Vendor permissions seem very unsafe

Hey all!
I am currently working on making our Shotgrid as safe as possible and I ran into some security problems.
As far as I can see, there is no way for me to restrict the vendor’s access to see other users and groups.
We have a lot of vendors and it is very important that every vendor user can only see themselves and the group they are assigned to.
I might be wrong but it feels like this should be the default for vendor permissions or am I missing something?

Best,
Tobi

You should definitely turn off their ability to navigate.
We usually set up vendor homepages for clients and the permissions should be locked down as tight as possible.

If you make sure they can't see the nav bar and, for example, can't show hidden fields, then you can customize the experience as much as possible.

You can also turn off access to various entities.

Hi Ricardo,
Yeah, I am doing all of the above, but vendors could still "play" around with the URLs and see all the user or group details.

Our vendors have to use ShotGrid Desktop with custom tools, so I tested what somebody with vendor permissions could find out while using the Python API, and getting all user and group info was way too easy.
Unfortunately, hiding fields in the user and group entities is not an option, because this breaks SG and SG Desktop.
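
The enumeration check described in the post above, written out as an added example (this is not code from the thread or from Autodesk). It logs in as a vendor user through the ShotGrid Python API, lists every HumanUser and Group the account can read, and reports whatever falls outside the vendor's own user record and own groups. The site URL, the vendor login/password, the `audit_live` and `find_exposed` helper names, and the "expected = self plus own groups" rule are assumptions; the sample records at the bottom are constructed so the comparison logic can run offline without a ShotGrid site.

```python
"""Audit what a vendor-permission account can enumerate via the ShotGrid API.

Added example, not part of the original thread. Assumes shotgun_api3 is
installed for the live check; the comparison logic itself runs offline.
"""
from __future__ import annotations

from typing import Any, Dict, List, Tuple

Entity = Dict[str, Any]  # a ShotGrid record: {"type": ..., "id": ..., <fields>}


def expected_ids(me: Entity) -> Tuple[int, set]:
    """Own HumanUser id plus the ids of the groups the vendor belongs to."""
    own_groups = {g["id"] for g in (me.get("groups") or [])}
    return me["id"], own_groups


def find_exposed(me: Entity, users: List[Entity], groups: List[Entity]) -> Dict[str, list]:
    """Split what the vendor can read into the part it should not be able to see.

    Returns the foreign HumanUser records, the foreign Group records, and the
    ids of users that become reachable only through the `users` field of a
    foreign group (membership lists leak people even if their own records
    were filtered).
    """
    my_id, my_groups = expected_ids(me)
    foreign_users = [u for u in users if u["id"] != my_id]
    foreign_groups = [g for g in groups if g["id"] not in my_groups]
    via_groups = sorted(
        {m["id"] for g in foreign_groups for m in (g.get("users") or []) if m["id"] != my_id}
    )
    return {
        "users": foreign_users,
        "groups": foreign_groups,
        "members_via_groups": via_groups,
    }


def audit_live(base_url: str, login: str, password: str) -> Dict[str, list]:
    """Run the same check against a real site, authenticated as the vendor.

    Hypothetical usage: audit_live("https://example.shotgrid.autodesk.com",
    "vendor.user", "secret"). Uses only shotgun_api3.Shotgun, find_one and find.
    """
    import shotgun_api3  # imported lazily so the offline part needs no dependency

    sg = shotgun_api3.Shotgun(base_url, login=login, password=password)
    me = sg.find_one("HumanUser", [["login", "is", login]], ["login", "groups"])
    # Empty filter lists: ask for everything the permission set lets us read.
    users = sg.find("HumanUser", [], ["login", "email", "groups"])
    groups = sg.find("Group", [], ["code", "users"])
    return find_exposed(me, users, groups)


# Constructed sample data standing in for what sg.find() might return to a
# vendor account whose permissions do not scope HumanUser/Group visibility.
SAMPLE_ME: Entity = {"type": "HumanUser", "id": 7, "login": "vendor.a",
                     "groups": [{"type": "Group", "id": 20}]}
SAMPLE_USERS: List[Entity] = [
    {"type": "HumanUser", "id": 7, "login": "vendor.a", "email": "a@vendor-a.example"},
    {"type": "HumanUser", "id": 8, "login": "vendor.b", "email": "b@vendor-b.example"},
    {"type": "HumanUser", "id": 2, "login": "sup.lead", "email": "lead@studio.example"},
]
SAMPLE_GROUPS: List[Entity] = [
    {"type": "Group", "id": 20, "code": "Vendor A", "users": [{"type": "HumanUser", "id": 7}]},
    {"type": "Group", "id": 21, "code": "Vendor B", "users": [{"type": "HumanUser", "id": 8}]},
    {"type": "Group", "id": 1, "code": "Studio", "users": [{"type": "HumanUser", "id": 2}]},
]


def sample_report() -> Dict[str, list]:
    """Offline run over the constructed records."""
    return find_exposed(SAMPLE_ME, SAMPLE_USERS, SAMPLE_GROUPS)


if __name__ == "__main__":
    result = sample_report()
    print(f"foreign users visible : {[u['login'] for u in result['users']]}")
    print(f"foreign groups visible: {[g['code'] for g in result['groups']]}")
    print(f"members leaked via groups: {result['members_via_groups']}")
```

A clean result is three empty lists; anything else is what another vendor could read with nothing more than their own credentials and the API, regardless of how the web UI navigation is locked down.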

Hey Tobi,

If you want to further lock things down you can ask Autodesk support to help you lock down the conditional permissions even more.

Have a look at the existing ones, maybe you can supply them some extra lockdown conditions.

1 Like

Yeah, that’s what I thought.
Was hoping to find a way to do it myself. I think, as an Admin, I really should be able to.
Let’s hope Autodesk is giving us a better way to edit conditional permissions in 2023 :slight_smile:

Best and thanks again,
Tobi

2 Likes