
Shared participants can access customer's JSM profile on portal.

Kamlesh Panchal April 12, 2024

1. Customer created a ticket.
2. Agent replied to that ticket.
3. Customer replied via email including external vendor.
4. External vendor replied on that ticket.
5. Agent replied on the ticket.
6. Now, customer and external vendor both received email but if I check the recipients, in customer's inbox, the email (sent on step#5), external vendor's email address is missing.
Also, when checked external vendor's inbox, customer's email address as recipient is missing.

This is not expected behavior.

Now, after the 5th step, if the customer needs to reply to the ticket, they will have to manually add the external vendor while replying, and vice versa for the external vendor.

Now, when external participants receive the email, there is a link, View Request. It redirects the external user to the JSM customer portal, which is actually the customer's logged-in session.

This is a privacy/security-critical issue. The external vendor can change profile details, although a password change seems challenging, as the external user would not know the current password, and if the external user clicks on reset password, the link email goes to the customer.

But still, this is a breach of security.

1 comment

Milad S_ April 14, 2024

Hi Kamlesh,

Regarding "Customer replied via email including external vendor.",

I assume, given your configuration on customer permission, this step made the External Vendor a Request participant; hence, the user will have access to the ticket, receive notifications, etc. 
If you select the following setting, existing customers can create new users or add them to the project by cc'ing their emails in the reply.

CleanShot 2024-04-15 at 09.55.21.png

I guess it is up to you to decide whether you want the External Vendor added to the ticket, and you can change this setting accordingly.


Regarding "Now, customer and external vendor both received email but if I check the recipients, in customer's inbox, the email (sent on step#5), external vendor's email address is missing. Also, when checked external vendor's inbox, customer's email address as recipient is missing.",

These emails you are referring to (in step 5) are notifications. In other words, the Reporter and the Request Participant received an email notification upon a comment added to the ticket.


Regarding "Now, after the 5th step, if the customer needs to reply to the ticket, they will have to manually add an external vendor while replying and vice versa for an external vendor."

No, that is not the case. Any reply will add a comment and, as a result, generate an email notification to all customers involved. A customer can see who will receive emails from the email, as shown below (this is a default setting; however, you can control how and where to show the recipients).

CleanShot 2024-04-15 at 10.04.26 .png

I also struggle with some customers who are very used to the way email works. Even if I tell them that all customers involved will receive an email notification, they still cc a user, which causes the other user to receive two emails (i.e., an email notification as a result of the comment and an email as a result of being cc'd in the reply).


 

I hope this helps. I am not defending how JSM email notification is designed or works; I am just describing it as I have encountered this question before.

 

Kind regards,

Milad
