Users can merge agent records without contact information permission

Description

Users are able to merge two agent records without permissions to the entire agent record, causing data loss issues. I was merging two agent records with links to two different repositories. I did not have the permission set to view contact information in one of the repositories so deleted that contact information accidentally when I merged the two records because it didn't display on the merge screen or the preview screen.

Environment

None

Activity

Show:
Christine Di Bella
September 10, 2020, 6:02 PM

Merging agents is already a distinct permission and, like viewing contact details, can be added or removed from the permissions for a user/permission group. A system administrator or other person responsible for managing permissions should work with you to determine under what conditions a user should have one or both of those permissions.

Elizabeth Roke
September 10, 2020, 8:03 PM

Understood. My concern is that it is possible to merge an agent without having the permission to see contact information. If a user with the merge agent permission merges two entities with a contact detail permission in one repository but not the other, there is a possibility that data can/will be overwritten accidentally. I am suggesting that having these permissions function separately from each other may lead to data loss and perhaps should be tied together…i.e. merge permissions should require contact detail permissions since a merge permission necessarily has to edit/touch the contact details.

Randy Kuehn
November 11, 2020, 1:10 PM

Dev Pri reviewed this ticket and is recommending passing it with the consideration that if agent contact details will be lost in merger and user does not have permissions to view, block the merger

Assignee

Mark Cooper

Reporter

Elizabeth Roke

Priority

Minor