Creating a new Support agent should not automatically give Explore access.

3 comments

  • Andrew Forbes
    Zendesk team member

    Hey Dan,


    Wanted to let you know that this is available today, albeit a little hidden. I will bring your concern up with our team and we will have a discussion around changing this default.


    To adjust these settings today, you can do so from the Explore admin page:

  • Dan Ross
    Community Moderator

    Hey Andrew,

    Thanks for this. I've updated to No Access. It only solves half the puzzle though, and stops the permission from being assigned to NEW accounts.

    There is still the issue of Editor level permission being given automatically to any agent profile viewed by an admin, without admin consent to enable this being needed.

    ---Here's an example of how this presents a problem for an enterprise---

    Let's say I have Agent X, who has been with the Company for two years. Agent X is amazing at providing support to the Company's users, but their role does not require access to reporting. In fact, there's sensitive data from other teams that Agent X doesn't and shouldn't have access to.

    As an admin, I open Agent X's profile to make changes to their Group; they've been promoted to the 'Level 2' agent group, but nothing else should be changed.

    Just by opening Agent X's profile, the Explore toggle is set to active and Editor level permission is given. No prompt appears asking if I want to allow this access, Zendesk just does it for me, in spite of my Default Explore Role being set to 'No Access'.

    This unannounced 'feature' now has caused Agent X to be able to access our reports and see data not meant for their eyes, because no one noticed the Explore toggle slide over when changing Agent X's groups.

    In fact, Agent X could even edit those reports because of the generous permissions given by Zendesk by default, and such alterations would not be obvious to admins or other users because the query management in Explore doesn't show who last edited a report, just a date it was last edited. The Company's data is now inaccurate and important decisions may be made off this altered data because of poor access management.

    --End example--

    Please consider removing this behaviour and respect the settings in the Default Role config in Explore. No Access should mean No Access by default. Zendesk is a company that likes to pride itself on helping to support ITIL practices, but this totally disregards ITIL access management processes.

    We should be able to have users go through a proper access management process (like the example below) to get access to a feature or tool, not just giving it to them with elevated permissions because someone looked at their account.

    Process Activities of Access Management

  • Justin Federico



