Deal Privacy Security Bug

ckoch1
Member

So we have Deals set to private viewing only because we have clients who are competitors and our Account Executives cannot have access to competitor client Deals-- including their names which often contain sensitive information.

 

On the Deals page it works fine.

 

However, anyone can click on any company and on the right side under the "Deals" tab they can see every deal on that Company when they shouldn't be able to see them.

 

This is a huge security concern for us.

 

hubspot_baddddd.png

 

 

0 Upvotes
3 Replies 3
natsumimori
Community Manager

Hi @ckoch1 , thank you for posting your query in the Community.

 

As long as a user has both deal view permission and company view permission, this user is able to view all of the associated deal records in the right column of the company record. 

 

If you'd need to strictly limit each user's view permission for deals, I'd recommend creating separate HubSpot accounts so that the users can only access to their deals and company data.

0 Upvotes
ckoch1
Member

@natsumimoriThat seems wrong.  We have Deals security set to "owned only".  Why does clicking on a company suddenly ignore that security setting.  We have competitors as clients-- a company being a client isn't a security concern so we let everyone see all companies.  But Deal names can contain sensitive information.

0 Upvotes
natsumimori
Community Manager

Hi @ckoch1 ,

 

I underdtand your confusion, let me explain with example:

  1. User A and User B have "Owned only" view permission for deals and they have "Everything" view permission for companies
  2. User A onws a deal X, User B owns a deal Y
  3. Both deals are associated with a company Q
  4. When User A opens the company Q record, A can see there are 2 deals assocaited with this company, which is deal X and deal Y
  5. Same for when User B opens the company Q record

At this time, this is how the user permission setting works and it is not a security setting. Therefore, to strictly hide some data from a certain users, I'd recommend creating a separate account.

0 Upvotes