Admin/owner restrict authority to invite

Is there an option to restrict WHO can invite others to collaborate in an organization?
OR
Is there an option to completely restrict someone outside an organization from accessing a file, even if he is invited by someone within? (Admin pains)

Suggestion 1: Some options for admin to restrict/allow others to invite others.
Suggestion 2: Some option to restrict organization level files from outside access (even with invite).
Suggestion 3: A new “FILE_SHARE” Webhook to catch the file share event and do some workarounds to avoid this problem.

6 Likes

Hey @Aby, these features are actually not provided and it would be interesting to have them. I suggest that a moderator pass this conversation into Product ideas or even that you create a new topic to clearly present your suggestion.

@Gleb @Bruno_Figueiredo @Josh

2 Likes

Hey @Aby I moved your topic over to product ideas and edited the title just so it’s more an affirmation and not a question.

These are all pain points of mine so I get this.

3 Likes

I am the Director of IT at my organization so this is an issue very close to my heart. One of my biggest issues with Figma is that an administrator cannot control who is allowed to invite individuals into the system. Especially since the inviter can pass on permissions equal to or less than their own, and that means an editor costs money. I understand from Figma that this was done intentionally in order to reduce the barrier to collaboration, but from an Enterprise controls perspective, I simply cannot have non-admins being able to invite outsiders into the organization. An invited user starts as a “viewer” (even if they are a guest) and then they could self-upgrade themselves to editor if the admin is unable to reduce them to “viewer restricted” before that happens. Since there are no notifications to admins when someone is invited, an admin would literally have to be staring at the log all day every day, and as an IT team of 2, we simply don’t have time for this. I’d prefer to just restrict the ability to invite outsiders to admin only, along with certain other capabilities in the system, such as creating teams.

17 Likes

Adding my vote to this. As the IT guy at my small company, I am surprised every quarter by new additions to my Figma Organization. I understand the desire for flexible collaboration in Figma, but from an organizational and cost-oversight standpoint, Figma could use some improvement. Some options that would help with this:

  • Aby’s recommendations
  • In lieu of a revamped invitation process that restricts invitations only to owners/admins, send a confirmation message with a CTA to the owner/admin any time an Editor sends an invitation (this should be pretty standard for any onboarding/procurement)
  • Throw a notice to Editors adding new users that their Organization will be billed for any new Editors (should also be part of any checked onboarding/procurement flow)

5 Likes

Why doesn’t disabling public link sharing in the admin settings disable the ability to invite guests outside of the organization, as well? As a user, it is surprising that if public link sharing was disabled, I can still go ahead and invite guests.

2 Likes

+1 Apart from the issues already mentioned, I’ll add a couple of things that not only baffle me, they are literally stopping our IT department from allowing a wide rollout of Figma at our company:

  • In the Figma Organization settings, one can define from which domains members can be created. It’s a way of capturing all users within a domain, but it also feels like a way of whitelisting a bunch of domains. However, this doesn’t prevent anybody from inviting anybody else, even with a @gmail.com address (or the address of a competitor…)

  • There is this handy possibility of setting a Team within an Organization to “secret”, meaning it is not visible or searchable by anybody other than its members. However, all members can invite anybody (again from any domain) to this team, without the Team owner knowing anything about it. How is this secret?

Look, we all get the point that accessibility is the priority for Figma. Ensuring that more and more people can join Figma without any friction. Great for design but also great for Figma. Nothing wrong with that. But at the VERY least, you could implement a notification system for Team owners/admins for every new invite. And since dreaming is free: add a way for team owners/admins to be able to either accept or reject each invite. Yes, it creates a waiting time and “friction”, but we gotta strike a balance here…

Btw, here’s another thread with similar issues and a cool concept of what a reworked Admin dashboard could look like:

Request finer-grained permission control for organization admin - Product Feedback - Figma Support Forum

Thanks for the mention. Just spent one day removing unintended editors and I’m really exhausted by it. My dear Figma, please consider these.

Wait, so being in an organization plan doesn’t solve the problem of viewers being able to invite anyone from outside the organization?

We just found that any viewer can invite anyone, and thought that changing to an organization plan would solve this.

How is this not a major security issue?

4 Likes


So… is it like this?

4 Likes

Seriously though, they could implement something like what Google Docs has:

Captura de Pantalla 2021-07-27 a la(s) 12.13.59 p.m.

1 Like

Should we request a merge of these two threads?

Hi Figma friends, I’m a big fan of Figma and one of the community advocates. Our company is using Figma Organization but there are some issues that confuse me. I’ll just throw them out below and hope we can discuss them.

Figma is great; the only thing that makes me feel bad is permission control for admins. Although collaboration is in Figma’s genes and we should reduce resistance to collaboration everywhere, these permission control issues have been frustrating me as our membership scales.

The issues include:

  • Unintended new editors emerge every day.
    We have a limited budget, so we have to control the number of editors, and some editors’ permissions are not necessary (like developers).
  • Unintended guests emerge every day.
    Everyone can invite guests into an organization, even a guest. More and more guests get into our organization, which will cause some safety problems.
  • They created empty teams.
    Everyone can create a team. Some people created some teams and then abandoned those teams, which makes it hard for members to find a specific team.

As an admin of our organization I have to remove their permissions or remind them one by one. This work wastes too much of my time. So I’m here to request some features for finer-grained permission control for organization admins.

Below is my concept design for this feature:

Also, can we have a feature to stop viewers from upgrading themselves to editor? Or to require an approval action?

This is a concept from my experience, and more considerations and details need to be included, but I hope Figma can make it a high priority.

Thanks.

10 Likes

I feel there need to be two levels of admin. Everything you mentioned here, plus a second level of admin who is not at the organizational level but can add projects and users. Then an editor does not have the permission to add users or create a project.

Editors appearing is really concerning. I have to manually check this most days to ensure we won’t get charged.

5 Likes

Yeah, this can also solve this.

:sob: yeah, so painful.

+1

For anyone watching this, this is a related thread expressing similar concerns:
Admin/owner restrict authority to invite - Product Feedback - Figma Support Forum

To give you an idea of the level of workaround-ism we’ve had to establish, this is the form with which we tell everybody to request access to Figma. A very manual process that doesn’t technically prevent any of the aforementioned risks:

1 Like

We also established a process for new editors and implemented a Chrome plugin to recognize unintended editors, but it doesn’t reduce the work by much.