Welcome to the Smartsheet Forum Archives
The posts in this forum are no longer monitored for accuracy and their content may no longer be current. If there's a discussion here that interests you and you'd like to find (or create) a more current version, please Visit the Current Forums.
Security loophole
We have a sheet containing sensitive data in several columns. We limit the visibility of this data by hiding the columns, so only Admin users on the sheet can unhide/view the data. However, any Smartsheet licensed user, including those with only Viewer privileges, can circumvent the sheet security by simply saving the sheet as a NEW sheet - open the new sheet and unhide all columns. Voila! The sensitive data is now visible. How do we protect sensitive data in Smartsheet?
Comments
-
They don't even have to do that. Just right-click any row and select edit.
-
I raised a similar issue last year here in the community:
https://community.smartsheet.com/discussion/security-restricition-user-rights-within-reports
It was something I stumbled upon by accident: People not having the right to change the visibility status of columns can easily export the sheet/report and within the export popup window one can easily "re"define the columns to be exported - the visible and the hidden.
I also considered it as a security hole / backdoor because it reduces the actual very cool feature of hiding information (so only authorized people can see it) to more or less a layout feature...
-
It also exists on reports as well, where you'd think that an unlisted (different from hidden) column would be implicitly protected from view, however, the Edit Row and Send Row features get around it.
-
Thanks for the confirmations on this issue. I'll resubmit to tech support and attempt to further our case for escalating this on the product roadmap. This is really an enormous security oversight.
-
Hi All, whenever we have been Consulting or Training on Smartsheet, we have always advised clients that Hiding columns is purely for the benefit of Decluttering the Sheet and improving focus on what matters. Hiding was never an option for keeping confidential information private from collaborators; that requires a different workflow design.
So, I'm sorry if this is a surprise to many of you, but it is the way it has always been; it should have been part of your initial discovery activities and diligence.
It is as important that you realise these things as it is all the wonderful things you can achieve with Smartsheet.
Regards to all.
RichardR
-
Hi All,
As you've all found—currently when you share a sheet the shared user can see all of the sheet. There isn't a method to securely hide data from a user or share only portions of the sheet, but I've passed your feedback to our Product team for looking into this for the future.
If you'd like a user to only be able to update certain rows, you might consider sending recurring Update Requests (http://help.smartsheet.com/customer/portal/articles/504779) via email as an alternative to Sharing.
If they don't need to edit any data but you want them to be able to view it, you could create a Report (http://help.smartsheet.com/customer/portal/articles/522214) showing all rows that are appropriate to expose to the user; then, either send the report as an attachment via email (http://help.smartsheet.com/customer/portal/articles/516096) on a scheduled basis, or publish the report (http://help.smartsheet.com/customer/portal/articles/522078#publishreports) to a public link (URL). Anyone can then use the link to see (but not edit) the report.
-
Well, let us not forget that if that person gets notifications on that sheet then they will also see all of the hidden columns and data. Notifications have a habit of ignoring your sheet formatting (including hidden columns) and spitting out everything on the sheet.
This is not only something that could affect your data security, but it should influence your sheet design because having many hidden columns in your sheet will make your alerts look awful.
-
Excellent point.