Admin/owner restrict authority to invite

I’m quite baffled to learn that this essential administration feature / setting is not yet part of the organizational plan… For organizations it is basically a must to have control over who gets access. And this is not only about billing, but also about sensitive data and projects which you don’t want everyone to get access to that simply.

Sure, Figma needs to consider it.

Here is a fun little thing that can happen. A non-admin can invite an external person to your organization, they can grant themselves editor permissions, and then they can just do whatever they want to any of your files and materials without an admin ever knowing. It’s a terrible model. I’ve written feedback asking for this exact feature before. Please listen to this proposal.

2 Likes

How could Figma complete their “SOC 2 Type II audit” with this serious security issue? Google Docs doesn’t have this problem, by means of a simple feature:

[Screenshot 2021-07-27 at 12.13.59 p.m.]

3 Likes

Today is another frustrating day. An intern created tooooooooooo many teams instead of projects. It’s driving me crazy!!!

:exploding_head: :exploding_head: :exploding_head:

+1 for this feature, it’s super important.
I don’t want to have to manually set viewers to “viewer restricted”, and I’m not a fan of them creating their own teams or branches.

Should we request a merge of these two threads?

Yes, but how to merge?

I think that you have to ask the mods to merge them

@Gleb Could you help us merge these two threads? Thanks.

done!

3 Likes

Great, Thanks @Gleb .

Notion’s share panel is what I really want.

2 Likes

I also +1 for this.

  • I don’t want Guests to invite anyone.
  • I don’t want anyone to upgrade without admin’s approval.
4 Likes

This issue negates literally all security since security settings are not applied to guests. Even if your organization is set so you MUST use SAML to log in, guests don’t have to follow that rule, and guests can self-promote, and can invite other guests, and create teams, and do anything they want and there is no way to stop this.

Again, let me reiterate THIS LITERALLY NEGATES ALL SECURITY. GUESTS ARE NOT AFFECTED BY YOUR SECURITY SETTINGS BUT STILL HAVE FULL EDIT ACCESS.

2 Likes

It also appears that while I can turn off public link sharing, I can’t turn off the ability to publish a document publicly to the community site.

2 Likes

Another disaster week. I spent almost one week removing almost 150 unintended editors from our organization one by one, and had to figure out which ones really need editor access. The love for Figma is gradually fading away. :weary:

Sad, very sad.

4 Likes

So there seems to be a solution for this, at least in the professional plan:

[Screenshot 2021-09-16 at 1.51.05 p.m.]

If you uncheck that option, then viewers can no longer invite people without your authorization. But the problem then is that developers can no longer export assets :man_facepalming:

This won’t solve it. You can’t ask everyone to uncheck it in an org with thousands of members, not to mention that so many members set their files so that everyone can edit (this is the main reason some unintended editors get added). :rofl: