@ashrafsam I noticed at the top we can click our name, and a context menu appears saying {Name's} Project. Is there any way to create additional projects? I couldn’t see how.
The reason I ask is that I noticed when adding team members, it doesn’t create a separate workspace. This can be lethal for numerous reasons:
- They have access to all of your current flows. Some of which you may want to remain hidden.
- In each flow, they have access to all of your previous connections, meaning they can select files from any platform you have linked up to. While not an immediate threat, they could sabotage previous documents in your Google Drive if they became disgruntled.
- They can also select any of your connected API keys for things like ChatGPT, where it would make more sense for them to enter their own.
Are you aware of this? Even if we can only create one workspace/project, we should at least be able to assign users to a specific folder, and additional permissions should let us choose what they can and cannot access.
Kind regards,
David Gunner
EDIT
This also leads me to believe that, in theory, if the person I added to my team had a sheet in their Google Drive called logins, then, provided they have linked up to their Google Drive in ActivePieces, although I can’t directly access their drive, I could select that sheet from their connected folder. I could then use something like GetRows and collect all of that data from their sheet and then have it output to a new sheet in my Google Drive. I understand that you would likely not have this problem from someone on your team, but it seems like a significant security flaw.
Unless I am mistaken?
Further Edit
I wanted to test my theory, so I created a free account with an additional email address. I added my other email as a team member on my main account, with EDITOR privileges.
(NOTE: This answered my question above about being able to switch through projects; it seems that you can choose between them).
Step 1:
On my main account, I created a Google Sheet called ‘logins’ that contains some dummy data.
Note how it is also set to private/only accessible by me.
But because my drive is linked to my main account to give access to ActivePieces, I can now log in to my other email account (the free one with EDITOR privileges), to which I was added as a team member.
From here, I can create a new flow.
As you can see, I can instantly connect to the primary account holder’s Google Drive. I can access their private files (ref: logins sheet) and then use a Google Sheet Trigger/Action to scrape their data (as seen in the sample data output).
The same applies to the primary account holder’s OpenAI API keys.
These are only two things, but they seem like a security flaw. I know there is the option of VIEW ONLY, but that doesn’t seem so practical if you want to allow team members to make flows. Another example might be if I had my email clients connected: that user could access my emails and send emails out as me.
I think that there needs to be more control. Perhaps it would be better to keep projects/workspaces separate and allow sharing of specific flows (but not connections) between workspaces. (Think how you can add a user to a Google Sheet; perhaps this would be a good approach for flows. You can add a user to a flow.)
And maybe the ability to switch team members’ account permissions. If I invite someone as a team member with EDITOR permissions, I cannot switch their permissions to VIEW ONLY or ADMIN without deleting them from my team and inviting them again.
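
The access-control difference discussed in this post, as an added example that is not part of the original post and is not Activepieces code: a constructed model comparing project-wide connection sharing with per-connection grants. All class, function and connection names and the e-mail addresses are hypothetical, and treating a VIEWER role as unable to select connections is an assumption.

```python
from dataclasses import dataclass, field

# Hypothetical policy model; nothing here is an Activepieces API.
ROLES_THAT_BUILD_FLOWS = {"ADMIN", "EDITOR"}  # assumption: VIEWER cannot build flows


@dataclass
class Connection:
    name: str
    owner: str                                    # user who linked the account or key
    granted_to: set = field(default_factory=set)  # users explicitly allowed to use it


@dataclass
class Project:
    members: dict      # user -> role
    connections: list  # every connection stored in the project


def usable_project_wide(project, user):
    """Model of the reported behaviour: a flow-building member can pick any connection."""
    if project.members.get(user) not in ROLES_THAT_BUILD_FLOWS:
        return []
    return [c.name for c in project.connections]


def usable_scoped(project, user):
    """Model of the requested behaviour: the role allows building flows,
    but a connection is usable only by its owner or by explicit grant."""
    if project.members.get(user) not in ROLES_THAT_BUILD_FLOWS:
        return []
    return [c.name for c in project.connections
            if user == c.owner or user in c.granted_to]


def build_sample():
    """Constructed sample project: one owner, one invited editor, one viewer."""
    owner, editor = "owner@example.test", "editor@example.test"
    connections = [
        Connection("google-drive", owner),
        Connection("openai-key", owner),
        Connection("team-sheets", owner, {editor}),  # deliberately shared
        Connection("editor-openai", editor),         # the editor's own key
    ]
    members = {owner: "ADMIN", editor: "EDITOR", "viewer@example.test": "VIEWER"}
    return Project(members, connections)


if __name__ == "__main__":
    project = build_sample()
    for user in project.members:
        print(user, usable_project_wide(project, user), usable_scoped(project, user))
```

Under the scoped check the owner also loses access to the editor's own connection, which covers the reverse case raised in the first edit above.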