Alert user when they are toggling SYSTEM ADMIN under a user's profile
A customer recently reported a permissions breach in which a site administrator in their India division unintentionally modified a work order status flow that impacted their Canadian sites. The Canadian division relies on highly controlled configurations and cannot tolerate cross-site setting changes due to accuracy and operational risk.
The intent was to grant the India-based site admin full control within their own site only; however, enabling the Site Admin role allowed changes to propagate across sites. Per our internal review, the root cause was enabling the Site Admin toggle. This incident has resulted in the Canadian sites shutting down work order usage for nearly three weeks while they complete an investigation.
The client is asking whether there are permission model concepts or controls that could better restrict site-level administration to reduce this risk and prevent similar cross-site impacts in the future.
Ex: adding a flag that would warn the person applying the change that it would affect the user's profile at a Global level prior to accepting the change.