ServiceDesk

  • 1.  Anyone seen this before?

    Posted Mar 31, 2011 03:45 AM

    Hello,

    We have noticed a problem behaviour on several SD-installations and would like to know if any of you have seen this before and/or know what to do about it?

    As a user without admin rights, I can still administrate other users if I go into Tickets (for example), open up the process view page of an incident and under All Contacts click on the name of the submitter. This way all the information about the user will be displayed and I will be able to click on the "arrow" in order to edit the user. Here I can do all the editing of the user that an admin only normally should be able to do!

    Many thanks for your feedback!

    Julia



  • 2.  RE: Anyone seen this before?

    Posted Mar 31, 2011 07:16 AM

    Hey Julia,

    Check out the List Permission dialog under Admin\Users. There is one permission in particular that is called something like Manager.Users, which Support II group is in by default. Let me know if you can't find it and I'll get the details.

    Cheers.



  • 3.  RE: Anyone seen this before?

    Posted Mar 31, 2011 07:43 AM

    But if you do that, I believe that it prevents them from creating new contacts, in case they get a caller that doesn't already exist.

    I got around it somewhat by removing the menu entries in the portal, and then creating a Workflow on the advanced form to let them create new contacts, and instructed everyone not to edit any contacts, in case they found the 'backdoor way' in.



  • 4.  RE: Anyone seen this before?

    Posted Mar 31, 2011 09:30 AM

    'AccountManagement.User.Modify' is the permission that allows you to edit a user's details.  If you aren't given this permission you can still access the account details as this is a different permission.

    However... if you don't have the modify permission and you attempt to edit user details you will get the warning "User doesn't have one or all of these permissions ('AccountManagement.User.Modify')." at the top of the window but the problem is that it still saves the changes.

    This is similar to the issue with a page with the 'allow user personalization' setting enabled e.g. add a web part etc.  If they view the properties of the page they are able to make changes e.g. to the tab name, whether or not it is enabled, the template etc.  If they click save a similar message to the one above is displayed but the changes are still saved!

    I had the situation where users were changing the name of my tabs to some rather rude (but also humorous) titles.  The only solution was to take away their ability to do user personalization.

    I don't know if this is plugged in 7.1 but it isn't in the release notes.

    Edit: I reported both of these to Symantec via my partner some time ago.

    Ryan
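
The behaviour reported in post 4, a permission check that shows a warning but does not stop the save, modelled next to the enforced form; this is an added example, not part of the post and not ServiceDesk code. All class and function names and the sample record are hypothetical; only the permission string and the warning text come from the thread.

```python
# Constructed model of the reported behaviour; not ServiceDesk code.
# Names are hypothetical. Only the permission string and the warning
# text are taken from the thread.
from dataclasses import dataclass, field

MODIFY = "AccountManagement.User.Modify"


class PermissionDenied(Exception):
    """Raised when the caller lacks the permission a write requires."""


@dataclass
class Session:
    name: str
    permissions: frozenset = frozenset()
    messages: list = field(default_factory=list)  # banners shown to the user


def save_user_warn_only(session, store, user_id, changes):
    """Flawed pattern: the check only produces a banner, then the write runs."""
    if MODIFY not in session.permissions:
        session.messages.append(
            f"User doesn't have one or all of these permissions ('{MODIFY}').")
    store[user_id].update(changes)  # executes regardless of the check result


def save_user_enforced(session, store, user_id, changes):
    """Corrected pattern: a failed check aborts before any state changes."""
    if MODIFY not in session.permissions:
        raise PermissionDenied(MODIFY)
    store[user_id].update(changes)


def demo():
    """Run both handlers as a caller without the modify permission."""
    caller = Session("support-user")  # constructed: holds no permissions
    flawed = {"u1": {"email": "submitter@example.test"}}  # constructed record
    fixed = {"u1": {"email": "submitter@example.test"}}
    change = {"email": "changed@example.test"}
    save_user_warn_only(caller, flawed, "u1", change)
    try:
        save_user_enforced(caller, fixed, "u1", change)
        denied = False
    except PermissionDenied:
        denied = True
    return flawed["u1"]["email"], fixed["u1"]["email"], denied, caller.messages


if __name__ == "__main__":
    print(demo())
```

A regression test for this class of bug asserts on the stored record after the denied request, not on whether a warning was displayed.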



  • 5.  RE: Anyone seen this before?

    Posted Apr 01, 2011 07:23 AM

    Do you know if there is a bug id or something similar for this? I have also reported it to Symantec.



  • 6.  RE: Anyone seen this before?

    Posted Apr 01, 2011 12:17 PM

    I haven't seen a reference but I can try to get hold of it.  I reported it through my partner who in turn would've passed it on to Symantec but I wouldn't have seen the details.  At the time I recall also speaking to the then EMEA Product Manager (who has since moved on) and he was going to take it forward.  Chances are it will have gone into the pot of things to be fixed but because it is related to product security it is unlikely to be announced or documented publicly ;)



  • 7.  RE: Anyone seen this before?

    Posted Apr 05, 2011 07:34 AM

    I have received feedback from Symantec that they have been able to reproduce this issue and that it has been escalated to their backline team. I'll let you know if we get a resolution provided :)