The list in the Add pop-up window should be filtered by user permissions

We recently had an issue discovered by a client: any user who can add items to the Managed Items tab can see all the items in the related workspace.

This is a problem because the user can see items that they do not have permission to see.

All they can see is the descriptor of the item, but that alone can contain sensitive information; for example, the part number may be recognizable as a competitor's part.

The response from Autodesk Support was: While adding items to any tabs, all relevant items in the chosen workspace will be displayed. The list in the Add pop-up window is not filtered by user permissions. This includes adding to the Managed Items tab also.

This response implies that it is not just the Managed Items tab that is affected.

I think this is a major security flaw that should be fixed as a critical bug as soon as possible.

Our largest client opened an emergency support request with us when they discovered this with a supplier.

This could pose a legal problem for them, as it could have revealed competitive intelligence between suppliers.

I can see it becoming a problem for other clients as well and I recommend warning those who are at risk.

I think it is reasonable to say that user permissions should be respected/enforced everywhere on the site.

User security is a critical aspect of multi-business collaboration.

Fusion Manage is marketed as a collaborative platform and Change Orders as well as Supplier management are selling points for manufacturers.

1 Comment

Some additional thoughts:

If the permissions are respected on all screens including the “Add” dialogue, then the solution to any hidden info is to give the right people the right permissions.

In the Add dialogue, if the user doesn't have permission to view an item, they shouldn't have permission to add it to a Change Order, and simply removing it from the list seems appropriate to me.

If a restricted item is already in the Managed Items tab, it could display as “view restricted” so that the user can tell that there is something hidden and they can request access where appropriate.
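As an added illustration (not Autodesk's code, nor the poster's), here is one way the behaviour proposed in this thread could be implemented: a single view-permission rule that the Add list, the add action itself and the existing Managed Items rows all consult, with restricted rows rendered as "view restricted". The supplier/item model and the sample workspace are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    item_id: str
    descriptor: str        # e.g. a part number, which can identify the supplier
    owner_supplier: str

@dataclass(frozen=True)
class User:
    name: str
    supplier: str
    extra_view: frozenset = frozenset()   # item ids explicitly shared with this user

# Constructed sample workspace shared by two suppliers (hypothetical data).
WORKSPACE = [
    Item("1001", "ACME-PN-4471 bracket", "acme"),
    Item("1002", "ACME-PN-9920 housing", "acme"),
    Item("1003", "BOLT-CO-77 fastener", "boltco"),
]

def can_view(user: User, item: Item) -> bool:
    """The one authorization rule every screen uses (list, Add dialog, tab rows)."""
    return item.owner_supplier == user.supplier or item.item_id in user.extra_view

def add_dialog_list(user: User, workspace=WORKSPACE) -> list[str]:
    """What the Add pop-up should offer: only descriptors the user may view."""
    return [i.descriptor for i in workspace if can_view(user, i)]

def add_managed_item(user: User, item_id: str, workspace=WORKSPACE) -> bool:
    """Server-side check on the add action itself, so hiding the row in the
    UI is not the only control; returns True only if the add is permitted."""
    item = next((i for i in workspace if i.item_id == item_id), None)
    return item is not None and can_view(user, item)

def render_managed_items(user: User, managed_ids: list[str],
                         workspace=WORKSPACE) -> list[str]:
    """Rows already in the Managed Items tab: permitted items show their
    descriptor; anything else shows a neutral placeholder so the user can
    see something is hidden and request access."""
    by_id = {i.item_id: i for i in workspace}
    rows = []
    for managed_id in managed_ids:
        item = by_id.get(managed_id)
        rows.append(item.descriptor if item and can_view(user, item)
                    else "view restricted")
    return rows
```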
