Incidents created without filling out mandatory fieldsDescriptionIncidents were created by a user without filling out the mandatory fields.Release or EnvironmentSupported environmentCauseNo defectResolutionHere are the steps to reproduce: User fills out all the required fields and leaves the screen without submitting the incident for an hour or two2. Later they come back and when they click on submit button, as the session has timed out, it asks the user to log in and they do (but incidents are getting created on the back-end and all the required fields that they have entered were wiped out) Based on more recent incident records (not older than 21 days) there is indication that incident records were created by unauthenticated user 'guest' which could happen if the session times out. Reviewing the relevant transaction log file we can conclude that the mandatory fields were filled out and submitted as such. The authentication expired, therefore the transaction ran as 'guest'. The transaction was executed and the record was created. Some field values were not set, because guest does not have permission to set the values in certain fields due to Access Control List (ACL) write rules.In other words: by design mandatory is only enforced on the form. The authenticated user filled out all the mandatory field values. Because the session expired, the transaction ran as guest, and due to this not underlying field ACL write rules were not met. So, it created the record with information that was provided, however certain values could not be set due to ACL requirement.This is expected behavior unless you prevent unauthenticated to create incident records OR have server side script (in form of Business Rules) in place to perform validation on the server side.