Utilizamos cookies para intentar brindarle una mejor experiencia en Freshdesk.
Si desea saber más sobre el tipo de cookies que utilizamos y sobre los motivos y cómo las usamos, lea nuestra Política de privacidad. Si no le gustan las cookies o está a dieta, también puede desactivarlas por completo. Solo tenga en cuenta que en Freshdesk nos encantan las cookies (sobre todo las de chocolate), y que algunos apartados de Freshdesk podrían no funcionar correctamente si las desactiva.
También daremos por hecho que acepta y está de acuerdo con la manera en que usamos las cookies, tal como se describe en nuestra Política de privacidad, a menos que decida desactivarlas por completo a través de su navegador.
We are proposing an update to the privilege control system to introduce a new or extended privilege for the “Add Master Profile” functionality. This update is necessary to address several critical security risks, including:
Unauthorized changes to guest data
Potential for fraudulent billing manipulation
Missing or inaccurate audit trails
Current Issues Observed:
Users are able to modify the master guest profile even if they don’t have the “Change Guest Profile” privilege assigned, leading to unauthorized updates.
When selecting Add Master Profile during booking, users can input new details, and the Save button becomes enabled, even without the necessary privilege.
Clicking Save does not create a new profile; instead, it overwrites the existing master guest profile.
The audit trail incorrectly logs the action as Add Guest Profile as a New Guest Added, without showing the details of the old or new guest.
1 Votos
1 Comentarios
Community Lead publicado 20 días hace Administrador
Hello,
Thank you for sharing this detailed suggestion and highlighting the potential security and audit concerns.
We truly appreciate the effort taken to explain the scenario and the impact around guest data integrity, billing accuracy, and audit trail consistency.
We have reviewed the request regarding enhancement to the “Add Master Profile” privilege control and understand the importance of strengthening access control and improving audit transparency.
At this moment, we do not have immediate plans to implement this change. However, we have noted your feedback and shared it with our Product team for future evaluation as part of our ongoing security and permission framework enhancements.
If this enhancement is taken up in future releases, we will certainly keep you updated through the community.
Thank you once again for your valuable input and for helping us improve the platform.
Kind regards,
YCS Community Lead
0 Votos
Iniciar sesión para publicar un comentario