Hey n8n Community
I am setting up n8n 1.114.4, currently a self hosted deployment, which will hopefully scale to dozens of users on my org. We aim to create workflows that access Google Drive files, Gmail, Slack, DBs and other organizational apps. I am still learning it and appreciating your professional guidance regarding the following issue:
As i checked, and as the docs state, Owners and Admin users can see and edit all workflows, credentials, and projects. It seem ODD that when a member user create a credential, for example to his organizational Google Drive with read/write permissions, the n8n Owner(s) will be able to use those user credentials as well and thus get access to the user’s Google Drive. While this drive is ‘organizational’ and is used for some n8n workflows it wasn’t intended by the user to be accessible by someone else via n8n as it was done using an OAUTH authentication. Unlike when you simply keep credentials to an organizational DB where the owner might have access to anyway, he does not suppose to get access to your Google Drive or be able to send email on your behalf from Gmail simply because he’s the Owner of n8n and posses access to use these OAUTH credentials freely.
It seems that if a credential went through OAUTH authentication than it suppose to remain PERSONAL without the possibility to be used by anyone else without explicit sharing.
It is a security and trust breach which needs to be addressed.
Please enlighten me - Is there a best practice that i miss? is there a PRO/Enterprise feature that mitigate that?