We have a Validation Rule that prevents ticket closure if the "Subcategory" field is blank. This has been working fine, but recently we noticed a few tickets per day somehow being closed without a "Subcategory". Upon further investigation we found the Validation Rule works as intended within a ticket but can be bypassed by agents via mass actions from a list view.

It also appears agents who do not have 'Delete' ticket permission in their profile are able to do so from list view using mass actions. I've confirmed this to be true in both my own testing and in the system logs.

When permissions and restrictions are put in place for a user the expectation is they are enforced throughout the system. Can you please investigate why these backdoors exist and what the plan is to close them?

Thank you,

Jason