Users can see batches that are not in their site

Security roles can be secured by site, which allows the user to only see information pertaining to that site.  However, when viewing the Uncommitted Batches tab, a site-secured user can see all batches, whether for his site or not. The batches can also be edited, giving the user access to constituent information from other sites.
We're currently evaluating this issue for a fix in a future patch or service pack.

Steps to Duplicate

  1. Go to Administration>>Security>>Application users
  2. Select a non-admin user and add an All Rights role with Record access to one specific site
  3. Run as this user
  4. Go to Batch Entry
  5. Observe that all batches, regardless of site, are visible and can be edited

Environment

 Blackbaud CRM
 4.0

Was this article helpful?