User able to view an incident without having required access

SubramaniP
Tera Contributor

Hi SN Developers,

I noticed a scenario where a user was able to view an incident that is associated with a different company, even though the user is not part of the incident (not the caller, requester, or listed on the record).

I impersonated the customer user and confirmed that the user has access only to the CSM Portal and is restricted to viewing related cases only.

At a later point, the user was no longer able to access the incident; however, the initial visibility raises a concern around unintended cross-company access.

Could you please advise:

  • Is this a bug, or is this expected behavior?

  • And whether any ACLs, user criteria, or sharing rules could allow this access.

Please advise. Thanks.
