There is a setting in Agent roles that allows agents to modify groups and organisations.
When checked, an agent can add an end-user to an organisation (useful for larger customer care teams in big companies, e.g. B2B support).
But toggling this option also allows an agent to change who is in a specific group. Including him/herself.
Let's imagine the following scenario:
- Company X has the following departments in Zendesk: Customer Care, Finance and HR.
- Customer Care is public facing B2B
- HR is internal employee support on the same instance
- They offer B2B support with a heavy focus on Organizations, VIP levels and Guide segmentation.
Agent A is part of the Customer Care team and can only see tickets for his/her groups.
Since Company X gives B2B support, Agent A needs to be able to add users to organisations so they can get specific support, see specific Guide articles, etc.
So far, a logical Zendesk setup.
Agent A can add himself to the HR group thanks to that toggle. He can see tickets from his colleagues and see personal information about others.
Or Agent B can add himself to the Finance group and see info about invoices, transactions, etc., which is also not really within his allowed scope.
We can prevent this by unchecking the permission. But then our agent cannot change end-user profiles and organisations.
The fact that Agent A can add himself to a group he does not belong to is a problem.
One would assume we can detect this action. But, group changes are not part of the Enterprise Audit log. So not only do we have a data breach, it's also impossible to detect it.
Am I wrong that this is weird behaviour? Or am I missing something obvious that would prevent this from happening?
One solution would be to have two checkboxes, one for ORG, one for GROUPS.
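Since group-membership changes do not appear in the audit log, one compensating control is to poll group memberships on a schedule and diff them against an allow-list of expected memberships. The script below is an added example, not code from the original post or from Zendesk; the record shape (`user_id`, `group_id`) is assumed to resemble the `group_memberships` API output, and all users, groups and memberships in it are constructed for illustration.

```python
# Added example (not from the original post): flag agents who appear in groups
# outside their expected scope, compensating for the missing audit-log entries.
# Record shape is an assumption modelled on the Zendesk group_memberships API;
# every value below is constructed sample data.
from typing import Dict, List, Set, Tuple

# Constructed allow-list: which agents are expected in which groups (by name).
EXPECTED_MEMBERSHIP: Dict[str, Set[str]] = {
    "agent_a@example.com": {"Customer Care"},
    "agent_b@example.com": {"Customer Care"},
    "hr_lead@example.com": {"HR"},
}

# Constructed lookup tables and a snapshot taken after a polling run.
GROUP_NAMES = {101: "Customer Care", 102: "Finance", 103: "HR"}
USER_EMAILS = {1: "agent_a@example.com", 2: "agent_b@example.com",
               3: "hr_lead@example.com"}
SNAPSHOT: List[dict] = [
    {"id": 1, "user_id": 1, "group_id": 101},
    {"id": 2, "user_id": 1, "group_id": 103},  # Agent A added to HR
    {"id": 3, "user_id": 2, "group_id": 101},
    {"id": 4, "user_id": 2, "group_id": 102},  # Agent B added to Finance
    {"id": 5, "user_id": 3, "group_id": 103},
]


def memberships_by_user(snapshot, group_names, user_emails) -> Dict[str, Set[str]]:
    """Collapse membership records into {agent_email: {group names}}."""
    result: Dict[str, Set[str]] = {}
    for rec in snapshot:
        email = user_emails.get(rec["user_id"], f"user:{rec['user_id']}")
        group = group_names.get(rec["group_id"], f"group:{rec['group_id']}")
        result.setdefault(email, set()).add(group)
    return result


def find_unexpected(actual, expected) -> List[Tuple[str, str]]:
    """Return (agent, group) pairs present in the snapshot but not allow-listed."""
    findings = []
    for email, groups in sorted(actual.items()):
        allowed = expected.get(email, set())  # unknown agents: nothing allowed
        for group in sorted(groups - allowed):
            findings.append((email, group))
    return findings


def audit(snapshot=SNAPSHOT) -> List[Tuple[str, str]]:
    actual = memberships_by_user(snapshot, GROUP_NAMES, USER_EMAILS)
    return find_unexpected(actual, EXPECTED_MEMBERSHIP)


if __name__ == "__main__":
    for email, group in audit():
        print(f"ALERT: {email} is in group '{group}' outside expected scope")
```

Run it from a scheduled job against a fresh snapshot and alert on any finding; the allow-list is the source of truth the audit log cannot currently provide.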