Provide select host admins access to payee tax forms in the expense flow

[iamronen]

User story

I am fiscal host and I am been asked to audit a payee that has been paid an expense. I need to be able to review the payee tax-form in relation to an expense.

MVP

We can link Tax forms directly to a profile/expense based on the relevant fiscal year.

Because tax forms hold very sensitive information we will:

1. Limit access permission to only select admins (so that not all fiscal host admins have access to this).
2. Limit access by linking the request to paid expenses (we are not providing direct user based access to tax forms).
3. Force 2FA to download/view tax forms, then the risk factor is low.

Metrics

Our ability to respond to audit requests needs to be quick. Any delay in doing so can disrupt financial services (sending and/or receiving funds) a fiscal host. This solution will provide select fiscal host admins with rapid and independent access to tax forms that are related to their expenses only.

P2 low frequency, high impact

[Betree]

Limit access permission to only select admins (so that not all fiscal host admins have access to this).

How are we going to select which admins can see tax forms? Is it a setting in the interface?

[iamronen]

@Betree is this something we can figure out during the cycle or do you prefer it be addressed in advance?

Could it be addressed through our permission architecture?

[Betree]

@iamronen We can figure it out along the way; there's no concept of "privileged host admins" in the codebase at the moment, so we'd need to create that.

I have, however, doubts that I would like to clarify about the project itself: when I discussed this with @aminakazi last week, the only use case she shared with me was about this time when @BenJam needed to access some tax forms quickly and wasn't able to find them. To me, this event was an edge case that could have been addressed more easily with the right knowledge of how the system works. It was later escalated to the engineering team who took 5 minutes to resolve it.

Considering that:

• Tax forms are currently only enabled for internal fiscal hosts
• Internal fiscal host admins (should) have access to our Dropbox Forms account
• Dropbox Forms interface has everything we could hope for if exposing this in the frontend: search, view, actions (e.g. re-send form) - we're paying good money for that!

I feel like the implementation of a new feature like the one suggested here, which introduces complexity and new threat vectors in our model, isn't really justified.

I'd be happy to review my position if I'm missing important use cases.

[iamronen]

I defer this to @BenJam

[aminakazi]

Hey @Betree!
I spoke to the fiscal host admins and they mentioned that there would be additional benefits of being able to download the tax forms, especially from a point of fraud and making sure the payee details match etc.

That being said, I agree with the points you've laid out about using the Dropbox Forms. I don't have a strong opinion about either of the ways forward.

[Betree]

With #7216 coming to completion and #7346 being prioritized for implementation, we'll soon be ready to enable this feature for more fiscal hosts.

However, as mentioned by @aerugo and @znarf, there will be some restrictions on who can access them, given how sensitive this feature is:

• We need to have a relationship of trust with the fiscal host.
• The host must comply with security best practices, like enforcing 2FA for all admins.
• We may require them to sign a specific contract.