Hi @Slawek Dejneka
If you are on a paid plan and external users can still see boards in the team, here are a few things to check:
- If you invited the users via email, they might be added as full members rather than guests or visitors. Please verify the type of access they were granted.
- If you intended to invite users as guests or visitors, please follow the steps outlined in these articles to ensure proper access control:
- For me to check further, could you please share a short video demonstrating how you invite the external users to the board?
If you have further questions or need assistance, please let us know. We're here to help!
Hi,
I have followed the instructions from these links. I have invited a new test external user from within the Starter Plan board (as a Guest, I think, as there’s no option to choose what type of user it will become apart from the permissions level. Here I chose ‘Edit’.), and then Miro gave me just a single option: to add that user to the team. This means that the invited user will see all other boards in the team. There was no option to not add that user to the team.
This is a serious security flaw in design, as a lot of sensitive information may easily leak outside the organisation without any notifications.
For the other board which I’ve shared, I chose Viewer in the permission settings, and fortunately this time the user was able to see and comment only, with no access to any other boards. This is, however, very difficult to maintain, as non-IT users can easily choose Edit in permissions settings, not expecting this problem.
Also, when you work with external users, usually you want to work on the same board together in real time. Then those need to be Guests with Edit permissions = can see all other boards. That’s a huge security flaw that comes from the design phase.
Is there any way to prevent it?
Slawek
Hi @Slawek Dejneka
Thanks for sharing these details! I understand your concern regarding the security of sharing boards with external users.
On the Starter plan, Guest users should only have view and comment permissions, not edit access. If an external user was able to edit the board, it suggests they were added either as a Full Member or a Visitor via a public link. Here are a few points to clarify:
- If you invite users as Full Members, they will have access to all boards in your team.
- Guests can only have view/comment permissions on specific boards.
- Visitors (through a public link) can be granted editing rights but only for that specific board, not across the entire team.
It sounds like the users were likely added as Full Members due to the option to "Edit," which is not available for Guests. Another factor that tells me the external users were invited as full members is: “users can easily choose Edit in permissions settings”.
To avoid this in the future:
- For real-time collaboration with external users without exposing all boards, you can invite them as Visitors using a public link (with edit permissions only on the shared board).
This will help ensure sensitive information remains secure. If you need further clarification or have more questions, feel free to ask!