Do you log account activity and can changes be undone?

Hi guys,

I've just had to give my accountant full access to my account in order for them to complete the end of year filing.

As someone who designs and builds systems for a living, I am incredibly nervous about giving an external user CRUD access to absolutely everything in my account (I mean, do they really need to be able to manage users? Can't they just have read-only access?).

I trust my accountant implicitly, but they are human at the end of the day, and I'm effectively handing over the keys to the kingdom and hoping that they don't break anything, or get hacked themselves.

Anyway, my question is - what contingencies are in place should anything happen? Is it possible to undo a potentially malicious action (intentional or not), caused by a user I have willingly granted full access to?

I understand you do not intend to make permissions more... robust. That's a real disappointing stance to take considering how critical data security is (or should be). In fact, it's downright concerning given the number of data leaks / security breaches these days.
  • Hi thp,

    Thanks for getting in touch with your comments.

    Read-only access is something that we're looking into, with a view to understand how this could work and where it might be applied. Our current plan is to experiment with that this quarter, with a view to building it at the beginning of the new year.

    In terms of security and the contingencies in place if anything should happen, we're working through some of these concerns now and are looking into increasing our security management. We've recently released a new security section on our settings page and added a new feature to show all the active sessions for the current user, including the user's browser information, last accessed time and location details. Users can log out from all other sessions, or log out from individual sessions, from within that area.

    Soon we'll be releasing a new feature to show the user's login history, and the account owner will be able to see the login history for all users of their account, which will enable you to review when your accountant has logged in. And the final part of this puzzle - the bit that you're asking about above - is to build an audit trail, where you'll be able to see everything that a user has done and when. This one is a little further out on the plan, but we're currently hoping this will be released early next year. Once this is in place, you'll be able to see exactly what actions were taken, and therefore rectify any malicious actions. 

    Apologies that I can't be any more help just now, but I do hope that helps in the meantime.

    Many thanks,
    Ruth
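    The audit trail Ruth describes above only makes "rectify any malicious actions" possible if each entry records who acted, when, on what, and the state before and after the change. The sketch below is an added example, not the forum software's or the product's own code: a small append-only audit log over a toy key/value store, with a revert that restores the recorded "before" snapshot and is itself logged. The store layout, entity names such as `user:2`, and the scenario data are all constructed for illustration.

```python
"""Minimal append-only audit trail with per-entry revert.

Added illustration (not the product's code): shows what an audit trail needs
to record so an account owner can review a delegated user's actions and
undo a specific one.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AuditEntry:
    seq: int                # position in the log, assigned monotonically
    at: str                 # ISO-8601 UTC timestamp
    actor: str              # which login performed the action
    action: str             # "create", "update", "delete" or "revert"
    entity: str             # hypothetical key such as "user:2" or "invoice:17"
    before: Optional[dict]  # snapshot prior to the change (None if it did not exist)
    after: Optional[dict]   # snapshot after the change (None if deleted)


class AuditedStore:
    """Toy key/value store where every mutation is logged with before/after state."""

    def __init__(self) -> None:
        self._data: dict[str, dict] = {}
        self._log: list[AuditEntry] = []

    def _record(self, actor, action, entity, before, after) -> AuditEntry:
        entry = AuditEntry(
            seq=len(self._log) + 1,
            at=datetime.now(timezone.utc).isoformat(),
            actor=actor,
            action=action,
            entity=entity,
            before=copy.deepcopy(before),
            after=copy.deepcopy(after),
        )
        self._log.append(entry)  # append only: entries are never edited or removed
        return entry

    def get(self, entity: str) -> Optional[dict]:
        return copy.deepcopy(self._data.get(entity))

    def upsert(self, actor: str, entity: str, values: dict) -> AuditEntry:
        before = self._data.get(entity)
        action = "update" if before is not None else "create"
        self._data[entity] = dict(values)
        return self._record(actor, action, entity, before, self._data[entity])

    def delete(self, actor: str, entity: str) -> AuditEntry:
        before = self._data.pop(entity, None)
        return self._record(actor, "delete", entity, before, None)

    def entries_for(self, actor: str) -> list[AuditEntry]:
        """What the account owner would review: everything one login did."""
        return [e for e in self._log if e.actor == actor]

    def revert(self, seq: int, actor: str) -> AuditEntry:
        """Restore the 'before' snapshot of entry `seq`; the revert is itself logged."""
        target = self._log[seq - 1]
        current = self._data.get(target.entity)
        if target.before is None:
            self._data.pop(target.entity, None)  # entity did not exist before: remove it
        else:
            self._data[target.entity] = copy.deepcopy(target.before)
        return self._record(actor, "revert", target.entity, current, self._data.get(target.entity))

    def log(self) -> list[AuditEntry]:
        return list(self._log)


def demo() -> dict:
    """Constructed scenario: the owner reviews what 'accountant' did and reverts part of it."""
    store = AuditedStore()
    store.upsert("owner", "user:1", {"name": "thp", "role": "owner"})
    store.upsert("owner", "invoice:17", {"total": 1200, "status": "draft"})
    # the delegated login makes one legitimate change and two questionable ones
    store.upsert("accountant", "invoice:17", {"total": 1200, "status": "filed"})
    store.upsert("accountant", "user:2", {"name": "new-login", "role": "admin"})
    store.upsert("accountant", "user:1", {"name": "thp", "role": "readonly"})
    # owner keeps the filing but unwinds the user changes, newest first
    suspicious = [e for e in store.entries_for("accountant") if e.entity.startswith("user:")]
    for e in reversed(suspicious):
        store.revert(e.seq, "owner")
    return {"user:1": store.get("user:1"), "user:2": store.get("user:2"),
            "invoice:17": store.get("invoice:17"), "log_len": len(store.log())}
```

    Two design points matter here: the log is never mutated, so a revert appears as a new entry rather than erasing the evidence of what happened, and snapshots are deep-copied so a later edit to the live record cannot silently change what the log says the state was.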
  • Thanks Ruth, good to know there are plans in place to address this going forward.

    Kind regards