>

Unauthorized Users Receiving Incident Links via Email Notifications

Comments

4 comments

Date Votes
  • Megan Fontenot

    Hayley Burkhardt for reference or additional context if needed. 

  • Vernica Lodha

    Hi both. Just a clarification - how did Megan receive the email with this information about an incident? Need more info of what you mean by - “Trigger or receive an incident-related email notification tied to restricted content.”

  • Vernica Lodha

    You clicking on the link and not being able to see the content means there is no potential security breach because you cant access the incident in question. The messaging could definitely be better but i would not treat that as priority. Hence the need to find out how you even receive this email unless someone explicitly shared it with you?

  • Hayley Burkhardt

    Vernica Lodha — Megan’s role was updated so she can only see items she owns. For this test, I added her User Group onto the incident. That User Group assignment is what triggered the email, even though she still can’t view the incident itself since she isn’t an owner.

    I agree this isn’t a security breach, but it is a notification/communication issue. If User Groups don’t grant visibility like Departments or Owners, then they shouldn’t trigger incident emails for users who ultimately can’t open the record. Otherwise users receive links they can’t act on, which is confusing and feels inconsistent. 

Please sign in to leave a comment.