Trusted Contributor
MATTYBME
Posts: 395

Customer Portal Users are able to Change Case Ownership!

There is probably a simple solution here but I need to ask.

We have given the Customer Portal Users Profile Edit permission on the Case Object so that they can add Comments and Attachments. However, it seems part of this Edit permission on the Case Object allows the CP User to change the Case Owner. This is a really bad security flaw.

I am going to write up an Idea that asks SFDC to make the Adding of Comments and Attachments a separate permission on the Profile. I understand the Edit permission on the Case Object allowing the CP User to edit things like Case Owner, but making Edit permission the only way a CP User can add a Comment or Attachment makes life rather complicated. It seems illogical that in order to stop a CP User from changing the Case Owner you also stop them from adding Comments and Attachments.

Does anyone have any tricks to allow Edit permission on the Case Object but stop the ability for them to change Case Owner?

Please vote up my Idea related to this: http://ideas.salesforce.com/article/show/10097733/Make_adding_Case_Comments_and_Attachments_seperate...

Message Edited by MATTYBME on 08-06-2009 10:54 AM
Super Contributor
werewolf
Posts: 3,520

Re: Customer Portal Users are able to Change Case Ownership!

Have you considered just removing the Case Owner field from the portal users' Case page layout?
Trusted Contributor
MATTYBME
Posts: 395

Re: Customer Portal Users are able to Change Case Ownership!

That would seem the obvious but because our internal business workflow demands that our Customers can see who is working on their Case at any one time we can't remove the ability for them to be able to see who the Owner is.
Trusted Contributor
Mark Silber
Posts: 402

Re: Customer Portal Users are able to Change Case Ownership!

You can make the field read-only on the Case page layout that is displayed to CP users. If it's read-only, the "Change" link isn't displayed next to the field.
Trusted Contributor
MATTYBME
Posts: 395

Re: Customer Portal Users are able to Change Case Ownership!

Another good suggestion but unfortunately something must override the PageLayout Read-Only on that field. The PageLayout assigned to the Profiles accessing the Portal has the Case Owner field set as Read-Only but when viewing the Case Detail page the Users can still edit that field. Unfortunately one cannot change the Field Accessibility for that field for the specific Profile and also one cannot edit the Case Field-Level Security on that Profile either. Stumped!
Trusted Contributor
Mark Silber
Posts: 402

Re: Customer Portal Users are able to Change Case Ownership!

That's strange. I just double-checked in some of our Customer Portals and when the field is read-only on the page layout, the portal user doesn't see the "Change" link and you can't change the value. The same is true for a normal Salesforce user -- if the Case Owner field is read-only on the page layout, they don't see the Change link either.
Trusted Contributor
MATTYBME
Posts: 395

Re: Customer Portal Users are able to Change Case Ownership!

It is weird for sure. It just doesn't make sense that the PageLayout says Read-Only for that field and the actual experience is the ability to change the Owner.

By the way, on those Portals that you tested, was the Profile's Permission set to Create and Edit on the Case Object?

Trusted Contributor
Mark Silber
Posts: 402

Re: Customer Portal Users are able to Change Case Ownership!

Yep - double checked that to make sure. Are you 100% sure the page layout you are seeing is the same one being used on the CP? Is the profile setup as a normal Customer Portal user or Portal Super User? I don't think that makes a difference in this case, but it might.
Trusted Contributor
MATTYBME
Posts: 395

Re: Customer Portal Users are able to Change Case Ownership!

Double, Triple and Quadruple checked. Just plain weird! And yes they are Portal Super Users. Thanks for pointing me in the right direction though because I then logged into the Portal from a User who is under a Profile that has the Portal Super User unchecked and they use the same Case PageLayout and they are NOT able to edit the Case Owner.

So Portal Super User is the culprit. Checking the Portal Super User overrides the PageLayout Field-Level Security setting of Read-Only on the Case Owner.

Any thoughts here Werewolf?

Super Contributor
werewolf
Posts: 3,520

Re: Customer Portal Users are able to Change Case Ownership!

That sounds like it may be worthy of a support case with Salesforce.com. I can see that issue with portal super users in my own org as well.

The only workaround I can think of is an Apex trigger that copies the name of the owner (which can be a queue or a user) into a custom field, and show that custom field on your page layout instead of the owner field.
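
The workaround described in the last reply, sketched as an added example (not code posted by anyone in the thread): a bulk-safe trigger that copies the owner's name, whether the owner is a user or a queue, into a display-only field. `Case_Owner_Name__c` is a hypothetical custom text field and `CaseOwnerNameCopy` is a hypothetical trigger name; the idea is to show that field on the portal page layout in place of Case Owner.

```apex
// Added example. Case_Owner_Name__c is a hypothetical custom Text field on Case.
trigger CaseOwnerNameCopy on Case (before insert, before update) {
    Set<Id> userIds = new Set<Id>();
    Set<Id> queueIds = new Set<Id>();
    List<Case> toStamp = new List<Case>();

    for (Case c : Trigger.new) {
        if (c.OwnerId == null) {
            continue;
        }
        // On update, skip records whose owner is unchanged and already stamped.
        if (Trigger.isUpdate) {
            Case oldCase = Trigger.oldMap.get(c.Id);
            if (oldCase.OwnerId == c.OwnerId && c.Case_Owner_Name__c != null) {
                continue;
            }
        }
        toStamp.add(c);
        // A Case owner is either a User or a Group of type Queue.
        if (c.OwnerId.getSObjectType() == User.SObjectType) {
            userIds.add(c.OwnerId);
        } else {
            queueIds.add(c.OwnerId);
        }
    }
    if (toStamp.isEmpty()) {
        return;
    }

    // One query per owner type, regardless of how many cases are in the batch.
    Map<Id, User> users = new Map<Id, User>(
        [SELECT Id, Name FROM User WHERE Id IN :userIds]);
    Map<Id, Group> queues = new Map<Id, Group>(
        [SELECT Id, Name FROM Group WHERE Id IN :queueIds AND Type = 'Queue']);

    for (Case c : toStamp) {
        if (users.containsKey(c.OwnerId)) {
            c.Case_Owner_Name__c = users.get(c.OwnerId).Name;
        } else if (queues.containsKey(c.OwnerId)) {
            c.Case_Owner_Name__c = queues.get(c.OwnerId).Name;
        }
    }
}
```

Case assignment rules run after triggers in Salesforce's order of execution, so if cases are routed by assignment rules, test that path in your org to confirm the copied name stays current.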