User permissions are flawed when a user is a member of multiple teams / allow teams to own objects
Background:
Objects are owned by/assigned to users.
Permissions are set at the user level and restrict access to objects (contacts, deals, tickets). Available permissions:
Everything
Team only (user can see all objects it owns AND objects owned by other users in the user's teams)
Owned only
None
The problem:
The 'team only' permission is flawed when a user is a member of 2 (or more) teams.
This is because members of the 2 teams can see all objects assigned to the user. This is problematic because some objects owned by the user should be visible to 1 team only.
Practical example:
An EU-based user is a member of 2 teams
Team 1: consists solely of EU-based users who process tickets for EU clients (data protection laws & client contracts mean EU client data can only be accessed by EU-based users)
Team 2: consists of both EU-based and non-EU-based users who process tickets for non-EU clients (there's no restriction on EU-based users accessing non-EU client data, meaning the EU-based user can be a member of Team 1 and Team 2)
The 'team only' permission fails because any object assigned to the EU-based user is visible to all users in Team 1 (EU) and Team 2 (non-EU). This means non-EU users see EU-only data, which breaches data law & contractual commitments.
The solution:
The solution is to allow objects to be owned by teams. The 'Team only' permission would need to look at which team an object is assigned to and grant access to users who belong to that team.
It would still be possible for a user to own an object, as this is useful in other scenarios. However, it would not be possible for an object to be owned by a user and a team simultaneously; they would be mutually exclusive.
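The following is an added example, not part of the original post and not the product's code: a small model of the 'Team only' check that reproduces the cross-team exposure described above and compares it with the proposed team-owned check. User names, team names and function names are hypothetical, and it assumes user-owned objects keep the current behaviour under the proposal.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data mirroring the post's example (all names hypothetical).
TEAMS = {
    "team1_eu": {"alice_eu", "bob_eu"},        # EU-only team
    "team2_global": {"alice_eu", "carol_us"},  # mixed team
}
ALL_USERS = set().union(*TEAMS.values())

@dataclass(frozen=True)
class Ticket:
    name: str
    owner_user: Optional[str] = None
    owner_team: Optional[str] = None

    def __post_init__(self):
        # Proposed rule: user and team ownership are mutually exclusive.
        if (self.owner_user is None) == (self.owner_team is None):
            raise ValueError("set exactly one of owner_user / owner_team")

def teams_of(user):
    return {team for team, members in TEAMS.items() if user in members}

def can_view_current(viewer, ticket):
    """Current 'Team only': own objects plus objects owned by any teammate."""
    owner = ticket.owner_user
    if owner is None:
        return False  # team ownership does not exist in the current model
    return owner == viewer or bool(teams_of(viewer) & teams_of(owner))

def can_view_proposed(viewer, ticket):
    """Proposed 'Team only': a team-owned object is visible to that team only."""
    if ticket.owner_team is not None:
        return viewer in TEAMS.get(ticket.owner_team, set())
    return can_view_current(viewer, ticket)  # assumption: user-owned unchanged

def viewers(ticket, rule):
    """Every user the given rule lets see the ticket."""
    return {u for u in ALL_USERS if rule(u, ticket)}

if __name__ == "__main__":
    by_user = Ticket("EU client ticket", owner_user="alice_eu")
    by_team = Ticket("EU client ticket", owner_team="team1_eu")
    print("current :", sorted(viewers(by_user, can_view_current)))
    print("proposed:", sorted(viewers(by_team, can_view_proposed)))
```

Running `viewers` over existing user-owned objects with the current rule is also a quick way to list which records are already visible outside the team they were meant for.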