Insight permissions

Answered

6 Comments

  • Stephen Belleau

    Hi Yoram,

    My understanding is that as long as the agent's role permission for "What kind of tickets can this agent access?" is set to "All within this agent's group(s)", then even if they have access to insights (or even if they try to access data via the API!), they are still restricted by the role permission and can only see data for tickets in their groups. 

    Is that also what you have set for "What kind of tickets can this agent access?" Maybe I need to test this again, but I'm sure the role permission worked fine when we first set things up...

    0
  • Yoram Dagan

    Hi Stephen,

     

    I have the role set up that the agent cannot see anything outside of his group.

    As long as the agent's drill in doesn't lead the agent into Zendesk support interface he is able to see any insight and bypass the restrictions.

     

    This is validated with Zendesk. So in my case, the restricted agents can see for example any statistics about the tickets, classifications of issues, Organization issues (not comments)...

     

    This is a breach of security, I don't understand how was it allowed and how isn't it fixed.

     

    Thanks

    Yoram 

    0
  • Yoram Dagan

    BTW..

     

    This is the response I got from Zendesk via the chat:

     

    "I am afraid that once you allow access to agents, the can access all the reports....." 

    "I've been taking a look into your request and unfortunately the functionality you're looking for isn't possible with Zendesk products at this time"

     

    Got the following reference article from Zendesk

    https://support.zendesk.com/hc/en-us/articles/204116536-Understanding-and-restricting-user-permissions-in-Insights-Professional-and-Enterprise- "

    0
  • Stephen Belleau

    Interesting. That directly contradicts what I was told from Zendesk Support. They said everything in Insights revolves around the API, so if they can't access a ticket via API due to role permissions, they won't be able to view its data in Insights either.

    Hopefully we can get a product manager to chime in and clarify. This is definitely a huge security concern.

    0
  • Yoram Dagan

    Hi Stephen,

    So... the latest on this matter is that Zendesk does not support this level of security and they are not planning to change anything in the near future.

    "It was discussed internally and the functionality you are requesting is not planned to be  added in Insights"

    Any agent which is given an access to view "Insights" can view the entire reporting for all of the customers and groups.

    I am not sure that the GDPR regulations are kept and if you have European customers, you should consider checking this or think what information is populated in your custom fields which you report on.

    If you fill any personal information which should be accessed only by a specific group, then the GDPR regulation is not met (At least it is how I understand the regulation).

     

    Any case, very disappointing by Zendesk 

    Thanks

    Yoram 

    0
  • Amy Dee

    Hi Yoram! Hi Stephen! There are a lot of moving parts here. Hopefully I can help clear this up.

    The Insights data connector performs a series of incremental API calls as a system user with administrator credentials. It pulls recent data for each sync, then loads it into the data model. Insights uses that cached data to run reports. It does not call the API through individual agent permissions in real time.

    Insights is managed analytics project powered by GoodData. This means all Insights projects use the same data model template with the same template user permissions. There isn't a way to give individual users access to a restricted dataset to build reports. At this time, if an agent has permission to create reports, they can access all data in the model.

    If you'd like to give agents access to view reports with restricted permissions, it is possible on Enterprise accounts. You would need a custom agent role which includes "view only" access to reports. Agents with that role would be able to load Insights dashboards, but they would not be able to access individual reports or build their own content. From there, you could restrict dashboard permissions so the agents only see certain dashboards.

    You can also set up filtered variables with user-specific values. These variables dynamically filter reports based on who is viewing the report and what values are set in the variable. GoodData has more information, including a tutorial video, in their documentation: Define Filtered Variables. Variables are very hands-on and require some effort to set up and maintain, but they give you a lot of flexibility.

    Please note: variable filters only apply on reports where they are specifically added. This means agents with permission to create reports can still create reports that do not include the filter, which would allow them to see all tickets.

    With the way Insights is set up now, there isn't a good way to set up the sort of dynamic role restrictions you're describing. It would take a joint engineering effort and major platform overhaul. Right now, that project is not on the Insights roadmap.

    That said, we're currently working toward our own analytics platform - Explore - which will have more flexibility and a more complete integration with Zendesk Support. I don't have a lot of detail about these types of agent permissions at this stage, but this will definitely be valuable feedback for the Explore team.

    I hope this helps! Happy reporting!

    0

Post is closed for comments.

Powered by Zendesk