SECURITY BUG?: Members Cannot Be Removed From Teams. Adding Team Member Grants Non-Removable Access!

GreenFlux
Participant V

Does anyone know how to remove a member from your Team?

You can invite someone to join, but I can’t find the option to remove their access!

This seems like a major security issue.


The Team Member has admin access TO ALL APPS in my account.

Fortunately, I am the owner of this other account and only added it for testing. But what if you wanted to remove a former/disgruntled employee? This could be a nightmare.

Also, the ‘Download Membership Data’ button downloads an empty file. And the User Names are blurred in browser (I did not add the blur).


I contacted support, but the only reply I got was regarding the User-List for individual apps, which is unrelated.

This setting granted access to all apps at once, and that is what I am trying to remove. The team member is not listed in the individual app-users and so they could not be removed from that list.


Hi, unfortunately you can’t remove users from My Teams at this moment. Though we would like to understand what’s the reason for this. Let me find the ticket and let’s discuss more about the possible reasons for this request.

Thanks, Aleksi

What if I had added the wrong user?

This feature grants FULL ADMIN ACCESS TO ALL APPS! How can there be no way to undo this?!

I’m really glad I only added another one of my own emails and not a client or app-user. I was hoping I had just overlooked the ‘Remove’ option.

This could take down an entire business if an employee is terminated and can’t be removed as an admin.

And, I just realized this also grants admin access to Co-Authored apps!

So the team member I want to remove not only has full control over my apps, but also all of those shared to me as a co-author.


There should be a giant warning on the “Invite” button until a method of removing Team Members has been deployed.

@praveen, apologies for publicly disclosing this vulnerability. I thought I just overlooked the ‘Remove’ option.

Same here.

@GreenFlux there may be a misunderstanding.

The general idea with “Teams” is that people with the same corporate domain (in your case, @greenflux.us for example) are logically and automatically part of the same team.

Team membership has nothing to do with co-authoring apps. There is some element of app sharing you can do with others in your team (i.e. Appsheet users in your domain). That’s why there isn’t an add and delete option — it isn’t manually controlled membership.

Mostly, the MyTeams option is valuable for those who purchase a corporate plan. For a corporate plan, there is a team root admin, additional admins who can monitor apps/usage, and richer capabilities to download membership, usage stats, centralized billing, etc.

So to hopefully address your alarm, team membership does not grant full admin access to all apps. You cannot add users outside your domain. I’m guessing the second account you added was also from your same corporate domain.

NO. And I do not own/manage the domain for this other account. That is the most concerning part.

I am assigned ownership of a single account on another domain-- not @greenflux.us, but me@someotherdomain.com. And I can not remove this user’s access to my main account- support@greenflux.us.


I can currently log into appsheet.com as me@someotherdomain.com and edit apps owned by support@greenflux.us, as well as apps I do not own, but ones that are shared to support@greenflux.us.

I still have control of this other account, but it is not my domain. And I can not figure out how to disconnect the admin access me@someotherdomain.com has for support@greenflux.us’s AppSheet apps.


I just re-confirmed this by logging into appsheet.com in a private tab as me@someotherdomain.com, and added a table to an app owned by support@greenflux.us. I saved and verified the change from my support@greenflux.us account.

me@someotherdomain.com is NOT in the list of app users for this app, never has been, and it’s not even my app. I tested this on one of the apps that’s shared to me.

I’m a ‘hidden’ admin of all apps and my access can not be revoked. I’ve tried clearing my cache/browser history. MacOS 10.15.6 /Chrome.

UPDATE: This ONLY affects apps Shared to my account, support@greenflux.us.

I have a lot of similarly named/icon’ed apps in my account and the client’s account, so I thought it was both at first.

So the apps in my account are ok, but, apps shared to me have admin access from this other account that I can’t remove.

It seems like there’s a second-degree Team linking going on. If I add a member to my team, they have access to apps I do not own, but are shared to me, and I can not remove that access because there’s no option to remove team members.


Is this not a bug? How many Team-Member links away will this behavior propagate? Does Kevin Bacon have access to my account!?

What would happen if someone at AppSheet accidentally added badguy@someotherdomain.com to their team and could not remove them?

I don’t think this feature is behaving the way you expect it to-- at least not for me.

And why are the names of my own team members blurred? I just don’t understand the Teams feature at all. Sorry if I’m misinterpreting its intended usage but I seem to have used it in the wrong way and can not correct it.

I like the 6 degrees of Kevin Bacon analogy, but nothing like that is supposed to be going on. Let’s take a look at the specifics of your situation and see what’s going on.

I’ll need a support ticket with the info about the two accounts and maybe the name of one of the apps where you think something weird is going on. Could you do that for me please, and also indicate that we’ve been talking via this thread, so please request it be routed to me (that way, our frontline support folks will short-circuit their usual process and I’ll get to look at it). Clearly there is something going on.

Access control to an app is pretty straightforward. Only the app owner can edit the app. Unless you explicitly add a co-author. Team membership doesn’t come into the picture. There is something else at play here.

I just replied on the original ticket and added a bunch of details and account numbers for troubleshooting.

Please let me know if you need any other info, and thank you for looking into it!

Would appreciate a summary of the resolution once everything’s settled. I’m really curious!

Josephine
Participant III

I’d also be interested in the outcome; I had a similar question and spent some time with support, but didn’t get any clarity on how teams work, why they are greyed out etc.
I also wanted to know whether we could set certain users (in the domain) as app creators and others just as users, but that doesn’t seem possible - it’s an all or nothing approach.

I tried support as well. I did get a few responses, but was never able to get an answer on the Team Members being greyed out, or how to identify/remove them.


I did find out that the Shared Drives feature is what was granting full access to all my apps to another account, and was able to remove the access by removing the Shared Drive. This also removed the member from the list of Team Members. I had added the Shared Drive a while ago, thinking it only shared the data source, and not admin editor access to all apps.

So although there is no direct button to remove Team Members, they can be removed by unsharing the Shared Drive that gave them access.

I was not able to find a way to ‘revoke’ this access from my main account, though. I had to log in as the other team member and remove the Shared Drive from that account. So I guess if you can’t log in as the other Team Member then you would have to change your password to prevent further access by that Team Member.

Guillermo
Participant V

I totally agree with you, @GreenFlux. Is this still working like this? I was thinking of creating a membership on my web and granting access only to the members to the definition of some complex apps. But reading this, I think I’m not going to give it a try for the moment. It could be very dangerous to do something irreversible.
