As far as I can tell, your suggestion is not enforcing any restrictions, but is an example of an activity log notification system, e.g. “Notify these users when user X does action Y”. Right?
At the moment, our audit log tracks data modification activity (= edits) and not data viewing activity, so I think it is unlikely that we would be able to roll this out any time soon.
It’s also worth saying that the workspace UI is not the only way in which a user can access data in the workspace. What do you imagine would happen if the admin wanted to execute an API query on the data, bypassing the UI?
As an alternative, why not have a policy of multi-factor authentication for admins, and track the logins?
Keeping in mind the design of Fibery (Workspace admins should have access to all Spaces), I think we can say yes.
You’re right, I didn’t think about that. In this case, the user executing the API should be tested against the users of the Space to check the permission level. I do not have too much experience there so I don’t know if it’s possible. But basically, if a user tries to use the API against a private Space > check permission level on this Space.
We already have multi-factor authentication in place, but what about if abuse occurs? We cannot check if nobody is notified when someone goes into a private Space.
But this comes back to the issue that admins are axiomatically permitted to access everything in Fibery, so any check of permission level will automatically allow admins access.
Out of interest, how do you prevent/detect abuse within other tools?
Is it currently solved by having siloed tools used by different departments, such that each tool has its own admin?
What if someone in your IT department accesses data that is supposed to be ‘private’?
Correct, but if the admins of a private Space want to give explicit access to a Workspace admin, the Workspace admin should be added on the “Share this Space” page (or somewhere else, I don’t know) (even though they already have access). It’s a way to say to the system “this Workspace admin does not need to pass by the additional verification layer”. This way you will be able to determine which Workspace admins need to pass by the additional verification layer and which ones don’t. Again, you know better than me what is possible to do, it’s just an idea of the workflow.
I totally agree with you.
Admins are by definition people we can trust and generally from IT. Every system is different and every system has its mechanics to help (or not) administrators to administer the systems, including alerts for many of them. I’m just trying to imagine how it can be implemented in Fibery.
As you say, perhaps the solution is on the activity log notification system side.
Unfortunately, this would be in violation of the second axiom of the Fibery access model:
admins are permitted to do anything within the workspace (= cannot be inhibited from doing something)
Without that, there are potential workspace configurations which result in users irreversibly locking themselves out of data in the workspace.
For example, imagine that a workspace admin deletes the only user who is a creator in the ‘private space’.
Now, the admin can’t get into the space, because there is no user able to add them via the ‘Share this space’ page.
Thanks for the explanation, I realize I confused having Workspace admins and Space admins because the Space admins are the Workspace admins. There aren’t different admins. So by “admins of Space” understand the Creators, as it is the highest access level on a Space for a member who is not a Workspace admin.
I understand that the admins can do everything by design and my idea is not to restrict this. The idea is to have an element of control between the moment the Workspace admin clicks on the private Space and the moment he accesses the private Space. But this element of control will not restrict the Workspace admin from accessing the private Space. It is just a way to log the action and to notify the Creators of the private Space.
That’s why by “element of control” or “additional verification layer” I imagine a simple form where the Workspace admin needs to provide a reason for accessing the private Space so the Creators of the private Space are notified and the action is logged in the activity log. But in all cases, Workspace admins will be able to access the private Spaces.
The other point I was trying to explain is that perhaps there are private Spaces where we want some Workspace admins to access without providing a reason. In this case, the Workspace admin can be added in the “Share this Space”. Perhaps you can add a section “Workspace admins who don’t need to provide a reason to access this Space” on this page.
In relation to the API case, it is the same. If a Space is private, Workspace admins have access but they need to provide a reason in the command unless they are indicated in the section “Workspace admins who don’t need to provide a reason to access this Space”.
If a Workspace admin adds themselves to the “Workspace admins who don’t need to provide a reason to access this Space” list, members of the private Space are notified.
In all cases, if there are no Creators assigned for the Space, then the Space cannot be private. There should be at least 1 Creator so the Space can be switched to private (I mean a Creator who isn’t a Workspace admin).
Apologies for any misunderstanding and thanks for your consideration on this subject!
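To make the workflow proposed in this post concrete, here is a small model of it as an added example. It is not Fibery code and every class, field and function name in it is an assumption: workspace admins are never refused entry (the axiom from the earlier reply is kept), but opening a private Space through either the UI or the API requires a stated reason unless the admin is on the Space’s exemption list; each such entry is written to an audit log and the non-admin Creators are notified; a Space can only be switched to private while it has at least one non-admin Creator; and the lockout scenario from earlier in the thread (the only Creator is deleted) is played through to show the admin still gets in, with the access logged.

```python
"""Toy model of the 'reasoned admin access' workflow discussed above.

Constructed example, not Fibery code: all names here are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    MEMBER = "member"
    CREATOR = "creator"  # highest non-admin access level in a Space


@dataclass
class Workspace:
    admins: set = field(default_factory=set)           # workspace admins: always allowed in
    audit_log: list = field(default_factory=list)      # one entry per admin entry into a private Space
    notifications: list = field(default_factory=list)  # (recipient, message) pairs


@dataclass
class Space:
    name: str
    members: dict = field(default_factory=dict)        # user -> Role
    private: bool = False
    admin_exemptions: set = field(default_factory=set) # admins who need no reason here


class ReasonRequired(Exception):
    """Raised when an admin opens a private Space without stating a reason (the 'form')."""


def non_admin_creators(ws, space):
    """Creators of the Space who are not workspace admins (the people to notify)."""
    return {u for u, r in space.members.items() if r is Role.CREATOR and u not in ws.admins}


def make_private(ws, space):
    """A Space may only become private while at least one non-admin Creator exists."""
    if not non_admin_creators(ws, space):
        return False
    space.private = True
    return True


def add_admin_exemption(ws, space, admin, actor):
    """Exempt an admin from the reason form; every member learns who did it."""
    assert admin in ws.admins, "only workspace admins can be exempted"
    space.admin_exemptions.add(admin)
    for member in space.members:
        ws.notifications.append((member, f"{actor} exempted {admin} from giving a reason in '{space.name}'"))


def access_space(ws, space, user, reason=None, channel="ui"):
    """Return True if `user` may open `space`.

    Admins are never refused; for a private Space the entry is recorded and the
    Creators are told why, unless the admin is exempted. The rule is the same
    whatever the channel (UI or API).
    """
    if user not in ws.admins:
        return user in space.members
    if space.private and user not in space.admin_exemptions:
        if not reason:
            raise ReasonRequired(f"{user} must state a reason to open '{space.name}' via {channel}")
        ws.audit_log.append({"admin": user, "space": space.name, "channel": channel, "reason": reason})
        for creator in non_admin_creators(ws, space):
            ws.notifications.append((creator, f"{user} opened '{space.name}' via {channel}: {reason}"))
    return True


def delete_user(ws, user, spaces):
    """Remove a user everywhere; private Spaces stay reachable by admins (with a reason)."""
    for space in spaces:
        space.members.pop(user, None)
        space.admin_exemptions.discard(user)
    ws.admins.discard(user)


def demo():
    ws = Workspace(admins={"root"})
    hr = Space("HR", members={"alice": Role.CREATOR, "bob": Role.MEMBER})  # constructed data
    results = {"became_private": make_private(ws, hr)}
    results["member_in"] = access_space(ws, hr, "bob")
    results["outsider_out"] = access_space(ws, hr, "carol")
    try:
        access_space(ws, hr, "root", channel="api")  # admin, no reason: the form blocks
        results["form_enforced"] = False
    except ReasonRequired:
        results["form_enforced"] = True
    results["admin_in"] = access_space(ws, hr, "root", reason="payroll audit", channel="api")
    results["creator_notified"] = ("alice", "root opened 'HR' via api: payroll audit") in ws.notifications
    delete_user(ws, "alice", [hr])  # the lockout scenario: the only Creator is gone
    results["admin_still_in"] = access_space(ws, hr, "root", reason="restore access")
    results["log_entries"] = len(ws.audit_log)
    return results


if __name__ == "__main__":
    print(demo())
```

The model deliberately leaves the admin axiom intact: the only thing `access_space` ever refuses is a non-member who is not an admin, and the reason form is a logging gate, not a permission check.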
I get that it is possible to describe some kind of rule set which will allow you to achieve a degree of control/visibility over admin access, but having these sorts of hardcoded rules is somewhat antithetical to the Fibery principles (flexible, open platform, upon which a number of use cases can be built).
Overall, I would strongly encourage you to think about what you can achieve by having as few workspace admins as possible (ideally only one) and not using an admin account for every day tasks - only on the rare occasions where creator access in the relevant spaces is not sufficient (e.g. inviting/managing users).
The admin account(s) need not be tied to a single person (and you could even require minimum two people to be present when logging into the user account, perhaps with decentralised partial password access). Maybe the company can have policies for submitting requests for configuration changes to be carried out under the auspices of the workspace admin account.
Overall, I think there is more chance of this feature being implemented, combined with notifications to specific users when the toggle (to “admin mode”) is enabled.
What would your suggestion be for each team member being able to connect their email, slack, google calendar and having a place to keep private tasks in such a way that no-one can see them unless they explicitly decide to share it? And in a way that is simple and easy for them?
The way Google Workspace and other software deal with this is that when a user is deleted you are offered the opportunity to transfer their ownership of files to another user or to delete it along with them.
This is definitely a use case for which ‘private databases’ would be a good solution (as opposed to the discussion above about ‘sensitive databases’) but it would also require a violation of the principle that an admin has access to everything.
In this case, the possibility of losing access to data in the workspace (in this case, the member’s emails) is maybe an acceptable risk to live with, or can be addressed with your suggestion:
Unfortunately, I don’t know if/when private databases will become a thing.
Yes, we already limit the number of admins and apply the least privilege principle. We also always try to work on the daily tasks with a standard account instead of an admin account when the tool permits it.
I know that technically, we can create an account that is not linked to someone. But generic accounts aren’t recommended in the IT world and a backup is always needed. So it means at least 2 additional licenses for 2 people (not a good argument to convince the boss).
Yes, I voted for it, I think it’s a good step forward. I’m curious to see the feature in action and how the notifications will work if it’s implemented.
Thanks for the time you spent on this subject, I really appreciate this kind of exchange and I really hope that a solution can be implemented in future. Thanks for your work.
Was thinking about databases for emails and calendars not being viewed by any other admins regardless of how few admins you have in workspace, and I realized one of my posts from a long time ago is really a private database issue so linking here: Admin permissions refinement
From an IT Management perspective, I think Fibery’s existing approach is the right one.
Sharepoint/Microsoft and Google Workspace give people the illusion of privacy by restricting IT admins from seeing their data when signed in normally, but that doesn’t mean SuperAdmins cannot have access. This is aligned with the fact that all company resources belong to a company (storage space, software access, etc).
I think having Personal spaces is the current solution, where the admin creates a space that matches a user’s name and gives them creator access. Then the admin account moves this space to “Hidden for Me” - that’s effectively what any enterprise tool does.
However, a key difference between Fibery and such tools and Google/Microsoft is that it is a collaboration tool that often exists outside of a single legal entity structure. It’s pretty common for users to be of different organizations or hiring statuses (contractors, employees, friends etc) and there not to be a hierarchy at all.
My advice to anyone in the US at least is to keep personal accounts separate from work accounts and only consider “personal” at work to be things that are company related.