Inbound email classification behavior different for watermark or subject when user does not have access to the target record


Inbound email classification behavior is different for watermark or subject when user does not have access to the target record. When the domains are different, access is validate. The Reply Incoming emails with "watermark" from users without domain access fails with the error string 'Unable to locate <table> <sys_id> for inbound email processing'. However, Reply incoming emails with subject matching a target record from users without domain access are classified as New without error.

Steps to Reproduce


Note – This procedure uses demo data.

  1. Activate the Domain Support - Domain Extensions Installer plugin.

  2. Create an email account and limit access.

    1. Go to / form and open the abel.tuter record.

    2. Set the Email field to <your-email-account>, and set Domain (Domain A) to TOP/Initech.

    3. Click Update.

  3. Change to domain B: TOP/MSP/Default.

  4. Create an incident and limit access.

    1. Navigate to Incident > Create New and create an incident, for example, INC0010008, with caller "Alejandra Prenatt" and Domain B. Click Submit.

    2. Open the incident, add a work note, and click Post.

    3. Provide information for the other required fields and click Update.

      This will limit the access.

      Create an user on one domain and an incident on another

  5. Go to / and find the watermark generated by the email notification triggered on sys_watermark.

    Find a valid watermark

  6. Impersonate abel.tuter and ensure that user cannot open INC0010008.

    Attempts to open the record show "Record not found".

    Ensure that the user has no access to the record.

  7. On your own email, send an email to the instance with the subject "Testing watermark Ref:MSG0000841".

  8. On your own email, send a second email to the instance with the subject "RE: INC0010008 testing subject".

    Sending the emails

    The second email is classified as New and no error is produced.

    Classified as New

    However, the second email should fail with the same error as the first email when a watermark is added: "Unable to locate <table> <sys_id> for inbound email processing".




    Classified as

    Email logs will show

    First message

    Subject or body with watermark



    Error string 'Unable to locate incident bf7e63e04f097e00d69f5a701310c794 for inbound email processing'

    Second message

    Subject with target number

    No error


    Inbound action of type ‘Reply’ will not match



Educate users that only senders with the right domain are able to update the incidents.

If this issue occurs, ensure the sender is in the right domain or ask them to email to an user with the right domain to update the incident on their behalf.

To avoid creating a new incident on replies with an incident number, create a new inbound action of type New that stops processing for those cases.

Workaround by creating a new inbound action

This example has the following condition:

email && email.subject && /^re:.+(INC[0-9]+)/gi.test(email.subject)

Related Problem: PRB809773