Project Portfolio Office (PPO) provides functionality to notify individuals via e-mail when an item has been updated, including updates to Projects, Tasks, Documents, Issues, Leads or any other entity within PPO. The notification can be sent to individuals directly associated with the item (e.g. the issue contact person) as well as indirectly via the project. The notification may contain any or all of the details associated with the item. Any user with the appropriate privileges may set up a Business Rule to send such a notification.
PPO will by default only send these notifications to individuals if they are also associated with an active user account. This precaution is there to reduce the likelihood of the unintended disclosure of confidential information. Only users are associated with a user group so in the case of non-users, PPO cannot determine whether the recipient should actually have access to the item.
Two examples of unintended disclosure are detailed below:
- A notification has been set up to notify the project sponsor when a project or any related item has been updated. The project sponsor has since resigned and joined a competitor but the project sponsor field on the project has not been updated and the sponsor’s employee record has not been made inactive. When the project is updated the ex-employee is notified of the changes on the project and can see all the details associated with the project.
- A PPO customer runs both internal and external projects (projects for clients). A project owner field has been set up on the project which is either an internal resource or a client. A manager of internal projects asks the PPO administrator to set up an e-mail notification to notify the project owner of updates to cost records. The administrator sets it up but does not limit the notifications to internal projects. When an external project cost record is updated, the project owner (in this case an external customer) is notified thereby inadvertently disclosing the profit on the contract.
Allowing e-mail to non-users
Customers who understand these risks but still want to send notifications to non-users may elect to do so by going to Administration >> System Configuration and enabling the sending of e-mails to non-users (it is under Technical Settings). Note: only the user designated as the Key Contact will see or be able to change this setting.
The user will be asked to confirm that they understand these risks and that they have the authority to accept these risks on behalf of the instance owner before being allowed to change the setting.