Question

Prevent impersonation?

  • 1 February 2024
  • 1 reply


I am not sure if this has been this way all along or whether it’s a recent change, but it was pointed out to me today that a requester has the option to freely alter the «Requester» field when submitting a ticket to be any other email address in our company.
 

Meaning, johndoe@company.com is allowed to edit the requester field to read <name-of-ceo>@company.com and the ticket will be accepted without hesitation. On the agent end the ticket appears as having been submitted by the CEO, and only by checking the Activity log would it become evident that the ticket was actually entered by John Doe. Obviously, our internal audit team is not impressed.

An obvious way to deal with this would be to make the Requester field hidden (or, ideally, read-only and fixed to the authenticated user). Has anyone done such a customization yet?

 

 


1 reply


Freshservice support was unhelpful, but I found the solution in a three-year-old thread.

 
