We use cookies to try and give you a better experience in Freshdesk.
You can learn more about what kind of cookies we use, why, and how from our Privacy policy. If you hate cookies, or are just on a diet, you can disable them altogether too. Just note that the Freshdesk service is pretty big on some cookies (we love the choco-chip ones), and some portions of Freshdesk may not work properly if you disable cookies.
We’ll also assume you agree to the way we use cookies and are ok with it as described in our Privacy policy, unless you choose to disable them altogether through your browser.
We are proposing an update to the privilege control system to introduce a new or extended privilege for the “Add Master Profile” functionality. This update is necessary to address several critical security risks, including:
Unauthorized changes to guest data
Potential for fraudulent billing manipulation
Missing or inaccurate audit trails
Current Issues Observed:
Users are able to modify the master guest profile even if they don’t have the “Change Guest Profile” privilege assigned, leading to unauthorized updates.
When selecting Add Master Profile during booking, users can input new details, and the Save button becomes enabled, even without the necessary privilege.
Clicking Save does not create a new profile; instead, it overwrites the existing master guest profile.
The audit trail incorrectly logs the action as Add Guest Profile as a New Guest Added, without showing the details of the old or new guest.
1 Votes
1 Comments
Community Lead posted 18 days ago Admin
Hello,
Thank you for sharing this detailed suggestion and highlighting the potential security and audit concerns.
We truly appreciate the effort taken to explain the scenario and the impact around guest data integrity, billing accuracy, and audit trail consistency.
We have reviewed the request regarding enhancement to the “Add Master Profile” privilege control and understand the importance of strengthening access control and improving audit transparency.
At this moment, we do not have immediate plans to implement this change. However, we have noted your feedback and shared it with our Product team for future evaluation as part of our ongoing security and permission framework enhancements.
If this enhancement is taken up in future releases, we will certainly keep you updated through the community.
Thank you once again for your valuable input and for helping us improve the platform.
Kind regards,
YCS Community Lead
0 Votes
Login to post a comment