[OPSGENIE-517] "Team B" is able to see the alert which is assigned to "Team A", when alert was created using the API under the "Engineering Team A"


      Issue Summary

      Users in "Team B" are able to see the alerts that are assigned to "Team A" when the alert was created using the API under "Team A". This was noticed while attempting to toggle off "see all alerts" within the main alerts page. This results in the user noticing that alerts show even though they are not members of any teams, schedules, or escalation policies on the team which is listed as the responder on the alert.

      Steps to Reproduce

      1. Create a team-owned API integration assigned to Team A.
      2. Use another admin user account that is not a part of Team A to generate an alert in the UI. Select the API integration for Team A, and then in the responders field input Team B.
      3. When the alert is created it lists Team A as the responder since they own the integration, but the members of Team B are able to see the alert as if they were a responder even though they are not listed in the UI.

      Full replication video can be seen here: https://share.getcloudapp.com/2Numdqo0

      Expected Results

      When the integration that is owned by Team A processes and creates the alert, the relationship with Team B would go away. The alert would then fail to return if an Owner or Admin toggles "see all alerts" and they are not a member of the responder team.

      Actual Results

      The UI believes that Team B was a responder and allows the alert to be viewed via the team API key and within the UI when toggling off "see all alerts". Toggling off "see all alerts" is expected to only show alerts for which you were a responder.

      Workaround

      Update the source sending in the payload to the correct responder or don't specify one. Not specifying one at all will result in the integration still assigning it to the correct team and prevent viewing of the alert by someone who is not actually a responder.


            Alexandre Pophal added a comment:

            I had the same issue and opened this ticket https://support.atlassian.com/requests/OGSP-130268

            It was difficult to understand what was going on since the activity logs did not show any information about what was happening.

            Alp Gürtan added a comment:

            Hi everyone,

            From my understanding, there are two ambiguities around this issue. The first one is alert visibility and the second one is the owner team concept.

            Alert Visibility

            It is answered at: https://support.atlassian.com/opsgenie/docs/navigate-the-alerts-list/#Visibility-of-Alerts

            Users can only see the alerts assigned to them; plus the alerts that their teams are added to.

            Also, we have a small mention of this behavior in the last paragraph of https://support.atlassian.com/opsgenie/docs/who-are-alert-responders/

            ... If a team is added to an alert, all members of the team gain visibility....

            If you would like to give visibility just to your teams for specific alerts, you can configure your teams’ Routing Rules accordingly by adding a rule with the matching criteria and routing those alerts to ‘No one’.

            Owner Team Concept

            The question of why we are not seeing "Team B" as a responder on that alert is also hinted at https://support.atlassian.com/opsgenie/docs/configure-a-team-dashboard/#Team-integrations . We are discarding responders in the request body but still give them visibility for the sake of backward compatibility.

            Any alert created via integrations that are assigned to a particular team are routed to the team that this integration is assigned to. In other words, a team restricted integration can not have any responders other than the assigned team to route the alert.

            In Conclusion

            You are right that these two issues can create confusion and are hard to understand when used together. However, at the moment most of our users are able to use this functionality for granting visibility to alerts without notifying others and we don't want to affect their workflow on short notice. Let me move this ticket to suggestion and re-evaluate it in the future depending on its popularity.
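The workaround from the issue description, written as an added example (not Atlassian's or either commenter's code): a pre-send filter that keeps only the owning team in `responders`, because per the comment above any other responder in the request body is discarded for routing but still gains visibility. The function name, the sample payload and the assumption that the sender knows which team owns the integration key are illustrative.

```python
import copy

# Constructed sample: a create-alert request body sent with Team A's
# team-owned integration key, naming other teams in "responders".
SAMPLE_PAYLOAD = {
    "message": "Disk usage above 90% on db-01",
    "responders": [
        {"name": "Team A", "type": "team"},
        {"name": "Team B", "type": "team"},
        {"id": "00000000-0000-0000-0000-000000000000", "type": "team"},
    ],
}


def restrict_responders(payload, owner_team):
    """Return (clean_payload, dropped) for a team-owned integration.

    owner_team: name of the team that owns the integration key. The sender
    is assumed to know this from its own configuration (hypothetical input).
    Any responder that is not provably the owner team is dropped, including
    entries that identify a team by id only, so the check fails closed.
    """
    clean = copy.deepcopy(payload)  # never mutate the caller's payload
    kept, dropped = [], []
    for entry in clean.get("responders") or []:
        is_owner = (
            isinstance(entry, dict)
            and entry.get("type") == "team"
            and entry.get("name") == owner_team
        )
        (kept if is_owner else dropped).append(entry)
    if kept:
        clean["responders"] = kept
    else:
        # No responders at all: the integration still assigns its own team.
        clean.pop("responders", None)
    return clean, dropped


if __name__ == "__main__":
    clean, dropped = restrict_responders(SAMPLE_PAYLOAD, "Team A")
    print("sending:", clean)
    for entry in dropped:
        print("dropped (would have gained visibility):", entry)
```

Logging the dropped entries at the sender gives the record that the first commenter found missing from the activity logs.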

              cdegidio@atlassian.com Chris DeGidio
              Votes: 2
              Watchers: 4