
KI-36

Inbound Form Is Public Read/Write

Key/Summary

KI-36 Inbound Form Is Public Read/Write

Status

Done

Created

09/29/2020

Updated

12/17/2021

Description

The default access to the Inbound Form object is Public Read/Write, which allows any user within a given instance of Medical Information Cloud - Inquiry Management to view all Inbound Form records even if they are in a different region. This means that users have access to all PII contained within Inbound Form records.

Impacted Capabilities

None

Affected Apps

Medical Information Cloud - Classic

Medical Information Cloud - Lightning

Affects Versions

None

Fix Version

MIC V11

Steps to Reproduce

This issue is not immediately observable in the standard configuration as Inbound Forms are not easily accessible by Agents out of the box. Certain customizations may make Inbound Forms more accessible, which in turn would make this issue more observable. For those administrators looking to observe the issue, Inbound Forms can be enabled for Salesforce.com reporting and then accessed as a non-system administrator. For more details on how to enable objects and users for reporting, please refer to Salesforce.com documentation.

Workaround

Customers can change the default sharing model from Public Read/Write to Private without impacting the upgradability of the Medical Information Cloud - Inquiry Management application to V10. In the V11 release of Medical Information Cloud - Inquiry Management, Mavens is changing the Inbound Form object's default access to Private. For Customers whose users need access to Inbound Forms, Mavens recommends changing the sharing model to Private and adding sharing rules now so that users do not lose access to Inbound Forms in V10. To ensure users receive the appropriate access to Inbound Forms:

  1. In the Quick Find box in Setup, search for and select Sharing Settings.

  2. Change the Default Internal Access of the Inbound Form object from Public Read/Write to Private.

  3. Create Inbound Form Sharing Rules that mirror the sharing rules on the Case and Request objects.
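The following is an added example, not code from Mavens or Salesforce. It checks retrieved Salesforce metadata to confirm the steps above took effect: the object's `sharingModel` is no longer public, and every group or role a reference object's sharing rules grant access to is also covered by an Inbound Form rule. The metadata snippets, the `EU_MI_Agents` group and the rule names are constructed. Only Case rules are compared here; the same call applies to the Request object's rules.

```python
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"
# Metadata API sharingModel values that expose every record to all internal users
PUBLIC_MODELS = {"Read", "ReadWrite", "ReadWriteTransfer", "FullAccess"}

def sharing_model(object_xml):
    """Org-wide default declared in a CustomObject metadata file."""
    return ET.fromstring(object_xml).findtext(NS + "sharingModel")

def shared_targets(rules_xml):
    """Set of (target type, target name, access level) over all sharing rules."""
    targets = set()
    for rule in ET.fromstring(rules_xml):  # owner- and criteria-based rules
        level = rule.findtext(NS + "accessLevel")
        for target in rule.findall(NS + "sharedTo/*"):
            targets.add((target.tag.replace(NS, ""), target.text, level))
    return targets

def audit(form_object_xml, form_rules_xml, reference_rules_xml):
    """Findings for steps 2 and 3: private default, rules mirroring a reference object."""
    findings = []
    model = sharing_model(form_object_xml)
    if model in PUBLIC_MODELS:
        findings.append(f"org-wide default is {model}; expected Private")
    missing = shared_targets(reference_rules_xml) - shared_targets(form_rules_xml)
    for kind, name, level in sorted(missing):
        findings.append(f"no Inbound Form rule granting {level} to {kind} {name}")
    return findings

# Constructed sample metadata (object label from the page; group and rule names invented)
XMLNS = 'xmlns="http://soap.sforce.com/2006/04/metadata"'
OBJECT_BEFORE = f"""<CustomObject {XMLNS}>
  <label>Inbound Form</label><sharingModel>ReadWrite</sharingModel>
</CustomObject>"""
OBJECT_AFTER = OBJECT_BEFORE.replace("ReadWrite", "Private")
NO_RULES = f"<SharingRules {XMLNS}/>"
CASE_RULES = f"""<SharingRules {XMLNS}>
  <sharingOwnerRules>
    <fullName>EU_Agents</fullName><accessLevel>Edit</accessLevel>
    <sharedFrom><group>EU_MI_Agents</group></sharedFrom>
    <sharedTo><group>EU_MI_Agents</group></sharedTo>
  </sharingOwnerRules>
</SharingRules>"""
FORM_RULES = CASE_RULES.replace("EU_Agents", "EU_Inbound_Forms")

if __name__ == "__main__":
    print(audit(OBJECT_BEFORE, NO_RULES, CASE_RULES))   # default state: two findings
    print(audit(OBJECT_AFTER, FORM_RULES, CASE_RULES))  # after the workaround: []
```

An empty result after step 3 means users who could reach Cases through a sharing rule keep equivalent access to Inbound Forms once the default becomes Private.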