Business stakeholder role allows user to modify incident values

Ty Steels · ‎12-09-2022

We notice that users with just the Business Stakeholder role can modify the values for incident fields like Category/Subcategory, Assignment Group, States, and more if they are the "Caller" (listed in that field). If they aren't the Caller, the entire incident ticket is read only, which is expected behavior. Has anyone else seen this occur and what actions did you take?

RaghavSh · ‎12-09-2022

@Ty Steels this is because of write ACLs on incident table which allow the caller to edit incident fields. The callers are usually end users so the acls are independent of roles.

No actions needs to be taken on this unless your org has some special requirements as callers should have write access to certain fields irrespective of roles. Callers even have access to resolved incident (state field) usually so that they can reopen the incident if not satisfied with the solution.

Raghav
MVP 2023

View solution in original post

RaghavSh · ‎12-09-2022

@Ty Steels this is because of write ACLs on incident table which allow the caller to edit incident fields. The callers are usually end users so the acls are independent of roles.

No actions needs to be taken on this unless your org has some special requirements as callers should have write access to certain fields irrespective of roles. Callers even have access to resolved incident (state field) usually so that they can reopen the incident if not satisfied with the solution.

Raghav
MVP 2023

Ty Steels · ‎12-10-2022

Makes sense. Our organization isn't large enough to warrant modifying ACLs to stop users with business_stakeholder role from modifying their own incident ticket. We will address this with training.

Thank you very much for the information!