21 Replies Latest reply on Aug 26, 2015 1:57 PM by kimberly.ray

    Control Sharing of content within Private or Secret Groups with Group non-Members?

    ben.taub

      If I share content inside  a Private or Secret Group with a user who is not a member of that group - instead of a fail warning, I am presented with a message that says"This user does not have access to the item you're trying to share. An email with a PDF attachment will be sent to this user".

       

      This would seem to violate the Prime Directive of Private and Secret Groups - namely that the content inside them is walled off from non-Group Members.

       

      Is there a System Property or something else in the Admin Console that can turn this off, so the user gets a hard fail if you try to share with a non-member - without turning of Sharing completely?

       

      Thanks,

      Ben

      Sharing.png

        • Re: Control Sharing within Private or Secret Groups?

          Odd behavior indeed.  I ran a little test on my home system.  Yes; the message that an email will be sent with the pdf attachment still appears, but it also appears that no email is actually ever delivered.  Perhaps the "fail" actually occurs behind the scenes.  Is this logical?  Not to me; but hey; what do I know?    If nothing else, it is confusing and would certainly reduce a users confidence level in the true "walled off" nature of those groups.

           

          I do have something of a question though.  What is the use case for sharing something between users who are already members of the same private or secret group?  By default when a user joins a group they automatically follow it thus being made aware of all activity within the group.  When would the need arise to explicitly share something (again) with another user within the same group?  I guess if it is a very large group (1000s of users) it would be possible to miss a notification - and of course, users can join a group and then turn manually turn off the following; but I'll bet that is rarely done in practice.

           

          I am not aware of any system property or admin console setting to change this behavior.   It's interesting to note that @mentioning of non-members within private and secret groups does not fail either - it still allows the non-member to be @mentioned, but the message displayed to the end user explicitly states that the @mentioned user will not be able to see the content nor will they be notified that they were @mentioned because they are not a group member.  That at least makes more sense.

           

          Here is what I would do - log an actual Support ticket against this issue to see if this is indeed the way Jive intends for this functionality to work.  If it turns out that it is; I would file an enhancement request to have this changed to a true hard fail when attempting to share with non group members.

            • Re: Control Sharing within Private or Secret Groups?
              John Schwiller

              No time to hunt back for dim discussions with olivia.teich (?) on this, but from memory it is allowed because that's what the sender 'wants to do'. Her alternative is to create a PDF and download it and email it and we probably don't stop that.

               

              No time to check, but I'd be worried if the sent email exposed the name of the secret group (although of course that could be passed on manually too).

               

              Re

              violate the Prime Directive of Private and Secret Groups - namely that the content inside them is walled off from non-Group Members.

               

              Yes we don't let them in to 'prowl around', but sending them a particular piece of content is not the same. At the end of the day we have to trust our users 'to an extent' IMO.

              • Re: Control Sharing within Private or Secret Groups?
                ben.taub

                Thanks Matt makes sense to me as well.

                 

                I agree that the need to share within a Private or Secret group is limited

                at best.  However, I think "aiding and abetting" sharing outside of a

                Private or Secret Group is odd when measured against the trust in the

                system that is lost.

                 

                I would rather see a message along the lines of "The person you are trying

                to share this content with is not a member of this Private or Secret Group.

                Click here to send a message to the Group Administrator asking them to

                either a) be granted viewing access to this content or b) be invited to

                join this Group as a full Member."

                 

                I could always do a "View as PDF" and then save it to my desktop and then

                email it to someone, so to a certain extent, what I am talking a out is a

                fig leaf, but that does not mean that Jive should be making it easier to

                violate the principles of the community.

                 

                It is more about functionality being in alignment with stated development

                principles.

                 

                Ben

                  • Re: Re: Control Sharing within Private or Secret Groups?

                     

                    However, I think "aiding and abetting" sharing outside of a

                    Private or Secret Group is odd when measured against the trust in the

                    system that is lost.

                     

                    Since I don't think that the email actually ever gets sent (but I do need someone other than myself to independently verify this) "aiding and abetting" might be a wee bit harsh but I do think that this is a case of "the road to hell being paved with good intentions" or "Jive took the easy way out".  By letting the actual behind the scenes permissions framework determine whether or not the email actually ever gets sent, Jive doesn't actually promote this type of data leakage but to your point, by not posting either a hard fail message or some other options we definitely allow users to think that the system is insecure - which is the crux of the issue.

                     

                    I would rather see a message along the lines of "The person you are trying

                    to share this content with is not a member of this Private or Secret Group.

                    Click here to send a message to the Group Administrator asking them to

                    either a) be granted viewing access to this content or b) be invited to

                    join this Group as a full Member."

                     

                    a) would likely be difficult to implement given our current architecture since there are no real security attributes tied to actual content objects (security over who can view content is handled by the container (space, group, etc.)    b) sounds like it would be a relatively non-invasive customization to implement though.

                    I could always do a "View as PDF" and then save it to my desktop and then

                    email it to someone, so to a certain extent, what I am talking a out is a

                    fig leaf, but that does not mean that Jive should be making it easier to

                    violate the principles of the community.

                     

                    It is more about functionality being in alignment with stated development

                    principles.

                     

                     

                    Agree 100% with you on that.   I would definitely create a case to verify that the email does not get sent and also post your a) and b) above as suggestions for enhancements or possible customizations.

                  • Re: Control Sharing within Private or Secret Groups?
                    tmaurer

                    I frequently share items with people who are members of a group. I am personally a member of MANY groups and so often overlook individual items. Also, sometimes I have some extra context I want to add to something that is posted. For example, I might share this thread with someone at Jive to make sure they had seen it (much the way John Schwiller has done below). Or I might see an idea someone has posted, and want to share it with Ted (my coworker) and suggest that we try something slightly different in our community.

                  • Re: Control Sharing within Private or Secret Groups?
                    ben.taub

                    To matthew.richmond and John Schwiller

                     

                    I believe strongly in not standing in the user's way when it comes to functionality. However, in the federal space we already have barriers to engagement including workforce demographics and general systems distrust.

                     

                    I think that there is a subtle, but very important distinction as regards the  message given to a user between "We're not going to thwart you actively, if you really feel the need to share this content" - (View PDF, download and email) versus "We are going to actively assist you in Sharing this content beyond the other folks in your community, who have all asked or decided that walling off this content - at least for now - was more important than letting others see it".

                     

                    Not to restate this too many times, but this just seems like a case where the functionality runs contrary to the primary use cases we have - and Jive has always discussed as well, for Private or Secret communities to start with.

                     

                    I think the "External Communities" capability currently available in Jive Cloud is a great example of extending functionality without violating the design principle. I can invite someone to a participate in A group without them seeing all the other groups in the site.

                     

                    In personal social terms, the UPS driver is welcome to be in my foyer while he is delivering my package, but if he moved to my deck and asked for a drink or started wandering around in the upstairs bedrooms, it would be a huge violation of social protocol.  He or she would even find it about creepy if I were the one to invite them to do so.

                     

                    Ben

                    • Re: Control Sharing of content within Private or Secret Groups with Group non-Members?
                      ben.taub

                      All,

                      I updated the title of this post to clarify that we are concerned about the sharing of content posted within a private or secret group with group non-members.

                      Ben

                      • Re: Control Sharing of content within Private or Secret Groups with Group non-Members?
                        tmaurer

                        I can understand why you might want an option to disable the ability to share. but I personally feel that the messaging that is in place and the manner in which it works are fine. You want to allow people to share one specific item within a group with someone who isn't privy to the entire contents of the group. And the person sharing is giving explicit notice that the person they are sharing with can't actually see the content. If the file was on a shared drive or being passed around via email, there would be no "locks" preventing it from being shared. And even if there were, the person can take screenshots and share. There are always ways around walls. The important thing is to share expectations and make sure people understand, especially in the case of a "top secret" group (which maybe shouldn't exist in jive if you are concerned about this kind of sharing - that is how our Internal Audit folks feel about it, anyway).

                          • Re: Control Sharing of content within Private or Secret Groups with Group non-Members?
                            ben.taub

                            Tracy,

                            For us this is more of a "posture thing" than a functionality thing.  Users could always share content within a private or secret group by downloading it and then emailing it to the person, and at that level there is really no lock that could be implemented to prevent it - but Jive did not help them do it.  The functionality within Jive 5.0 was that the Share would go out, but if someone who was not in the private or secret group clicked on the link in the share, they would be taken to a "You do not have access to this content page" - which is really what we want back in Jive 6.0.  That makes the whole thing internally consistent, if that makes any sense.

                             

                            Also, this change in functionality between 5 and 6 is not really well documented anywhere.

                             

                            I understand what you mean about the Internal Audit folks.  We discourage that kind of intensely private group, but we govern as if it is occurring to prevent auditors from freaking out.

                             

                            Ben

                              • Re: Control Sharing of content within Private or Secret Groups with Group non-Members?
                                it2000

                                'Jive did not help them' seems to be the key. We always want more user friendly applications, so usually Jive should help the user to get things done. But sometimes help like this must be disabled.

                                The share idea is good - The implementation to duplicate content and send it out of the plattform is very questionable. A temporary virtual sharing group may be much better.

                                • Re: Control Sharing of content within Private or Secret Groups with Group non-Members?
                                  tmaurer

                                  So my confusion with your statements is that I see it working this very save way in Jive 5 (which we are currently running on):

                                   

                                  The test user I sent it to (my gmail address) gets the PDF, plus a link to the group itself, which won't work (as you have described). As I said before, I don't understand why this is poor behavior on the part of Jive. And from a management/security standpoint, I think it means people are more likely to be conscious of what they are sharing and less likely to invite someone into a Private or Secret group just because they need/want them to have access to one single document that exists there.

                              • Re: Control Sharing of content within Private or Secret Groups with Group non-Members?
                                Jason.Hall

                                Hey not to kick this up again but for our instance of Jive we are more concerned with maintaining group privacy expectations over hampering a member's ability to share.  That said we see the value in keeping the Share feature while disabling the ability to send content to non-members.  So if you all ever make this an admin configuration (which would be awesome) it should merely prevent content being sent out to non-members, not a complete disabling of the share feature.

                                 

                                Since we had to tackle this before our 6.0 rollout, we have modified the behavior to still send a notification/email to non group members & non community members alike.  We've also modified the "Unauthorized Page" on Private groups to include the name of the group so the non-group member can request access.

                                 

                                Is this being tracked as an idea/issue?