The longer I use the product the more concerns I have.
1) My portal configuration is set up so that users can't register for access from the portal. However, that doesn't matter if the user sends in an email because the user is registered as an activated contact when the email comes in. This allows the user in question to use the recover password function on the portal to effectively create a login on the portal. This bypasses the activation email and the security setting on the portal.
2) If a contact changes roles at a company and is no longer authorized access to the portal, the only recourse is to delete the contact. There is no disable access capability on a per contact basis.
3) Emails to the support@yourcompany.com email address from new contacts by default send out an activation email to the customer. Admins must disable that email notification. Even then that doesn't stop a user from access the portal though. The user in question can do a password recovery and get access to the portal.
What I would like to see is better control over who has access to the portal. Just because someone sends in an email does not make them an authorized user for the portal. There needs to be a configurable option for portal access. A way of doing this is with a checkbox in the contact details that says "Allow Access to Portal" and a slider in the portal settings, "Allow all contacts access to the portal" that acts as a global setting. If the slider in the portal settings is set to yes then the checkbox is grayed out as an option in the contact details. It's a relatively straightforward solution but not the only one.
I'd really like this addressed before my next annual renewal. If not I'll have to start looking for a different solution provider that does give me the level of security and control I need.