New Privilege Control for Add Master Profile

We are proposing an update to the privilege control system to introduce a new or extended privilege for the “Add Master Profile” functionality. This update is necessary to address several critical security risks, including:

• Unauthorized changes to guest data

• Potential for fraudulent billing manipulation

• Missing or inaccurate audit trails

Current Issues Observed:

• Users are able to modify the master guest profile even if they don’t have the “Change Guest Profile” privilege assigned, leading to unauthorized updates.

• When selecting Add Master Profile during booking, users can input new details, and the Save button becomes enabled, even without the necessary privilege.

• Clicking Save does not create a new profile; instead, it overwrites the existing master guest profile.

• The audit trail incorrectly logs the action as Add Guest Profile as a New Guest Added, without showing the details of the old or new guest.

0 Votos