Skip to main content

Hello IncidentIQ team!

 

Our school is currently weighing the pros and cons of giving parents and students direct access to IncidentIQ for ticketing, as we have previously only allowed tickets to be submitted through the guest submission portal, and followed up through email.

 

In investigating a way to grant login access to users while providing the least possible amount of permissions, we have noticed that users can look up other users’ assets through the “Add Favorite” button on the “My assets” navigation bar. Additionally, access through absolute URLs is not restricted either. This is not optimal, as a user with an account and a serial number or asset tag could potentially look up the status, ownership, and email credentials of another user, as well as other information we have synced from our MDMs (network details, last usage data, etc).

 

Ideally, we would like parents and students to only have access to the devices that are directly assigned to them, or to their children to aid with ticket submission. Are there any permissions we are missing, or options to lock the ability to add favorites?

 

No limitations on searching for assets.
A few details from IIQ/Intune that could be considered a PII risk.
Permissions granted for Student/Parent roles.

This looks to be a data leak.  How/why can a Parent find all of the assets?
😮 😳

@DLeyden 4909d0d pca Thank you for submitting your question to our community! 😄

I am currently looking into this with our development team! I will update you once I hear back from them with an update. 

@DLeyden 4909d0d pca While this has been submitted to our developers for review, it would be a workaround to direct parents to the quick ticket menu instead of the “My Assets” tab. 

You can set up a Quick Ticket for a generic student device (either model or model category), then set up your issue categories and issues. Additionally, you would need to add a custom field requiring them to enter their child’s asset tag. 

AD_4nXe6G-PdP2PTxIEXyZnrxxf4nFAKvwmeTi63gU3uPNNzgqFPAQZ776cns79NEdeKYUnP7YAo5zdrkSfKajm9rpXRvlTz4e-Q2iqiROvqdyDYOk0VXRXk34hvpVJm9gWBGtftxIa-KWtxyEVYqyYT1Psafq5q?key=1hliOgPswvGq-EhcJhigFg

The parents can then easily submit a ticket with the asset tag. The agent working on the ticket will copy and paste the asset tag to update the ticket with the proper asset.

@Jessica Adkins Thank you for the recommended workaround, but we can’t really implement the parent login until the ability for parents or students to add favorites has been restricted or addressed, as it constitutes too much of a DLP risk for our schools. We utilize asset information quite extensively for automation and information collection, as well as to selectively share information about assets to agents who do not have access to other systems, so restricting information flow into those assets is not an option either.

 

Our ideal implementation would be that parents would automatically have all of their students’ devices automatically populated as favorites when they log in, as we provide a small variety of devices and families often submit tickets about the incorrect asset. This causes complications between IncidentIQ and our inventory system, as we need to make manual corrections when a family sends back a device that’s assigned to a different student, or is mistaken about which device belongs to which student when one student withdraws and the another remains with the school.

 

If this issue does get addressed, implementing quick tickets is a great idea though 🙂. Please keep us posted on this, as we have a very tight time window to implement any broad changes while students are out for the summer!

@DLeyden 4909d0d pca I completely understand, and we will definitely keep you updated!

@Jessica Adkins Can we please get an update?

I went ahead and created an idea for this thread; we are working on breaking down those permissions more in order to limit visibility. I was advised by my team to go ahead and create an idea for you to upvote and follow for updates: 

 

Reply


Terms & ConditionsCookie settings