Welcome to the Smartsheet Forum Archives


The posts in this forum are no longer monitored for accuracy and their content may no longer be current. If there's a discussion here that interests you and you'd like to find (or create) a more current version, please Visit the Current Forums.

Security loophole

Wes
Wes ✭✭✭
edited 12/09/19 in Archived 2017 Posts

We have a sheet containing sensitive data in several columns. We limit the visibility of this data by hiding the columns, so only Admin users on the sheet can unhide/view the data. However, any Smartsheet licensed user, including those with only Viewer privileges, can circumvent the sheet security by simply saving the sheet as a NEW sheet - open the new sheet and unhide all columns. Voila! The sensitive data is now visible. How do we protect sensitive data in Smarthseet?

Comments

  • John Sauber
    John Sauber ✭✭✭✭✭✭

    They don't even have to do that. Just right-click any row and select edit.

  • Dietrich Koch
    Dietrich Koch ✭✭✭✭✭✭
    edited 02/21/17

    I raised a similar issue last year here in the community:

    https://community.smartsheet.com/discussion/security-restricition-user-rights-within-reports

     

     

    It was something I stumbled upon by accident: People not having the right to change the visibility status of columns can easily export the sheet/report and within the export popup window one can easily "re"define the columns to be exported - the visible and the hidden.

     

    I also considered it as a security hole / backdoor because it reduces the actual very cool feature of hiding information (so only authorized people can see it) to more or less a layout feature...

     

  • John Sauber
    John Sauber ✭✭✭✭✭✭

    It also exists on reports as well, where you'd think that an unlisted (different from hidden) column would be implicitly protected from view, however, the Edit Row and Send Row features get around it.

  • Wes
    Wes ✭✭✭

    Thanks for the confirmations on this issue. I'll resubmit to tech support and attempt to further our case for escalating this on the product roadmap. This is really an enormous security oversite.

     

  • Richard Rymill SBP
    Richard Rymill SBP ✭✭✭✭✭✭

    Hi All whenever we have been Consulting or Training on Smartsheet, we have always advised clients that Hiding columns is purely for the benefit of Decluttering the Sheet and improving focus on what matters. Hiding was never an option for keeping confidential information private from collaborators, that requires a different workflow design. 

    So, im sorry if this is a surprise you many of you but it is the way it has always been, it should have been part of your initial discovery activities and diligence.

    it is as important that you realise these things as it is, all the wonderful things you can achieve with Smartsheet. 

    Regards to all. 

    RichardR

     

     

  • Hi All,

     

    As you've all found—currently when you share a sheet the shared user can see all of the sheet. There isn't a method to securely hide data from a user or share only portions of the sheet, but I've passed your feedback to our Product team for looking into this for the future.

     

    If you'd like a user to only be able to update certain rows, you might consider sending recurring Update Requests (http://help.smartsheet.com/customer/portal/articles/504779) via email as an alternative to Sharing.

     

    If they don't need to edit any data but you want them to be able to view it, you could create a Report (http://help.smartsheet.com/customer/portal/articles/522214) showing all rows that are appropriate to expose to the user; then, either send the report as an attachment via email (http://help.smartsheet.com/customer/portal/articles/516096) on a scheduled basis, publish the report (http://help.smartsheet.com/customer/portal/articles/522078#publishreports) to a public link (URL). Anyone can then use the link to see (but not edit) the report.

  • Brad Jones
    Brad Jones ✭✭✭✭✭✭

    Well, let us not forget that if that person gets notifications on that sheet then they will also see all of the hidden columns and data.  Notifications have a habit of ignoring your sheet formatting (including hidden columns) and spitting out everything on the sheet.

     

    This is not only something that could affect your data security, but it should influence your sheet design because having many hidden columns in your sheet will make your alerts look awful.

  • Wes
    Wes ✭✭✭
    edited 02/26/17

    Excellent point.

     

This discussion has been closed.