User able to view an incident without having required access
3 weeks ago
Hi SN Developers,
I noticed a scenario where a user was able to view an incident that is associated with a different company, even though the user is not part of the incident (not the caller, requester, or listed on the record).
I impersonated the customer user and confirmed that the user has access only to the CSM Portal and is restricted to viewing related cases only.
At a later point, the user was no longer able to access the incident; however, the initial visibility raises a concern around unintended cross-company access.
Could you please advise:
Is this a bug, or is this expected behavior?
And whether any ACLs, user criteria, or sharing rules could allow this access.
Please advise. Thanks.
Labels: Incident Management
3 weeks ago
Hi @SubramaniP
Just open that incident form, right-click on the header and go to Analyze Access.
Set Analyze by to User, provide the user who is able to access the incident, select the table and click Evaluate Access. You will get the info on why he was able to access it.
Happy to help!
To help others in the community find this solution, kindly mark this response as the Correct Answer and Helpful.
Warm Regards,
Deepak Sharma
Community Rising Star 2025

