After updating VSA to 188.8.131.52, any account that is created results in a notice sent to every other user, identifying the new added account and effectively compromising platform security by broadly announcing new account IDs.
The notes from the update are such:
If this only notified the Master account, or could be configured to notify specific accounts (or even an email D/L), this would be a good security feature. As currently functioning, it can be a security risk instead. I have been told by engineering that this currently cannot be configured or disabled by the MSP.
Since we support many MSPs around the world, we have been receiving these notifications from those that have recently updated their VSA platform. I started configuring our new VSA platform this morning, creating 17 new accounts, and as each account was created, every other user was notified of the new account. The users I created were assigned a role with restrictive "Technician" rights, and yet the notice indicated it was a "Master" account. I stopped short of creating the accounts for the customers that use our VSA, as I do not want to share one customer's information with any other customer. It clearly seems that there is an issue with determining the role access rights, which causes the notice to be sent for/to all users.
I have opened Kaseya support ticket 336653 for this issue. If you are experiencing this notification being sent to more than just your admin users, I would suggest opening a support ticket and reference our ticket.
Glenn, do the new users have master Scope? Wondering if that is enough to trigger it?
I just heard from support:
Any account with Master (or System) Role or SCOPE (regardless of actual Role rights) is considered to be a Master account and its creation will be announced.
Any account with Master (or System) Role or SCOPE (regardless of actual Role rights) is will receive the notifications.
I think this is a great security feature, but slipping it in with barely a mention in the release notes is NOT a good way to implement it. The above two sentences would have gone a long way to help understand what's going to happen, and might cause you to adjust your methods.
I usually create an Internal scope for our team, plus for any customer access. We're moving to a new VSA server with the Tenancy module so we can split off some heavy VSA users. I created our internal users with limited access role but the System scope. Had I known, I would have created the Internal scope again - just might do that and recreate the accounts, since we're not live yet.
What really caused a "panic" is that I had been receiving similar alerts from other MSP customers, both on-prem and SAAS and could not figure out why we were being notified. Now it's clear.. :)