I found that users with any of the basic roles one might assign a regular Joe employee (even ones that sound like they are super restricted, like the Attendance Only role) can view all kinds of sensitive dashboards, especially ALL of the templates. As they are templates, I cannot change the permissions on them. I created a test user to confirm this behavior, and indeed it is as stated. As the test user I was able to view sales figures, ticket KPIs, agreement finance data including profitability, and more.
I am kind of shocked as to why the Attendance Only role is being added to finance dashboard TEMPLATES that then cannot be modified/changed. I also found that dashboards created for us by Pro Services had this and other roles added to them without discussion or approval, meaning right out of the box all new custom stuff is accessible by all employees. None of this was covered during onboarding, and I only figured this out when one of my staff told me they could see stuff that they probably shouldn't see.
This appears to be a serious security issue. Not sure if this is the same for everyone else, but you might want to check yours and raise a flag.