Background:
One of our users was wondering how come he was able to see a team of which he was not a member (although no boards in it).
The cause was that our team settings allowed users to request membership in a team, which is the default setting, and he had somehow submitted a request to join it.
This posed a security risk for us, because we have consultants working on our projects, and we don’t necessarily want them to know what other teams we have.
We switched off the setting after some very nice support from Miro.
Proposal:
- All security-related settings in Miro Enterprise should default to the most secure option.
- It should be easy to relax the security settings, e.g. by being presented with a control panel whenever creating a team, and with the controls easily available when administering the team.
- There should be a document that lists all the security-related settings Miro uses, what they do, and what the defaults are.
This would be in line with known good information security practices and prevent accidental disclosure of data because admins forgot to -- or didn’t know they needed to -- enable the higher-security options in the settings.