I have installed the universal request and universal request integration for incident management plugins on my PDI to mess around with but I'm not fully understanding how the restrict functionality works.

What I'm getting from the documentation is that to be able to view or edit a restricted incident/UR, you must have the sensitiveinfo_agent role and be part of the current assignment group, or be the primary ticket agent.

In my PDI, I have a test incident and I am impersonating a user who does not have the sensitiveinfo_agent role, is not part of the current assignment group for the incident and is not the primary ticket agent. The incident and UR have been restricted but I can still see and edit the short description, description etc.

What am I missing?

Thanks