End users are able to view work notes despite ACLs in place that restrict them from viewing Work notes.
All supported releases.
In the specific view, if the Comments and Work Notes field has been added instead of the Comments and Work notes fields being added separately and there is no read ACL in place that restricts the read access on the field, this issue occurs. In out-of-the-box instances, there is only one read ACL on the task.comments_and_work_notes field. To view it, run the following query on the sys_security_acl table:
If the out-of-the-box ACL has been modified or a new ACL created that allows other users to have read access, the issue occurs.
There are two ways to resolve the issue:
Remove the Additional Comments and Work Notes field from the specific view and add the Comments and the Work Notes fields separately along with the activity filtered.
Modify the read ACLs on the Additional Comments and Work Notes field to allow access only to users who are allowed to view Work notes.