|
Hi Dave,
?
If the desired resolution is to have Groups.IO?users manage their own accounts which apply globally across all groups remove moderator access to modify their account.?
?
For example in MS Teams a moderator of one team can¡¯t globally change user account settings (their login credential) of a user across all teams, only the user or an AD admin of the domain the user is a member can do so.
?
If an admin changes the user ?account information that change is neither broadcast nor is the originating admin name & user account info sent to other MS Teams owners in other organizations.
?
An easy way to fix the issue if Groups.IO continues to allow moderators to change user account settings is to notify no one other than the user the change has been made to their account and the group from which the change has originated as an additional validation step (AKA ¡°user, your account has been changed, did you ask for that change to be made¡±).?
?
If it¡¯s required by Groups.IO to notify all groups that user is a member of that their email address has been changed by a moderator is to notify everyone that it¡¯s been changed suppressing the source admin name and username.?
?
It¡¯s not clear to me what the justification or need is to notify other moderators of a non-user generated account change in the first place but sending out admin (moderator) account info into the ether to a number of unknown persons isn¡¯t a sound security practice, regardless of the composition of the moderators email address.
?
I¡¯m my case my information was used by other admins to contact me directly to ask how I changed a user in their group. They were worried about a hack/security exploit. I didn¡¯t provide this information to them, Groups.IO did without my knowledge, and the admins that did contact me had no idea that their changing a user account would notify other group admins forwarding their name and email address in the process.
?
As this wasn¡¯t documented but I was contacted I know no better, will refrain from making changes to user accounts. If the people we add - many of whom never log into groups.IO, a primary reason we use it - can¡¯t manage their own accounts we¡¯ll help them, teach them how or allow them to drop out of the system.
?
Have a great weekend.
?
[Ad removed by moderator]From: [email protected] <[email protected]> on behalf of dave w <groupsmaster@...>
Sent: Saturday, May 6, 2023 5:59:59 PM To: [email protected] <[email protected]> Subject: Re: [GMF] Member email address change on our group changed it on & notified another group ?
Gentlepersons involved, It is sad that an event created by a person (a moderator or owner), using an unusual and unintended way, modifying with authorisation or not (the account email) of a 'member' has created their own issue with which they disagree vehemently. I see no reason for BUA using these groups to be 'manage their account for them' as that is in itself a form of privacy breach [ie you don't own the people/ members, not their personal information] - yet have total control over that entity. Exceptional circumstances, yes a backdoor required, but not otherwise. Creating a solution may be easy- however creating the problem was even easier- an unintended use of private accounts. Should the feature be anonymised as requested/ demanded, then other problems will likely occur. It is perfectly appropriate for 'traceable' assets to be shown when such changes are made. Would you accept this as 'the norm' for any society, business or other venture, beyond 'admins' with license to modify? Respectfully, davew |
