Issue Summary

There seems to be an inconsistency of loading users into the “Approval” custom field (added during the workflow configuration) while raising a ticket via the Assist app in the request channel vs into the same custom field of customer portal.

In the portal, it only loads the added customers into the project being in private access mode while request channel it loads all the users (license and portal)  in the instance to the approval field when we type some customer name despite being private access mode. Ideally both slack channel and portal should load the same set of users into the “Approval” field.

Steps to Reproduce

1. Add a Approval step in to the workflow of a team managed project in JSM. (As shown in the left side of the attached image below)
2. Set the project access mode to "private". (Under project settings of the team managed service project)
3. Raise a ticket through the portal. In portal, it just loads only the users who have been added to the team managed project into the approval field.
4. Raise a ticket via Assist app in Slack. It loads all the users in the instance to the approval field despite project being restricted.

Expected Results

It should load only the project specific users (customers, agents, admins) into the approval custom field.

Actual Results

It loads all the users in the instance to the approval field despite project being restricted....

Moreover, the “Approval” field is pulling private email addresses (such as Gmail, Yahoo, Amazon, and Atlassian domains) belonging to the respective portal/Atlassian users of the instance. These email addresses are visible to all users in the Slack request channel, posing a significant security risk.

Security Concerns:

• Users have visibility of private email addresses, compromising privacy.
• There is a potential risk of sensitive personal emails being inadvertently exposed to unauthorized individuals.

Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available