LIST TOOL: Allows User to See Records They are not SETUP TO SEE!!!!!!

Highlighted
New Contributor

List processing view showing details of contacts not owned / assigned

 

When creating a list, users are able to see all contacts while the list processes even though their user permissions explicitly segments to 'owned only'. This scenario occurs during the list loading period. The goal is for the processing to only display contacts based on specific user permissions set in the account settings.

Reply
0 Upvotes
9 Replies 9
Community Manager

Hi @AbhijeetGautam,

 

As you are currently working with HubSpot technical Support regarding this matter, that will be the most direct way to continue working towards resolving this issue.

 

Thank you,
Jenny


Did my post help answer your query? Help the Community by marking it as a solution
Reply
0 Upvotes
New Contributor

@jennysowyrda Hi Jenny, Support has not provided the necessary transparency that would've been expected by any Enterprise customer (like myself). I've been informed that the issue is being reviewed by HUBSPOT Product Development by our on-boarding specialist, however the same is not documented by Support, nor is there any reference to any Defect ID or Bug# that should be the norm. Most vendors like Salesforce, Oracle, Microsoft provide these as a matter of transparency & best practises. In fact, not letting us in on what's happening behind the scenes is deeply frustrating to our Business.

Reply
0 Upvotes
Community Manager

Hi @AbhijeetGautam,

 

Thank you for your feedback and I am sorry you have not felt updated in regards to the status of your ticket. It looks like your ticket was updated earlier today with more information and a status update. 

 

If you would like to discuss the architecture of HubSpot's Support system further, I would recommend connecting with your Account Manager, as they can speak in more detail around the set up, expectations, as well as ensuring that your concerns are thoroughly addressed. It is always a top priority to keep our customers informed and working towards a resolution, so if you have felt differently, we want to make sure those concerns are addressed. 

 

Thank you,
Jenny


Did my post help answer your query? Help the Community by marking it as a solution
New Contributor

@jennysowyrda I've reviewed support's update. Whilst it is positive to note that HUBSPOT Product Development is seeking to fix the cosmetic issue of processing fairly quickly, the crux of the issue (Accidental send of emails without permission) still remains and we urgently require some kind of a timeline/specificity surrounding this issue. If Product Development can be compelled to release a one-off patch/fix that affects only our instance, that would negate the size of this change on your platform.

Reply
0 Upvotes
Community Thought Leader

Could be wrong, but based on our understanding, the HubSpot Marketing Lists tool is integral to HubSpot Marketing automation. While the tool may be made available for use by HubSpot users of other tools -- namely HubSpot Sales Hub for use in View Filters, it's primary obligation is to HubSpot Marketing automation. Granting access at this level is intended to superseded lower-level permissions settings.

 

hubspot-marketing-access-permissions-lists.pngHubSpot Marketing Lists tool permissions toggle
The HubSpot Lists tool is designed to group collections of contacts who meet specific criteria, and to make those contacts available for use in Workflows, Marketing Emails, integrations, etc. Restricting the visibility of contacts within the Lists tool to only those contacts for which a given HubSpot user CURRENTLY has access would ...


- Make verification of list members all but impossible for anyone other than Super Admins.
In other words, limiting visibility would mean the author of a list would really never know how many (or which) members SHOULD actually be included unless they were a Super Admin with unrestricted access to all contacts.
(undesirable)


- AND -


- Interfere with basic Lists tool functionality in Marketing Email sends by yielding different 'permissions-based' results depending on who's sending the Marketing Email.
In other words, limiting lists in this user-centric, permissions-based way would mean the actual recipients of a given Marketing Email would, in part, be made dependent on WHO triggered the send.
(undesirable)


As such, the HubSpot Marketing Lists tool permissions toggle is an 'all or nothing' toggle -- i.e., once granted permission at this level of the HubSpot Marketing tool, a given HubSpot user will have unrestricted visibility to Contacts from within the Lists tool which is consistent with Lists as used by other parts of the HubSpot platform.

- see HubSpot User Permissions Guide

 

#nlmtt #nlmtu

Hope that helps.

 

Best,
Frank

 

MFrankJohnson-dot-com-HubSpot-Community-banner-gif-v20190817

New Contributor

@MFrankJohnson That's a detailed description of the problem statement. The List Tool (or any tool) that is used within (any mature enterprise platform) HAS TO (as a matter of design principle, integrity) adhere to the overlying SECURITY MODEL on which users are setup. Allowing users to VIEW/EDIT a subset of contacts & then somehow allowing them a BACKDOOR (via the LIST TOOL) to SEE EVERYTHING, is a security nightmare (to put it lightly). 

 

This is a loop-hole in HUBSPOT that needs to be mitigated at the earliest if you don't want customers jumping OFF the platform. 

 

Below are just some of the FEATURE-LOSSES because of turning OFF the Lists feature given this gaping security hole

 

1. Ease of segmentation

  • It’s just so easy to create active lists of anyone who fulfils certain criteria to send targeted messaging to segmented portions of the database

2. Accuracy

  • Once these active lists are created, it becomes easy to select them again and again e.g. in a workflow. Although you can still use the same criteria to enrol someone in a workflow (rather than using the list tool to enrol) there is a greater chance for human error to miss a crucial filter/criterion.

3. Loss of A/B testing

  • Without lists one cannot use A/B testing – this sounds minor but it’s a powerful feature that can dramatically improve email open rates. 
Reply
0 Upvotes
New Contributor

HUBSPOT has confirmed this security loop-hole will be resolved via List Partitioning in the future.

Reply
0 Upvotes
New Contributor

@MFrankJohnson That's a detailed description of the problem statement. The List Tool (or any tool) that is used within (any mature enterprise platform) HAS TO (as a matter of design principle, integrity) adhere to the overlying SECURITY MODEL on which users are setup. Allowing users to VIEW/EDIT a subset of contacts & then somehow allowing them a BACKDOOR (via the LIST TOOL) to SEE EVERYTHING, is a security nightmare (to put it lightly). 

 

This is a loop-hole in HUBSPOT that needs to be mitigated at the earliest if you don't want customers jumping OFF the platform. 

 

Below are just some of the FEATURE-LOSSES because of turning OFF the Lists feature given this gaping security hole

 

1. Ease of segmentation

  • It’s just so easy to create active lists of anyone who fulfils certain criteria to send targeted messaging to segmented portions of the database

2. Accuracy

  • Once these active lists are created, it becomes easy to select them again and again e.g. in a workflow. Although you can still use the same criteria to enrol someone in a workflow (rather than using the list tool to enrol) there is a greater chance for human error to miss a crucial filter/criterion.

3. Loss of A/B testing

  • Without lists one cannot use A/B testing – this sounds minor but it’s a powerful feature that can dramatically improve email open rates. 
Reply
0 Upvotes
New Contributor

FORUM V2.png

Reply
0 Upvotes