Title: What does the "Access Address Book" permission cover?
This note describes exactly what is covered by the ' Access Address Book' TeamPage server permission, as well as what other settings are available to control access to potentially sensitive TeamPage user profile information.
Users can search for other users by their TeamPage user name or display name. 'Access Address Book' permission allows a user to get user search matches based on email addresses, organization names or other profile details. Without this permission, users can only search by a person's display name or user account name, even when searching against sources that TeamPage may offer from connected external directory systems, such as Microsoft Active Directory servers.
(Note that available profile information depends upon what information the user may have manually provided, as well as on what information TeamPage is configured to gather from any external identity systems.)
This applies anywhere TeamPage offers user or email search. That includes:
the search box, which offers type-ahead completion suggestions for users;
the invitation form's recipient fields;
the email reply and email articles forms' recipient fields;
the task form's Assigned and Notify fields; and
suggestions for @ mentions when editing content.
User Profile Visibility
In general, Access Address Book permission also allows a user to view other users' profile details.
User Preferences for Controlling Profile Visibility
Users have two preferences that they can set to control who can see their profile details without having Access Address Book permission. These preferences are specified on each user's account settings > Personal Info > Profile Page.
Allow All Registered Users to See Your Profile Information
This preference allows a user to choose whether other registered users (those who have named TeamPage accounts) who do not have Access Address Book permission should still be allowed to see their profile details. The default value is "yes." Selecting "no" means that only users who have Access Address Book or Server Setup permission would have access to the user's profile details.
Allow Anonymous Visitors to See Your Profile Information
This preference allows the user to indicate whether visitors (those using the built-in Visitor account) should be allowed to see their profile details without having Access Address Book permission. The default value is 'no.' Selecting 'yes' will allow Visitor to have access to the user's profile details.
Server Settings for Controlling Profile Visibility
Limit Visitor Access to Named User Account Information
This setting provides a way to limit the access that the built-in Visitor account has to information about named user accounts as a server level policy. Choosing 'yes' will prevent Visitor from seeing profile details, and may cause certain profile information for named accounts to be omitted depending upon the context. It will also partially override the visibility that the Visitor account would otherwise have as a result of being granted 'Access Address Book' permission. This setting is specified on the server settings > General > Customizations,. Only server administrators (users who have 'Server Setup' permission) can modify it. This setting is set to 'no' by default.
Even if this setting is set to 'no,' Visitor's access to information about named user accounts will be somewhat limited if the Visitor account's effective permissions do not include 'Access Address Book'. Without 'Access Address Book' permission, users can still opt in to allowing Visitor to access their profile details (by choosing "yes" for the "Allow Anonymous Visitors to See Your Profile Information" preference). The Visitor account can also be disabled at both the license and user directory configuration level; and even if it is enabled, administrators have the choice of whether to grant Vistior "Login" permission, without which the Visitor account cannot be used interactively.
Other Features and Capabilities Governed by Access Address Book Permission
The 'Visibility' tool (available on the context menu) allows a user to see a list of the users that are allowed to read a particular entry. The Access Address Book permission is required to use it.
TeamPage's live activity feature displays information in forms about what related activities that other users are currently performing. For example, if you're editing an entry, the live activity display would show a list of other related operations currently underway, or which have been recently completed -- e.g., "John Doe is also editing Foo57." or "Jane Doe has just finished replying to Bar23." This feature is only visible to users who have Access Address Book permission.
Error Message Details for Denied Requests Involving New or Existing User Account Details
TeamPage will generate error messages if a user requests a resource that they're not allowed to see, or to perform an operation that they're not allowed to perform. In some cases, such requests may involve user accounts, in which case a user who does not have Access Address Book permission will generally see a generic message which does not necessarily confirm the existence of a user account. Users who do have Access Address Book permission may be privy to more specific error messages.