Question

Can I have customer-facing teams and internal teams with potentially sensitive tickets, such as Human Resources (HR) or Legal, work within the same Zendesk account?

Answer

Zendesk allows all agents to view all tickets unless you specify otherwise. Therefore, it's possible to use the same Support account for both customer-facing agents and internal agents. There are several privacy risks that you should consider, especially if the customer-facing agents will submit tickets to the internal team's agents as requesters. To prevent agents from accessing tickets assigned to certain groups, modify their role permissions.

  • Restrict agents to groups
  • Pros and cons of using a single Support account
  • Pros and cons of using separate Support accounts

Restrict agents to groups

On the Enterprise plans, designate a group as private to ensure that agents outside of the group can't access tickets assigned to it.


Agents who don't have access to a ticket in a private group can't view it or search for it. Moreover, you can restrict the access of the agent requester, as an end user, to private comments or agent-only fields in the ticket.

If your account plan doesn't offer private groups, add agents to groups and restrict agents to only view tickets within their groups.


For more information on restricting agents' ticket access to groups, see the article: Creating private ticket groups and granting agents access.

Using the agent's role and group access to restrict their ticket access to tickets within their groups has the following limitations:

  • If an agent needs to access tickets across multiple groups, they must be a member of all the necessary groups. When agents reassign a ticket outside of their groups, they can no longer access the ticket.
  • Adding an agent as a CC on a ticket will grant them access to the ticket within the Support interface. This is expected behavior even if the CC’d agent does not belong to the ticket group.
  • If an agent submits a ticket to an HR group as the requester, the agent is able to see all ticket fields and internal comments. This may be problematic if the assigned HR agent needs to add sensitive information about the requester.
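
The CC and requester limitations above can be checked over exported ticket data. The following is an added example, not Zendesk's code; the record fields, agent names, and group names are constructed for illustration and are not the Zendesk API schema.

```python
from dataclasses import dataclass, field


@dataclass
class Ticket:
    # Hypothetical record shape for an exported ticket (not the Zendesk API schema).
    id: int
    group: str
    requester: str
    ccs: set = field(default_factory=set)


# Constructed sample: agent -> groups they belong to. Every agent here is assumed
# to be restricted to tickets within their groups.
AGENT_GROUPS = {
    "alice": {"HR"},
    "bob": {"Support"},
    "carol": {"Support", "Billing"},
}

# Constructed sample tickets.
TICKETS = [
    Ticket(1, "HR", "customer@example.com"),
    Ticket(2, "HR", "bob"),                                   # agent is the requester
    Ticket(3, "HR", "customer@example.com", {"carol"}),       # non-member agent CC'd
    Ticket(4, "Support", "customer@example.com", {"carol"}),  # CC'd agent is a member
]


def audit(tickets, agent_groups, sensitive_groups):
    """Return (ticket_id, agent, reason) for each agent outside a sensitive
    group who can still reach one of its tickets as a CC or as the requester."""
    findings = []
    for t in tickets:
        if t.group not in sensitive_groups:
            continue
        for agent, groups in sorted(agent_groups.items()):
            if t.group in groups:
                continue  # group member: access is intended
            if agent in t.ccs:
                findings.append((t.id, agent, "cc"))
            if agent == t.requester:
                findings.append((t.id, agent, "requester"))
    return findings


if __name__ == "__main__":
    for finding in audit(TICKETS, AGENT_GROUPS, {"HR"}):
        print(finding)
```
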

Pros and cons of using a single Support account

Pros:

  • One interface to manage all groups and departments.
  • Easier SSO configuration.
  • Some existing business rules, apps, and administrative settings can be reused.
  • Centralized reporting for all ticket activity.
  • Consolidate internal knowledge within one help center.
  • You can enable agents to manage and submit requests from the help center, simulating certain parts of the end user experience.

Cons:

  • If you are on the Professional, Growth, or Team plan, all agents have access to internal comments and agent-only ticket fields. If an agent submits a ticket to HR, they will be able to see all ticket fields and internal comments on their own ticket.
  • If a restricted agent is added as a CC or follower to a ticket, the agent will gain access to that ticket regardless of their group.
  • All admins have access to all data within the HR account.
  • Maintenance of groups and custom role restrictions can become unwieldy.
  • Zendesk cannot “nest” custom roles.
  • To enable non-HR agents to see all tickets except HR tickets, they may need multiple groups.
  • SLA for the first reply time doesn't apply to tickets created by non-HR agents.

Pros and cons of using separate Support accounts

Pros:

  • Non-HR agents don't have access to agent-only ticket fields and internal comments in the HR account.
  • Sensitive data remains private when the HR agent uses an internal note.
  • HR and non-HR workflows remain completely separate.
  • More flexibility for custom role permissions in both accounts, rather than requiring the “All within their groups” ticket access permission.

Cons:

  • This option requires two Zendesk accounts.
  • SSO (Single Sign-On) maintenance may be more complex because your SSO platform would need to be connected to multiple instances.
    • For example, in account A your user might be an agent, but in account B the same user might be an end user.
  • Some integrations may not function in multiple accounts.
    • For example, a JIRA integration cannot integrate with two separate Zendesk accounts.
  • End users must use separate help centers to manage their requests and view content. Some training may be required to help users differentiate between the two help centers if they use both accounts.