I have been doing some security testing today, and I noticed a weird trait of the CRM security model. Here is the scenario:
User 1 is in the Practice Management business unit with the practice management user security role (meaning he can see notes and activities from other business units).
User 2 is in the Field Development business unit with the user security role (meaning he can only see his own notes and activities).
If user 2 owns a contact and adds notes and activities to it, he can see those notes and activities – good.
If user 1 owns a contact and adds notes and activities to it, he can see those notes and activities, but user 2 can only see user 1’s contact (not the notes and activities) – good.
If user 1 adds activities to user 2’s contact, user 2 cannot see those activities – good.
If user 1 adds notes to user 2’s contact, user 2 can see the notes even though user 2 has user read permission on notes – bad.
If I assign user 2’s contact to user 1, user 2 can no longer see user 1’s notes on that contact but can still see his own notes – good.
This seems like a flaw in the security model. Activities behave as expected in that the owner of the activity determines who can see it depending on security roles and business units.
Notes, on the other hand, seem to use the parent record’s owner to determine who can see it instead of using the owner of the note.
Has anyone else come across this scenario? Is it by design that notes do not use the note owner when determining visibility?