When invoking an individual certification, an admin can open it and take decisions if they get the certification link via the e-mail template (name: Certification).
Only the reviewer should be able to see the active certification, and the link embedded within the template should also be accessible by the configured reviewer. Only they can take a decision, unless it has been re-assigned by the actual configured reviewer.
What product feature is this related to?
Certifications
What are the steps to reproduce the issue?
Configure a certification and set an individual reviewer.
Copy the certification link which is embedded in the e-mail template of Certification.
Open this link as an admin.
Take decisions even though the certification has not been re-assigned by the actual reviewer.
Do you have any other information about your environment that may help?
Can you also provide step-by-step instructions to recreate the scenario? A list of steps that I can follow to reach the same outcome would help me, and others, reproduce the issue, which would make a stronger case for engineering.
I was not able to replicate it for only the below combination:
Reviewer not having any user-level setup.
Now, I do agree that we have API functionalities which allow a user with ORG_ADMIN or CERT_ADMIN to manage campaigns.
My concern is for the following scenario, which I again know is a real corner case: if an admin can route the e-mail to their inbox, it will be pretty easy for them to then proceed with revoking or approving review items within a configured campaign without the review item being officially re-assigned.
As for how I was able to replicate it, below are the steps:
i. Configure an individual certification campaign and select an end-user persona as a reviewer.
ii. Generate the campaign, which should trigger the relevant e-mail template for the Certification kick-off.
iii. Route the e-mail to an identity who has ORG_ADMIN; they can now use the embedded link within the generated campaign to easily navigate through the UI and proceed with taking the decisions instead of the actual reviewer.
iv. After the campaign completes, the campaign still shows up within the initial reviewer's completed certifications tab, but when opening the said campaign a small indicator shows that someone else has taken the decision.
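As an added example, not part of the original thread and not the product's own code, the following is a reconciliation check a defender could run over exported certification decision records to surface the situation described above: decisions recorded by someone other than the configured reviewer without an official re-assignment. The record fields (assigned reviewer, decided-by identity, re-assignment target), the role lookup, and the sample records are all assumptions constructed for the example; only the role names ORG_ADMIN and CERT_ADMIN come from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed shape of one exported certification decision record.
@dataclass(frozen=True)
class Decision:
    campaign_id: str
    item_id: str
    assigned_reviewer: str          # reviewer configured on the campaign
    decided_by: str                 # identity that actually recorded the decision
    reassigned_to: Optional[str]    # set only when an official re-assignment exists

# Roles that let an identity manage campaigns (named in the thread).
ADMIN_ROLES: Set[str] = {"ORG_ADMIN", "CERT_ADMIN"}


def find_out_of_band_decisions(decisions: List[Decision]) -> List[Decision]:
    """Return decisions taken by an identity that is neither the assigned
    reviewer nor the official re-assignee for that review item."""
    flagged = []
    for d in decisions:
        allowed = {d.assigned_reviewer}
        if d.reassigned_to:
            allowed.add(d.reassigned_to)
        if d.decided_by not in allowed:
            flagged.append(d)
    return flagged


def classify_out_of_band(
    decisions: List[Decision], roles: Dict[str, Set[str]]
) -> List[Tuple[str, str, str, str]]:
    """For each out-of-band decision, report (campaign, item, decider, reason),
    where reason is the admin role that explains the access or 'none' when the
    decider holds no admin role (which would need separate investigation)."""
    report = []
    for d in find_out_of_band_decisions(decisions):
        held = roles.get(d.decided_by, set()) & ADMIN_ROLES
        reason = sorted(held)[0] if held else "none"
        report.append((d.campaign_id, d.item_id, d.decided_by, reason))
    return report


# Constructed sample records (not real data).
SAMPLE_DECISIONS: List[Decision] = [
    Decision("camp-1", "item-1", "alice", "alice", None),        # normal
    Decision("camp-1", "item-2", "alice", "bob", "bob"),         # officially re-assigned
    Decision("camp-1", "item-3", "alice", "admin.carol", None),  # admin decided via link
    Decision("camp-2", "item-4", "dave", "erin", None),          # unexplained decider
]

# Constructed role lookup (assumed to come from an identity export).
SAMPLE_ROLES: Dict[str, Set[str]] = {
    "alice": set(),
    "bob": set(),
    "admin.carol": {"ORG_ADMIN"},
    "erin": set(),
}

if __name__ == "__main__":
    for row in classify_out_of_band(SAMPLE_DECISIONS, SAMPLE_ROLES):
        print("out-of-band decision:", row)
```

Run against a real export, the "none" rows are the ones to look at first, since the re-assignment and admin-role explanations have already been ruled out for them; the admin-role rows are the case the thread describes and can be reviewed against whether that admin was expected to act on the campaign at all.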