - perfect.

But Smartsheets now offers an option for the "view only" user that I would not have expected, that it's given:

It's within the "Send as email" functionality. He can mark rows within the report and choose "Send" from the context menu of the row transactions. Within the popup he is offered to choose which columns to send. After clicking the button he get's the full range of columns to select from - visible columns but also the hidden columns. In the result the recipient gets an email with all rows that where marked and all columns that where selected. By the way this also works with the role "editor"...

Does anybody know how I can switch off this functionality?

I could not find it...

If it's not possible I'm a bit concerned, because IMHO he must not have this freedom of choice, because its foils the authorization scheme...

Best

Dietrich

PS:

Another question goes to the "copy" function of the context menu.

Same situation. Instead of sending the rows I chose "copy" from the context menu but I did not manage to insert the copy into another application like MS Word or MS Excel.

Does anybody know how to use this copy function?

Find more posts tagged with

Security

Account and User Management

Comments

J. Craig Williams

Dietrich,

Which context menu are you referring to, specifically?

Also Smartsheet,

I agree with Dietrich, please close this security hole.

Craig

Kennedy Stomps

Hi Dietrich and Craig-- Thanks for bringing this up. In looking into this, though I do think this functionality could be improved, I'm not sure it's truly a security hole. Even users who are just viewers on the Report need to be shared on the report's source sheets in order to view data in the Report. If they're shared to the source sheet with any level of permission, they're able to export the sheet to Excel, which would ultimately allow them to view these columns anyways, even if the columns are hidden in both the source sheet and report.

I'll personally pass your feedback on preventing View-only users from being able to modify the columns sent in "Send Row" emails from a Report to our Product Team, but wanted to clarify and confirm that any user shared to the source sheet could still view the "hidden" data, so they ultimately do not have access to any data that has not already technically been shared with them.

Dietrich Koch

Hi Kennedy,

Hi Craig,

sorry for my late answer...

Kennedy-- the bug lies within the export function. It does not take care of the right, a user was given, but grants full access to all information within the sheet! And this is totally different to the way of handling user rights within the rest of smartsheet.

My understanding was always, that a user, regardless if he's an editor or a viewer, can only see what I allow him to see. If I decide to NOT show him a column, then it's for the reason that I do not want him to see the data behind. And since he, again regardles if he is an editor or viewer, is not allowed to unhide the hidden columns neither in the source sheets, nor in reports, I thought this was exactly your intention with implementing the "hide"-function. It works perfect.

So I definitively can not follow your argumentation. They use the software "as is" and

they only see what they are allowed to see and can not change it. The problem comes with the export function that does not recheck, if the user is allowed to see hidden columns. With the export they have an unexpected freedom that they must not have. From my point of view this is definitely a security bug!!

In the end it reduces the function of hiding columns to some kind of layout feature...

All my colleagues who want to share sheets with different customers now have to check again their sheets against this bug and we will have to reconstruct them in order to prevent unwanted disclosure of information.

I can hardly imagine, that I'm the only one having problems with this security bypass.

And again, this goes for both editors (both types) and view-only users!!!

What are your plans?

J. Craig Williams

I agree with Dietrich. Definitely a security hole.

Craig

Dietrich Koch

Hi Kennedy

with the release of “Card View” – which is really cool – I noticed the same behavior/understanding of security again. I used the card view within a sheet with hidden columns and logged in as an editor. When I choose “Edit…” from the context menu on a card the pop-up window shows ALL columns, the visible and the hidden...

Dietrich

Dietrich Koch

Hi Kennedy,

any news on this topic?

Is it someting you think about covering in (near) future releases?

Best

Dietrich