A significant security issue exists which exposes otherwise secured Cases, Leads and Opportunities to other Business Units when the Account/Contact assigned is owned by that Business Unit.
If your organisation uses security roles to restrict access to entities by Business Unit, then you may be in for a surprise.
Scenario
- Consider two Business Units where BU A is the parent and BU B is the child.
- Security roles for the Case, Lead and Opportunity entities are all set to Parent/Child.
- All Accounts and Contacts are owned by BU B in order to make them available to everyone.
- BU A (parent) has the need to create these records in a secure manner that doesn't expose them to the rest of the organization.
- A user from BU A creates a Case and assigns a Contact to the Customer field.
- The Case can now be viewed and edited by anyone in BU B.
This occurs due to a flawed association and is in no way expected.
What's even more bizarre is that when the ownership of the Contact is changed to BU A and then back to BU B, the Case is no longer viewable by BU B - which is expected!
The same behaviour also affects the Account field for Leads and Opportunities.
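An audit for the exposure described in the scenario above, added here as an example and not part of the original post: it flags Cases, Leads and Opportunities whose Customer is owned by a Business Unit that would not reach the record under Parent/Child depth alone. The record ids, dictionary keys and function names are hypothetical, and the sample data is constructed to stand in for an export of your own records.

```python
# Constructed sample data. BU names follow the scenario; ids and keys are hypothetical.
BU_PARENT = {"BU A": None, "BU B": "BU A"}  # child BU -> parent BU

# Customer (Account/Contact) id -> owning Business Unit
CUSTOMERS = {"contact-1": "BU B", "account-1": "BU B", "contact-2": "BU A"}

RECORDS = [
    {"id": "case-1", "type": "Case", "owning_bu": "BU A", "customer": "contact-1"},
    {"id": "opp-1", "type": "Opportunity", "owning_bu": "BU A", "customer": "account-1"},
    {"id": "case-2", "type": "Case", "owning_bu": "BU B", "customer": "contact-1"},
    {"id": "lead-1", "type": "Lead", "owning_bu": "BU A", "customer": "contact-2"},
    {"id": "case-3", "type": "Case", "owning_bu": "BU B", "customer": "contact-2"},
]


def bus_with_expected_access(owning_bu, bu_parent):
    """BUs whose users reach a record under Parent/Child depth:
    the owning BU itself plus every ancestor above it."""
    seen = set()
    bu = owning_bu
    while bu is not None and bu not in seen:  # 'seen' also guards against cycles
        seen.add(bu)
        bu = bu_parent.get(bu)
    return seen


def find_exposed(records, customers, bu_parent):
    """Return (record id, owning BU, customer's BU) for each record whose
    Customer is owned by a BU outside the expected-access set."""
    findings = []
    for rec in records:
        customer_bu = customers.get(rec["customer"])
        if customer_bu is None:
            continue  # no customer set, or customer missing from the export
        if customer_bu not in bus_with_expected_access(rec["owning_bu"], bu_parent):
            findings.append((rec["id"], rec["owning_bu"], customer_bu))
    return findings


if __name__ == "__main__":
    for rec_id, owner_bu, customer_bu in find_exposed(RECORDS, CUSTOMERS, BU_PARENT):
        print(f"{rec_id}: owned by {owner_bu}, customer owned by {customer_bu}")
```

Records owned by BU B with a BU A customer are not flagged, because BU A already reaches them as the parent.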
Comments
Could a forum admin please change the category for this idea to Security? There doesn't seem to be an edit option after posting. :( Thanks in advance.
Category: Unified Experience: Search, navigation and performance

ContactFirstName7 ContactLastName7 (administrator)
Thank you for your feedback. We are declining/closing this idea as it has been open for more than 2 years and has not received a sufficient number of votes. If the idea is still valid, we request that you re-submit the idea.