unwanted behaviour at account creation
During account creation in DMPRoadmap, one can use any email address and choose to which organization one belongs. Afterwards, that person can view the DMPs that were only shared within the organization. That means that any random person who is not actually associated with the organization has access to DMPs meant to only be viewed within an organization and can view possibly sensitive information (email addresses, type of research being performed, who is associated with what research). For many institutions there is research performed on subjects that are sensitive for the public, and researchers can be targeted when it is known that they are involved in such research. Having a platform in which anyone from the public can create an account and freely choose which organization they would like to belong to without any validation seems very much unwanted behaviour and a security / privacy breach. The current workaround is to make every DMP private, but that defeats the purpose of sharing within an organization.
On some installations of DMPRoadmap there are already restrictions preventing users from manually changing their organisation to enhance security.
Additionally, here we are working to integrate the Research Organization Registry (RoR) (see Orion). This integration, expected to be completed by the end of July, will improve validation and ensure that an email address is associated only with the organisation it belongs to.
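One way to express the check this thread is asking for, as an added example that is not DMPRoadmap code: organisation-only plans become visible only when the user's confirmed email domain matches a domain registered for the organisation they claim. The `ORG_DOMAINS` table, the `User` and `Plan` structs and all method names are hypothetical, and the sample data is constructed.

```ruby
# Added illustration; hypothetical names, constructed data, not project code.
# Organisation id => email domains the organisation is known to own
# (assumed to be supplied by an administrator or an organisation registry).
ORG_DOMAINS = {
  "org-a" => ["uni-a.example"],
  "org-b" => ["uni-b.example"]
}.freeze

User = Struct.new(:email, :email_confirmed, :claimed_org, keyword_init: true)
Plan = Struct.new(:title, :org, :visibility, keyword_init: true)

# Lower-cased domain part of an address, or nil when it is malformed.
def email_domain(email)
  parts = email.to_s.strip.downcase.split("@", -1)
  return nil unless parts.size == 2 && parts.none?(&:empty?)
  parts[1]
end

# The organisation the user is verified to belong to, or nil.
# A self-selected organisation counts only when the address has been
# confirmed and its domain equals, or is a subdomain of, a registered one.
def verified_org(user)
  return nil unless user.email_confirmed
  domain = email_domain(user.email)
  allowed = ORG_DOMAINS[user.claimed_org]
  return nil if domain.nil? || allowed.nil?
  match = allowed.any? { |d| domain == d || domain.end_with?(".#{d}") }
  match ? user.claimed_org : nil
end

# Visibility decision for a plan; fails closed on anything unexpected.
def can_view?(user, plan)
  case plan.visibility
  when :public then true
  when :organisation then !plan.org.nil? && verified_org(user) == plan.org
  else false # private plans: owner and collaborator checks are out of scope
  end
end
```

Accounts that predate such a check would have `verified_org` return nil until their address is confirmed against a registered domain, so they lose organisation-level visibility rather than keeping an unverified claim.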
> On some installations of DMPRoadmap there are already restrictions preventing users from manually changing their organisation to enhance security.
Shouldn't that be available on all installations?
> are working to integrate the Research Organization Registry (RoR).
Will that then be available to everyone using DMPRoadmap? And what happens to everyone already signed in and associated with an organization? How does this work in conjunction with 'sign in with institutional credentials'? Currently a new user first has to create a DMP account (any email address used) and afterwards can link the DMP account with the 'institutional sign in option'. Does this mean that anyone who used a general email address (outlook, gmail) and linked that account to institutional sign in will be removed from the organization?
Created branch to work jointly on this with @andreadavanzo
@andreadavanzo I understood from above and our meeting that these features and the one from https://github.com/DMPRoadmap/roadmap/issues/3533 would be available end of July. Do you have a more specific time-frame when the updates will be present?
@Danny-dK Some parts have already been deployed and others will be released this week.
Closing this issue as implementations have been made.