Disallow group admin from elevating group permission from admin console above their collaboration access
Currently, if a group admin is individually invited to a folder as a viewer, the group admin can add the folder to a group as editors.
We have removed the ability for group admins to elevate access levels to folders. This has been shipped and is available in production.
Frederic Breard commented
We are facing the same problem at a major Box client (20K seats).
We are intensively using groups and group admins and this issue creates a huge security breach.
This should not be considered as a suggestion for a new feature but as a major security risk which requests an urgent fix.
This is a major issue that directly impacts the security of Box.
Koji Shiraishi commented
If the user account of a Group Admin is invited as a Viewer (or any access level lower than Editor), she should not be able to change this.
However, the Group Admin can edit this access level by going to group settings and editing a shared folder of the group.