Customers can see requests from other users in the portal


Still in the process of setting up JSM but I've come across something I can't find a setting for.

When a customer logs into the portal, as well as seeing their requests they have the option of seeing other tickets that other staff within the same organisation have submitted.

I need to turn this OFF.  We don't want staff seeing the tickets that other staff within the organisation have submitted because those tickets could have confidential information.

Could you tell me where this setting is please?

Paul

2 answers

@paulcreedy 

There are only two ways to do this:

1: The person in the organization who opened the ticket must choose NOT to share with the organization. When opening a ticket through the portal, if you belong to an organization, Jira will ask if this ticket is PRIVATE or shared with the organization.

2: If the person opened the ticket and shared it with the organization, but the ticket contains sensitive information and should not be shared, a Jira Service Management agent can remove the organization from the "Organizations" field in Jira. The Jira administrator just needs to add the "Organizations" field to the "Edit" and "View" screens.

Hope this helps.

Hi

The users that opened both tickets did it through email.

They are both in the same company, and they can both see each other's tickets without any sort of warning, and because it was done through email there were no options to select.

So I'm guessing and hoping that there is an option somewhere to stop users within the same organisation seeing each other's tickets, or some automation thing has kicked in causing the share to happen.

Without the ability to stop users seeing each other's tickets, this is going to be a show stopper for us. That option is just wrong on so many levels for privacy and data sharing.

Paul

Maybe the user didn't share the ticket with the organization they belong to, but when sending the email they added the second person in copy (CC:).

I would recommend that you review your email configuration to consider removing this feature.

Hiya

Thanks for your suggestions so far.

No, no one in the CC. These are test emails I'm doing with two separate users to observe the results.

Reviewing the email config to remove the feature is what I need to do, but I can't find where this particular setting is, if it's anywhere.

What I have discovered is that against the ticket, there is an organisation field with the company selected in there.  If I remove that company field the ticket disappears from the other users view.

Firstly this doesn't make sense that this field controls the sharing permission.  Both users are actually in the same company so it makes sense that the company field is populated to inform the agent which company that user is from regardless of the 'sharing' option.

So I'm going to guess there is a setting somewhere that says 'Users in the same organisation (based on that organisation field), can see each others tickets', and that needs to be disabled.

You should be able to set the organisation field against a user/ticket without tickets being shared between users in the same organisation.

I have no idea where that option may be though.

P

@paulcreedy 

No, no.

Unfortunately it doesn't work like that.

If both users are part of the organization, when opening a ticket and sharing with the organization, the other participants can also have access.

The only way for you to get the Organization without the ticket being shared with other users, would be to create a select list field with your organizations and guide or automate the filling according to the reporter.

But there's no way to use the "Organizations" field without automatically allowing it to share the ticket with the rest of the organization's participants.

That would be very disappointing if that is the case.

"If both users are part of the organization, when opening a ticket and sharing with the organization, the other participants can also have access."


That's the thing.  I've just done one through the portal and specifically said Share with NO ONE, yet because they are in the same organisation on the ticket they can see each others tickets.

Either there's a bug here or some screwy config setting is messed up somewhere.

If the same user, when opening through the portal, does not want to share with anyone, other users in your organization will not see the ticket. This is a fact. However, in the ticket you will also not have this user's organization filled in the field.

Please understand: If the "Organization" field has a value, this ticket is being shared with all users present in their organization. You can see a little more here: https://support.atlassian.com/jira-service-management-cloud/docs/what-are-service-project-customers-and-organizations/

Thanks Fernando

Unfortunately it is also a data breach if that truly is the case and it all hangs on whether the organisation field is filled in or not.

Example:

HR puts in a ticket to say that a member of staff is going to be dismissed, or is going on long term disability sickness, so IT can get ready to disable their accounts.  HR does NOT share the ticket with anyone because it's confidential.

When the ticket arrives, the 1st line agent adds the organisation of the user to the ticket so that other agents know which organisation that customer is part of.  Maybe they manage thousands of users some with similar names.

All other users of that organisation can now see the member of staff that is being dismissed, and possibly even why.

I can't believe that it all falls on that one field that mentions nothing about the ticket being shared with all other users in the same company.  From a 1st line perspective it's just a field that shows what organisation the user on the ticket is in.

That is a fundamental data breach of confidential user and company data if that is the case.

I'm hoping Atlassian support can confirm this is the case or not.

Connor Rising Star Aug 18, 2022

@paulcreedy I agree with you that the ability to share with the organization being based solely on the Organizations field is poorly thought out.

That said, it sounds like you might have the default for that field set to share with the organization. Go to Settings --> Products --> Organization management. Make sure the setting Should new requests automatically be shared with a customer's organization? is set to No, don't share email requests with the customer's organization. Requests sent from the portal will not be shared unless the customer selects otherwise.

If you want Atlassian to add the ability to hide the sharing option from the portal then add your vote to this issue: https://jira.atlassian.com/browse/JSDCLOUD-10908

Also the workaround described in this issue, https://jira.atlassian.com/browse/JSDCLOUD-4382, might be a viable option for you.

Hi Connor

I eventually found that option yesterday and it had 'some' effect.  I also found an automation that automatically populated the organisation field.

The end result is:

On ticket creation from email, the organisation field is empty, and the ticket is not shared with other staff.

On ticket creation through the portal, the sharing option is defaulting to 'No one', and the organisation field is empty, and the ticket is not shared with other staff.

So far so good, but.....

When the organisation field on the ticket is subsequently populated, the ticket is then shared with other staff without warning.

This is a field that has an implied purpose.  To specify which organisation the user of the ticket is a member of.  There is no other way on the ticket to see the organisation other than to populate that field.

To then also use that same field to share all the potential confidential information with every other member of staff without warning is absolutely WRONG.

This is a really really bad idea and one of the most stupid and hidden I've ever come across in a professional, paid-for product.  What is essentially happening here is a 'feature' is being controlled by a completely unrelated field that has another more legitimate purpose.  There should be a separate field for sharing, not lazily hijacking another field for its purpose.

A user populating the organisation field is also unknowingly allowing all other users in an organisation access to potentially confidential information.   This is a serious flaw in the product and would very likely be considered a data breach under UK and EU law.   

There is absolutely nothing to indicate that the ticket is about to be shared with the entire organisation.


[Screenshot attachment: Capture.PNG]

Connor Rising Star Aug 19, 2022

Yup I agree with you, associating a customer with an organization and sharing issues to all customers in an organization shouldn't be tied to the same field.
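The rule the thread arrives at is that a request is readable by every customer in an organization exactly when its "Organizations" field is populated, whether the reporter chose to share it, an agent filled the field in, or an automation did. The following is an added audit example, not code from the thread or from Atlassian: it models that rule over a constructed sample of issues shaped like the JSON Jira's issue search returns, lists the shared requests, and shows which requests a given portal customer can read. The custom field id `customfield_10002`, the organisation membership table, and the sample issues are assumptions for the example; fetching live issues from the REST API is left out so the script runs offline.

```python
"""Audit which JSM requests an entire organisation can read.

Added example, not code from the original thread or from Atlassian. Models the
thread's finding for Jira Service Management Cloud: a request is shared with
every customer in an organisation exactly when its Organizations field is
populated. Runs over a constructed sample; fetching real issues is left out.
"""
import json

# Assumption: id of the "Organizations" custom field on the example site.
ORG_FIELD = "customfield_10002"

# Constructed sample: three requests from one organisation, "Acme Ltd".
# ITSD-2 was raised in the portal with "Share with: No one", so its
# Organizations field is empty; ITSD-3 is the confidential HR ticket from the
# thread, whose Organizations field an agent filled in afterwards.
SAMPLE_ISSUES = json.loads(r'''
[
  {"key": "ITSD-1",
   "fields": {"summary": "Laptop keeps rebooting",
              "reporter": {"emailAddress": "bob@acme.example"},
              "customfield_10002": [{"id": "1", "name": "Acme Ltd"}]}},
  {"key": "ITSD-2",
   "fields": {"summary": "Password reset",
              "reporter": {"emailAddress": "carol@acme.example"},
              "customfield_10002": []}},
  {"key": "ITSD-3",
   "fields": {"summary": "Disable accounts for J. Smith (dismissal, confidential)",
              "reporter": {"emailAddress": "hr@acme.example"},
              "customfield_10002": [{"id": "1", "name": "Acme Ltd"}]}}
]
''')

# Constructed organisation membership (in JSM: Customers > Organizations).
ORG_MEMBERS = {
    "Acme Ltd": {"bob@acme.example", "carol@acme.example", "hr@acme.example"},
}


def organisations_of(issue, org_field=ORG_FIELD):
    """Organisation names in the field; a missing or null field counts as empty."""
    return [org["name"] for org in (issue["fields"].get(org_field) or [])]


def shared_requests(issues, org_field=ORG_FIELD):
    """Keys of requests the whole organisation can see: Organizations non-empty."""
    return [issue["key"] for issue in issues if organisations_of(issue, org_field)]


def visible_to(customer, issues, org_members=ORG_MEMBERS, org_field=ORG_FIELD):
    """Request keys a portal customer can read: their own requests, plus every
    request whose Organizations field names an organisation they belong to."""
    keys = []
    for issue in issues:
        own = issue["fields"]["reporter"]["emailAddress"] == customer
        via_org = any(customer in org_members.get(name, set())
                      for name in organisations_of(issue, org_field))
        if own or via_org:
            keys.append(issue["key"])
    return keys


def leaks(issues, org_members=ORG_MEMBERS, org_field=ORG_FIELD):
    """(key, reader) pairs where someone other than the reporter can read a request."""
    found = []
    for issue in issues:
        reporter = issue["fields"]["reporter"]["emailAddress"]
        for name in organisations_of(issue, org_field):
            for member in sorted(org_members.get(name, set())):
                if member != reporter:
                    found.append((issue["key"], member))
    return found


if __name__ == "__main__":
    print("Shared with organisation:", shared_requests(SAMPLE_ISSUES))
    print("Visible to bob@acme.example:", visible_to("bob@acme.example", SAMPLE_ISSUES))
    for key, reader in leaks(SAMPLE_ISSUES):
        print(f"{key} is readable by {reader}")
```

Run against real data, the same three functions apply to the JSON of a search such as `project = ITSD AND "Organizations" is not EMPTY`, which is the quickest way to enumerate every request that the Organizations field has already exposed before an agent or automation rule populates it on something confidential.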

DEPLOYMENT TYPE
CLOUD