Hi all, my team is having some confusion about view-ability of reports. When I set a report to private, others can still see it, however I think some other users’ private reports are actually private. Are there some details about how to make reports private that we’re missing? cc @ambitious-apartment-58735 @orange-magician-36994

@happy-autumn-40938 can you help?

It’s actually also possible that no users’ reports are hidden from others and instead somehow reports were deleted when we upgraded to 3.5 - is that something you’ve seen before?

no, we've not seen that

How it currently works is if view access is set to "only me", then the report is unlisted and undiscoverable. Anybody who has the link for whatever reason can still view the report. I can see how this might be unexpected; we're open to changing the behavior to fully block access for non-owners.

Ok thanks. We’ve had some instances where reports are set to “only me” but they still appear in the Custom Reports list to all users. I’ll try to recreate it and send screenshots if I’m able

I suppose the caveat here is that admin users have full access to discover unlisted reports. Perhaps something like that happened?

Oh so admin users should still see reports set to “private” under the “Custom Reports” list of an experiment?

that's correct

Hmm that’s also not always the behavior we’ve seen. I (an admin) created a report and set it to private and another admin could not see it

odd. I can have a closer look and see if something is broken

Ok thanks. If that is indeed the way it works though, it would be good to add to the documentation I think. Right now it says if you set a report to private only you can see it

agreed. By chance do you have custom roles / permissions? I see that report viewability for non-owners is actually determined by whether the user has "superDeleteReport" permissions, which is typically only for admins.

no, we have no custom roles set up

Hi, had a chance to look a bit more at this. It looks like admins are not able to discover unpublished reports, yet can still access and modify them if they have the link. Some of these behaviors may not work as expected for older reports (originally created 4+ months ago). We introduced the reports permissions model around that time and it is not applied retroactively.

Hi @happy-autumn-40938 thanks for the follow up. I believe that is now the behavior we see post upgrade to 3.5 last week, but prior to upgrading to 3.5, many users (i’m not sure if they were all admins or not), were able to discover unpublished reports

that is correct. The old reports don't cleanly update to the new format, so we're stuck with less-than-ideal backwards compatible rendering, unfortunately

Gotcha, thanks for confirming

@happy-autumn-40938 it would be preferable for us if private reports still appeared in the list of "Custom Reports" for an experiment, but just couldn't be opened by certain users. The way things are set up now the old, private reports (that we didn't intend to restrict) disappear for anyone but the owner, so folks might think they have to create that report (actually a duplicate) when they could just ask for a permission change. Is that a possible change? Or is there another (better?) way to get at the same goal?