Admin/owner restrict authority to invite

Hey @Aby, These features are actually not provided and would be interesting to have them. I suggest that a moderator pass this conversation into Product ideas or even that you create a new topic to clearly present your suggestion.

@Gleb @Bruno_Figueiredo @Josh

Hey @Aby I moved your topic over to product ideas and edited the title just so it’s more an affirmation and not a question.

These are all paint points of mine so I get this.

I am the Director of IT from my organization so this is an issue very close to my heart. One of my biggest issues with Figma is that an administrator cannot control who is allowed to invite individuals into the system. Especially since the inviter can pass on permissions equal or less to their own, and that means an editor costs money. I understand from Figma that this was done intentionally in order to reduce the barrier to collaboration but from an Enterprise controls perspective, I simply cannot have non-admins being able to invite outsiders into the organization. An invited user starts as a “viewer” (even if they are a guest) and then they could self-upgrade themselves to editor if the admin is unable to reduce them to “viewer restricted” before that happens. Since there are no notifications to admins when someone is invited, an admin would literally have to be staring at the log all day every day, and as an IT team of 2, we simply don’t have time for this. I’d prefer to just restrict ability to invite outsiders to admin only, along with certain other capabilities in the system, such as creating teams.

Adding my vote to this. As the IT guy at my small company, I am surprised every quarter by new additions to my Figma Organization. I understand the desire for flexible collaboration in Figma, but from an organizational and cost-oversight standpoint, Figma could use some improvement. Some options that would help with this:

• Aby’s recommendations
• In lieu of a revamped invitation process that restricts invitations only to owners/admins, send a confirmation message with a CTA to the owner/admin any time an Editor sends an invitation (this should be pretty standard for any onboarding/procurement)
• Throw a notice to Editors adding new users that their Organization will be billed for any new Editors (should also be part of any checked onboarding/procurement flow)

Why doesn’t disabling public link sharing in the admin settings disable the ability to invite guests outside of the organization, as well? As a user, it is surprising that if public link sharing was disabled, I can still go ahead and invite guests.

Hi Figma friends, I’m a big fan of Figma and one of community advocates. Our company is using Figma Organization but there’re some issues confused me. Just throw it below and hope we can discuss it.

Figma is great, the only thing that makes me feel bad is permission control for admin. Although collaboration is the gene of Figma and we should reduce resistance for collaboration anywhere, but those issues of permission control have been making me frustrated as members scaling.

The issues include:

• Unintended new editors emerge every day.
  We have limited budget so we have to control number of editors and some editors’ permissions are not necessary (Like developers)
• Unintended guests emerge every day.
  Every one can invite guest into an organization, even the guest. More and more guests get into our organization, which will cause some safety problems.
• They created empty teams.
  Everyone can create a team. Some people created some teams and then abandoned those teams, which makes it hard to find a specific team for members.

As an admin of our organization I have to remove their permissions or remind them one by one. This work wasted too many time for me. So I’m here, request some features for finer-grained permission control for organization admin.

Below is my concept design for this feature:

Also, can we have the feature to disable a viewer self-upgrade themselves as an editor? Or approval action needed?

This is a concept from my experience but more considerations and details need to be included, but I hope Figma can put it in a high priority.

Thanks.

I feel there needs to be two levels of admin. Everything you mentioned here and add a second level of an admin who is not at the organizational level; however they can add projects and Users. Then an editor does not have the permission to add users or create a project.

Editors appearing is really concerning. I have to manually check this most days to ensure we wont get charged

Yeah, this can also solve this.

😭 yeah, so painful.

+1 Apart from the issues already mentioned, I’ll add a couple of things that not only baffle me, they are literally stopping our IT department from allowing a wide rollout of Figma at our company:

• In the Figma Organization settings, one can define from which domains members can be created. It’s a way of capturing all users within a domain, but it also feels like a way of whitelisting a bunch of domains. However, this doesn’t prevent anybody from inviting anybody else, even with a @gmail.com address (or the address of a competitor…)

• There is this handy possibility of setting a Team within an Organization to “secret”, meaning it is not visible or searchable by anybody other than its members. However, all members can invite anybody (again from any domain) to this team, without the Team owner knowing anything about it. How is this secret?

Look, we all get the point that accessibility is the priority for Figma. Ensuring that more and more people can join Figma without any friction. Great for design but also great for Figma. Nothing wrong with that. But at the VERY least, you could implement a notification system for Team owners/admins for every new invite. And since dreaming is free: add a way for team owners/admins to be able to either accept or reject each invite. Yes, it creates a waiting time and “friction”, but we gotta strike a balance here…

+1

For anyone watching this, this is a related thread expressing similar concerns:
Admin/owner restrict authority to invite - Product Feedback - Figma Support Forum

To give you an idea of the level of workaround-ism we’ve had to establish, this is the form with which we tell everybody to request access to Figma. A very manual process that doesn’t technically prevent any of the aforementioned risks:

Btw, here’s another thread with similar issues and some cool concept of how a reworked Admin dashboard could look like:

Request finer-grained permission control for organization admin - Product Feedback - Figma Support Forum

Thanks for mention. Just spent one day to remove unintended editors and I’m really exhausted about it. My dear Figma, Please consider these.

We also established a process for new editors and implemented a Chrome plugin to recognize unintended editors, but it can’t reduce too much work.

I’m quite baffled to learn that this essential administration feature / setting is not yet part of the organizational plan… For organizations it is basically a must to have control over who gets access. And this is not only about billing, but also about sensible data and projects which you don’t want everyone to get access to that simple.

Sure, Figma need to consider it.

Here is a fun little thing that can happen. A non-admin can invite an external person to your organization, they can grant themselves editor permissions, and then they can just do whatever they want to any of your files and materials without an admin ever knowing. It’s a terrible model. I’ve written feedback asking for this exact feature before. Please listen to this proposal.

wait, so being in an organization plan doesn’t solve the problem of viewers being able to invite anyone from outside the organization?

We just found that any viewer can invite anyone, and thought that changing to an organization plan would solve this.

How is this not a major security issue?

Seriously though, they could implement something like what Google Docs has:

How could Figma complete their “SOC 2 Type II audit” with this serious security issue? Google Docs doesn’t have this problem, by means of a simple feature:

Today is another frustrating day. An intern created tooooooooooo many teams instead of project. It’s driving me crazy!!!

🤯 🤯 🤯

+1 for this feature it’s super important
I don’t want to have to manually set viewers to “viewer restricted”, and I’m not a fan of them creating their own teams or branches