Totally agree! Great that it's in planning. Any idea when we can expect a solution for this? We are looking for a new CRM system and we did consider using HubSpot CRM for this. But since this is one of the major risks (sales colleagues interfering with marketing files and contact records), we are looking for another solution. It would be great if this risk was taken out and we could use HubSpot CRM.
Also, FORMS! How are ALL Forms accessible to 100% of users, even with fully restricted permissions?
What's the point of being able to assign Team permissions if not to restrict people's access to only what they need?
How can you consider yourself compliant with various privacy laws when you effectively make it impossible to restrict staff's access to ONLY the information they need for their position and role?
We just signed onto a year Sales/Marketing Pro plan and I'm pretty horrified by this.
Upvoting this on behalf of a customer. It's good that there's a permission for Files at the moment to restrict users from uploading new files, or editing/deleting current ones.
However, in bigger teams, it would greatly help to have a permission to restrict users from viewing these files altogether, if these users should be given the most basic access to the HubSpot tools they're using.
Even an option to limit file visibility by folders/files would be super useful!
I know that HubSpot have launched a new permission "Files", to limit the access to the documents.
"Files: toggle the switch to grant the user to add, edit, and delete files from the file manager. Users without this permission can still view files in the file manager."
However it's not enough!
You need to review this permission because the users can still "Download" the file in the file menu and "Export all Files (ZIP)".
Please see below the images.
User_can_Download_File
User_can_Export_all_Files_ZIP
Please review this permission as soon as possible!
Even viewing files is a serious security issue, as the contents of the file may be sensitive. This needs to be addressed ASAP, and as a new HubSpot customer, I am shocked that the platform has been built this way. Can we have an update on this? Is there a timeline?
I have also been waiting on this feature. We have a solid Sales team that wants to use images in some of their outreach but we can't run the risk of important files being deleted or overwritten. Ideally we have a single folder that we can point specific Roles towards in the Permission settings.
@hubspot product team can you update on the status of this feature in planning? Is it coming to Beta soon? Limiting access by role on the folder level is critically important.
Serious security gap in access to documents, which should be controlled by role and team. This would never be running in our own SaaS application for more than two years after discovery.
Are you really serious about making something that matches our efforts?
You really wonder ... this is a huge break of basic authorisation. As a SaaS software vendor myself I would stop all other development until any related security issues were solved.
I am not in any way impressed by either the user roles in HubSpot or the focus (or more precisely, lack of) on getting these and similar issues fixed.
Working on this for years now ... and not a single thing you can trust from HubSpot staff.
Supporting this idea on behalf of a customer - we could now limit users' access to the Files tool but users with read-only access could still export files from the account.
After 2 years of 'in planning' this really needs to be fixed ASAP! We were considering Enterprise, but then still every user has access to every file. This is a major security issue and is now really slowing us down.
Nice marketing, but HubSpot is nowhere near being a CMS that is viable to be used with any files we want to manage other than plain stuff that we might already have open to the people through methods such as CTAs, Buttons or Links to these files.
Have a look at this for the 10000 foot plan that is great in the boardroom, not so much in daily reality right now:
Going beyond the security issue, most crosslinking in HubSpot is controlled such that you cannot delete things that other things rely on. If I build a list using other lists, I am prevented from deleting lists that are being used. If I link a web page to another web page, or a form is used in XX places, it is well controlled to prevent me from deleting things that are in use.
Today I created a simple test page where I had a CTA, link and Button in a page plus an email all pointing to a PDF file. I deleted the PDF file. Everything broke. Before you use files like PDF that are used by MANY people in their web pages since they open nicely into all modern browsers, make sure you understand and track who can do what with the PDFs and make sure that when you want to swap in a new version of the document, pick the document, use the "replace" option on the right side and do it that way. If you load a new file up and want to point to it, you have to go back and manually update ALL the places that pointed to that PDF if you do not use the replace option.
HubSpot = Getting closer but not quite ready for prime time CMS
This is very disturbing. We have thousands of attachments in our customer service tickets, like contracts, personal information, billing information, that should not be visible to anyone else in our organization.
We've just discovered a few days ago that, literally, anyone can download ALL the files. Disturbing.
I have another topic where I discuss the inability to restrict users from deleting activities.
At this point I really wonder if HubSpot cares at all about the security of the stored information and documents.