Experimental Feature: Setting Up Custom Fields

(Rory O'donnell) #21

Hey this is great, but similar to merged results, if you have multiple users in that group that shouldn’t know about each other then it’s a security vulnerability b/c now they know about people in groups that don’t overlap.

For example if I have 3 different user groups that I want to bucket people in and I have a ‘experimental feature’ group that I need to bucket people into to use the new feature. I now am exposing users in these three groups to each other if they’re all part of the experimental feature. That kind of sucks. Is there a way to prevent this? Pretty sure @dgroman1988 brought up the same issue on another post I found.

(Dan Groman) #22

Yeah we experienced this and escalated to @gretchen.reyes, @Trevor_Heath and @sharon. I believe this is an item that the product team is looking into.

Can anyone confirm that?

(Izzy Miller) #23

Hey @Rory_O_Donnell and @dgroman1988,

We’ve heard this feedback and are looking into different ways to allow access to these experimental features-- We want to make sure we’re not accidentally exposing people to experimental functionality without being absolutely sure they want to opt-in, but I hear your difficulties with getting this to mesh with a closed system.

So we can have the most context, would you rather have this be a feature that an Admin can turn on and then it’s just on for everyone, or rather have some kind of actual permission like see_custom_fields and create_custom_fields? Or, any other ideas!


(Dan Groman) #24

For context, your guys’ group implementation can accidentally expose users to groups of users who shouldn’t know about them. Beta groups shouldn’t allow other users to discover who else is on the platform.

(maanul) #25

Hi @dgroman1988, Thank you for brining this to our attention. Can you please email security@looker.com with the steps to reproduce this issue?