Case Activity Assignment Restriction
Overview:
We have had a few security complaints from a few clients using cases. They mistakenly assigned an activity to a contact who was not supposed to see the details of the activity.
How it works right now
Currently, a user can create and assign an activity to any CiviCRM contact. This in turn sends an email notification to the assignee. However, some users have reported that they mistakenly assigned activities to contacts with similar names, which meant that someone who should not have access to any details of the activity got a link stating some basic details of the activity.
Although the contact who received the email wasn't a CiviCRM user, and so could not log in and edit the activity, even some basic details acted as a security breach in this case, as the table in the email already revealed more about the activity.
New Implementation:
We want to add the ability to restrict the assignment of case activities to a group.
Points to note- (UPDATED ON 07/01 to have this setting on the case type)
- This can live in the case type settings, i.e. the user can define, per case type, which group an activity can be assigned to (civicrm/a/#/caseType/n where 'n' is the ID of the case type)
- We can have 2 options for the field "Case activity assignment to" - 1. All Users (DEFAULT) 2. Restricted by group
- On selecting 2. - the user will be able to select a group
- Once a group is selected, the user will only be able to assign a case activity to contacts within the selected group
- If an activity from outside cases is "Filed" on a case, and the assignee is not a part of that group, there should not be any new notifications going to the assignee (this already works this way, i.e. no notifications are sent to the assignee on filing an out-of-case activity to a case)
Feel free to reach out to me on Mattermost if you need any clarifications.
Thanks
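
One way to enforce the restriction on the server at save time, so that the email is never sent to a contact outside the group even if the form-level filter is bypassed. This is an added example, not part of the original post and not CiviCRM code: the setting keys (`mode`, `group_id`), the function names and the in-memory membership map are hypothetical, and rejecting the save and failing closed are assumptions.

```php
<?php
// Added example: hypothetical names throughout, not CiviCRM's own code.
const ASSIGN_ALL_USERS = 'all_users';            // option 1 (default)
const ASSIGN_RESTRICTED = 'restricted_by_group'; // option 2

/**
 * Split requested assignee contact IDs into allowed and rejected.
 * $setting is the per-case-type setting: ['mode' => string, 'group_id' => int|null].
 * $groupMembers maps group ID => contact IDs (stand-in for a real membership lookup).
 */
function filterAssignees(array $setting, array $requested, array $groupMembers): array {
  if (($setting['mode'] ?? ASSIGN_ALL_USERS) !== ASSIGN_RESTRICTED) {
    return ['allowed' => array_values($requested), 'rejected' => []];
  }
  // Assumption: fail closed. Restricted mode with no usable group allows nobody.
  $members = $groupMembers[$setting['group_id'] ?? -1] ?? [];
  return [
    'allowed' => array_values(array_intersect($requested, $members)),
    'rejected' => array_values(array_diff($requested, $members)),
  ];
}

/**
 * Contacts to email for a saved case activity. Rejects the save outright if
 * any assignee is outside the group, so a form bypass cannot leak details.
 */
function notificationRecipients(array $setting, array $assignees, array $groupMembers, bool $filedOnCase): array {
  if ($filedOnCase) {
    return []; // filing an existing activity on a case sends no new notification
  }
  $check = filterAssignees($setting, $assignees, $groupMembers);
  if ($check['rejected']) {
    throw new InvalidArgumentException(
      'Assignee(s) not in the permitted group: ' . implode(', ', $check['rejected'])
    );
  }
  return $check['allowed'];
}

// Constructed sample data: group 7 is the permitted group for this case type.
$groupMembers = [7 => [101, 102]];
$restricted = ['mode' => ASSIGN_RESTRICTED, 'group_id' => 7];

var_dump(notificationRecipients($restricted, [101], $groupMembers, false));
var_dump(notificationRecipients(['mode' => ASSIGN_ALL_USERS], [101, 555], $groupMembers, false));
var_dump(notificationRecipients($restricted, [555], $groupMembers, true));
try {
  notificationRecipients($restricted, [101, 555], $groupMembers, false); // 555: similar name, wrong contact
} catch (InvalidArgumentException $e) {
  echo $e->getMessage(), PHP_EOL;
}
```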