Should log access requests go through account ownership verification?
Request for comments
Need
In this ticket the customer is requesting logs of all activity of one of their users. The process is covered in our workflow; however, there is no mention there that we should first go through an Account Ownership Verification with the requestor, making sure they are who they claim to be. I have checked quite a few tickets for this, and it does indeed seem that we do not normally go through account ownership verification after checking that the requestor is an Owner in the namespace and that both the requestor and the user in question are classed as Enterprise users.
I am wondering if this is sufficient as we can't really be certain the requested information does not end up with a hacked email account.
Approach
We could add the requirement to go through Account Ownership Verification to the existing workflow.
Benefit
Lower risk of handing our log information to an unverified party.
Competition / Alternatives
Keep the workflow as it is to avoid additional overhead and to keep a more streamlined experience for the customer.