UPDATE: Clearer admin settings
|
|
One of the long-standing points of confusion surrounding granting admin access in Basecamp has been where to actually grant it. It was hidden behind the Settings tab on the Dashboard. Not exactly intuitive. Tonight we pushed an update that moves admin access to the People tab. There’s now a checkbox labeled “Administrator” under the name of each person in the main company. Check the box and the person has admin access. Uncheck it and they don’t. Just like before, only admins will see this option or be able to change it. We certainly hope this makes granting admin access simpler. Sorry for making it so confusing all these years ;) |
|
|
Thank you. |
|
|
Our pleasure. We know this was a confusing PITA. |
|
|
Good change. Thanks! |
|
|
Thanks! |
|
|
I have to express my concern with this new Basecamp feature. With the new way to assign admins, all it takes is an errant click of the mouse by an unsuspecting admin to reveal what could be sensitive company information. Me and the other admins in my company feel that the ability to grant admin access should be more restrictive. Not only did we like it when it was ‘hidden behind the Settings tab on the Dashboard’, we would go one step farther and say that the account owner should be the only person who can grant admin privileges to the account. Granting any admin the privilege to further assign admin rights does not represent good systems management by most definitions. Please consider a more restrictive path to the matter of administrator privileges in Basecamp. The new way is a step backwards in our view. |
|
|
I would agree with metjeff, the new admin feature is far too easy for someone to make a mistake. I would at the very least like to see that only the Account Owner have the ability to see these checkboxes and make the change. |
|
|
Being an admin doesn’t reveal any sensitive company information. The account owner is the only person who can see billing information and invoices. Admins only have access to the projects they’re given access to see. The account owner is the only person with access to all projects. There is no sensitive company information revealed when someone becomes an admin. |
|
|
There is one piece of sensitive information that is available to Administrators:
All the Administrator has to do is edit the selected user, and then view the source code. This should be fixed ASAP – this is really not acceptable in my opinion, people assume their password is known only to them, whether it be Internet Banking or online forums – I know that should not be the case but every BaseCamp user isn’t technically savvy about these things. Thx, Chancer |
|
|
I agree, I’ve mentioned this security issue before as well. The password shouldn’t be available in the source. |
|
|
We do plan on changing the way the password field works this year. |
|
|
I’ve noticed that editing (and saving) a user now unchecks the admin check-box. Also, unchecking the “auto add this person to all future projects” gets automatically checked again so there’s no way to turn that off. (I’ll email this to support if it doesn’t get picked up here.) |
|
|
Oh, that’s not right. We’ll have a look at that. Thanks for letting us know. |
|
|
OMG – I send an email to support, no more comments |
|
|
Thanks Jason. |
|
|
Sure thing. The programmer who put this together is out of town until Monday, but we’ll see if we can have someone else take a look. |
|
|
Great! I’m surprised something like this hasn’t been flagged and fixed already. I have to admit I’ve never come across a password field that gets returned by the server pre-filled with the actual password (viewable in source). Glad to hear it’s on the way out. |
|
|
Just a reminder that this security flaw is still open. Administrators can view user passwords which I really feel should not be possible. This indicates passwords may be stored on Basecamp servers as ‘plain text’ – which I feel is a dangerous thing to do. |
|
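The password-in-source issue raised in the comments above, shown as an added example that is not part of the original thread and is not Basecamp's code: a pre-filled edit form beside a form that always renders the password input empty, backed by a salted PBKDF2 digest so there is no stored password to echo. The `User` struct, the function names and the iteration count are assumptions made for this sketch.

```ruby
require 'openssl'
require 'securerandom'
require 'erb'

# Hypothetical user record: holds a salt and a derived digest, never the password.
User = Struct.new(:name, :salt, :digest)

ITERATIONS = 200_000 # assumed work factor for this sketch; tune for your hardware

def derive(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                           length: 32, hash: 'sha256')
end

def set_password(user, password)
  user.salt = SecureRandom.random_bytes(16)
  user.digest = derive(password, user.salt)
  user
end

# Constant-time comparison of the stored digest with one derived from the candidate.
def password_matches?(user, candidate)
  OpenSSL.fixed_length_secure_compare(user.digest, derive(candidate, user.salt))
end

# Pattern described in the comments: the stored password is echoed into the
# value attribute, so anyone who can open the edit page can read it in the source.
def edit_form_prefilled(name, stored_password)
  %(<input type="text" name="name" value="#{ERB::Util.html_escape(name)}">\n) +
    %(<input type="password" name="password" value="#{ERB::Util.html_escape(stored_password)}">)
end

# Hardened form: the password input is always rendered empty.
def edit_form_hardened(user)
  %(<input type="text" name="name" value="#{ERB::Util.html_escape(user.name)}">\n) +
    %(<input type="password" name="password" value="" autocomplete="new-password">)
end

# A blank password field means "leave the password unchanged".
def apply_edit(user, params)
  user.name = params[:name] if params.key?(:name)
  new_password = params[:password].to_s
  set_password(user, new_password) unless new_password.empty?
  user
end
```

Treating a blank field as "unchanged" is what lets the form stop echoing a value while an admin can still edit a user's other details.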
|
I’m not sure that my earlier post was correctly understood. As the account owner, I am able to assign admin privileges and have done so to two other individuals in my company. Those new admins now have the ability to assign additional admins. I don’t see how this can be considered a good thing. My comment about sensitive information has nothing to do with billing. It has to do with project content. For example, we have a few projects that are for management eyes only (we discuss company finances, human resource matters, etc.). An ‘errant click of the mouse’, and by that I mean a true mistake, could expose that information to unintended individuals. Again, this is a clear risk (and one that I could easily see happen) that needs to be mitigated. As mentioned by another poster, all of this could be fixed by having the account owner, and only the account owner, have the ability to grant admin access. |
|
|
Nice update – it would be handy to click the labels for project permissions checkboxes. Basics people c’mon ;) Thanks for a great app and service once again – kee |
