A non-ITIL user (a user with no roles) can create Task-Outages via incidents or problems when the Task-Outage plugin is installed, regardless of the permissions that are set on the Outages table.
Steps to Reproduce
Install the Task-Outage plugin (on the Fuji or Geneva platform).
Impersonate a requester (no-roles) user.
Create an Incident ticket and view that ticket through the ITIL interface.
Under the form actions menu, create a Task-Outage.
Scroll down to the bottom of the Incident form.
Note that you do not see any Outages listed.
Impersonate an ITIL user and go to the same Incident form.
Note that the Outages were created by the non-ITIL user with default values.
Create ACLs on the Task-Outage table that restrict users other than the itil role from creating records.
If you are able to upgrade, review the Fixed In or Intended Fix Version fields to determine whether any versions have a planned or permanent fix.
Related Problem: PRB671214