• Resolved smhcis

    (@smhcis)


    @lauragoogleanalytics, we had previously begun discussing the possibility of locking the analytics account that could be used with the plugin, as agencies may have many accounts they are using in Google Analytics, but only want to give access to a client via the plugin to one.

    Here’s what you had suggested:

    Hello @smhcis,

    When an app is authorized, it receives an access_token, which acts like a key to the entire account, including all profiles.

    That access_token is then saved in the database, and used to communicate with Google’s API, to list the profiles or get their data (sessions, pages, etc.).

    So, a WordPress user with administration privileges will be able to read that key, and can use it to get the list of profiles and their data.

    With that said, it makes no sense to ask the user to re-authorize, as the access_token they already have in the database can access all data, so it’s just a false sense of security.

    IMHO, if you are required to give the user administration privileges, then the best way to do it is the following (I didn’t try it, but it should work):

    1 – From your Google Analytics account, add the user to only a ‘view’ and restrict their access, as discussed here.

    2 – After that, let the user authorize the app with their own email address, and not yours.

    This way, the generated “access_token” will only have access to the restricted view, and nothing else.

    Please feel free to correct me if I missed something.

    Thanks,
    Lara Support Team.

    The problem with that is that not all of my clients have a Google account nor do they WANT one. Most of my clients have no interest in messing with the settings of their website and wouldn’t even know they could change the plugin to show a different client’s information. However, that doesn’t make it a good practice.

    I like the easy access this gives to analytic information and the fact that it requests so little in the way of permissions from my GA account, but I can’t in good conscience put this on a client site and leave all my other client information so unprotected.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Contributor Lara Google Analytics – Support

    (@laragoogleanalytics)

    Hello @smhcis,

    The moment you authorize any app to connect to your GA account, and the “access_token” is saved in your client’s WordPress database, you are essentially giving him/her access to “read” the entire account’s data.

    The way the other plugins are forcing you to re-authorize doesn’t change this fact.

    Before the re-authorization, the access_token was in the database, and after the re-authorization, the new access_token will also be saved in the database.

    So, to keep things really secure:

    1 – If you are hosting your clients’ websites, then you can give them a role other than administrator, and restrict their access to prevent them from installing plugins or accessing the database (then you can use our plugin’s permission tab to restrict their access to the plugin’s settings).

    2 – If you are not hosting their websites, then give them restricted access to your GA views, as discussed before, which will require them to have a Google account (btw, they can create a Google account using their own, non-Gmail email address).

    I hope it is clear now.

    Plugin Contributor Lara Google Analytics – Support

    (@laragoogleanalytics)

    Just a quick thought: if we added an option to lock the account/view, with a notice explaining that, if the user has access to the database or files, and some technical knowledge, he/she will be able to overcome the restriction, will that be sufficient?

    Thread Starter smhcis

    (@smhcis)

    That would be sufficient for my needs. My clients don’t have access to the database or files and most have limited knowledge of WordPress. It’s more to keep them from clicking around and accidentally getting into things they aren’t supposed to.

    Plugin Contributor Lara Google Analytics – Support

    (@laragoogleanalytics)

    Great, expect this to be included in the next update, which should be released within the next few days.

    Stay tuned, as it will also include some awesome features.

    Thread Starter smhcis

    (@smhcis)

    Thank you for listening to my feedback!

    Plugin Contributor Lara Google Analytics – Support

    (@laragoogleanalytics)

    @smhcis,

    We have just released v3.2.0, which adds the ability to lock the settings, along with some other cool features, like a WooCommerce earnings graph.

  • The topic ‘Locking Analytics Account’ is closed to new replies.