Solved

Is there a way to make portals private to users only?

  • 2 March 2023
  • 6 replies
  • 36 views
mwinters
Badge

We would like to roll out a Portal to our customers. However, for various reasons, we are concerned about the possibility of a customer sharing the link to our Portal with one of our competitors. We would like to prevent this from happening.

We know that there is a way to integrate the Portal into our product using single sign on. But from our research it seems like this integration would simply send us additional details about who accessed the Portal? It would not actually prevent a non-user from accessing the Portal.

I’d like to confirm that this is the case. If so, I think that this would be a very useful feature to add! I understand that private URL’s decrease the risk that the link will be found, but it does not actually protect our roadmap from someone actively trying to share it with people who should not have access.

icon

Best answer by Kami 2 March 2023, 11:09

View original

6 replies

Kami
Rank
Userlevel 3
Badge

Hi @mwinters, you are correct, Portals with private link will be accessible to anyone so it can be shared outside of your intended audience. Another functionality you could consider is password protected public roadmap which is more restrictive but focuses more on sharing the roadmap as opposed to collection feedback and validating ideas. 

I’ll log your feedback now so that we may consider it in the future. 

mwinters
Badge

Thank you Kami! I appreciate your response.

Yes, unfortunately the current functionality doesn’t quite cover our use case, as someone could easily share the password as well as the link.

scott.baldwin
Rank
Userlevel 7
Badge +13

@mwinters curious how you might see this working overall if this did exist. Could you share more specifics about your requirements and needs here? For example, some customers embed the portal in their website while making that part of their website only accessible to those with the credentials to access the portal. It can solve for some of this, but like with any embed is not bulletproof.

Head of Community & Product Evangelism
mwinters
Badge

Hi @scott.baldwin , yes what you describe is what we plan to do. However, as you say, embedding is not bulletproof. A reasonably determined person with basic technical skills could probably figure out how to get the link to the actual Portal, and then share with other folks. 

This will work for now, but just wanted to call this out as a request for the future. The more secure this link is, the happier we’ll be!

scott.baldwin
Rank
Userlevel 7
Badge +13

Thanks. I would still like to get more specifics about your requirements and needs here so I can share with our team. 

Head of Community & Product Evangelism
david.morgan
Rank
Userlevel 6
Badge +13

In the past, when I tried to get a portal going for customers, a fair number of the stakeholders were concerned about accessibility to non-customers. So just to give some ideas around what I was working with when speaking with leadership and the owner/board of directors: 

  1. SSO (OAuth 2.0/OpenID): The use-case around this was the idea that we could just pass on the same authentication from our product to access the portal. This would help with metrics (identifying accounts, persona/type of user [Admin/Manager/User/etc], and more) so that we had a better understanding of engagement + the user would not require another authentication. 
  2. Whitelisting IP Ranges: Due to the industry I’m in it is fairly common that employees are forced to work from the office or via VPN. We’ve offered a whitelisting service for users (removing 2FA) when logging in and we’ve extended this to our support domain to avoid having to require logins to begin with. Not perfect, not ideal, and a bit of a pain. 
  3. Embed-Only Portals w/ Obfuscation around Links: This was something I worked on with our IT for a little while. Not an ideal situation whatsoever, but we were grasping at straws by the time this came up as a discussion. 

Not sure about @mwinters’ use-cases, but figured I’d drop some since the same thought came up internally when I was poised to create a customer-accessible portal. 

Reply


Community Code of ConductCookie settings