Customer Feedback - UI/UX

[Ameston]

• When I click the link - it took me to my "personal account" by default, and couldn't find the item. I then navigated to the CUSTOMER account, and then was able to find it
• When I click on the "x" next to "viewing CUSTOMER" - it takes me back to my "personal account", but if I don't click it - it obstructs my view - The hamburger menu / horizontal move capability wasn't obvious to the customer
• When I click on the "Risk" (the CVE ID), it opens the side view with the details, the asset is displayed in grey under the Risk (the CVE ID), it's not very prominent
• When I then click on the "occurrences" it shows the list of all items that match that risk, including other domains, but the "attributes" only apply to that instance

Also, we are leveraging this approach for duplicate findings - https://github.com/praetorian-inc/chariot-ui/issues/94#issuecomment-2196726131 (a duplicates attribute). The customer provided feedback that rejected findings with a duplicates attribute are not obvious enough (its unclear why they were rejected or that they were duplicates).

[storbeck]

I don't think we actually need this anymore. Now that avatars and org names are user configurable and it's quick enough to toggle "default" account in the dropdown, I think we should actually just remove the toggle.

A MSP persona will be the only real use case to switch between multiple orgs and the breadcrumb should be obvious enough to know which org they are currently viewing.

If there is no objection, I'll just remove this which will clear up the confusion from the first two bullet points. I think this would remove the concept of "impersonating" and instead it acts more as profile toggle.

[Ameston]

I think removing it will exacerbate the confusion caused by the first point.

When I click the link - it took me to my "personal account" by default, and couldn't find the item. I then navigated to the CUSTOMER account, and then was able to find it

However, I know there are a few solutions in the works for that (SSO and link improvements), but I would recommend holding off removing it until we have a better solution for 1

[noah-tutt-praetorian]

Our theory is that SSO will solve 90% of these issues since corporate users should have their own accounts. As MSP customers switch over to SSO, I'd recommending deleting most of the user/password users that have been provisioned.

[privateducky]

Update: we have since adjusted a few things here to be more inline with other products:

• we spell out the account name in the header
• we spell out the account name on the overview page
• we've removed the purple pill/floater

We believe this will cease to be an issue moving forward but aim to track it for optimizations.

[Ameston]

It doesn't look like the following were addressed:

• When I click on the "Risk" (the CVE ID), it opens the side view with the details, the asset is displayed in grey under the Risk (the CVE ID), it's not very prominent - We need to highlight the impacted asset better
• When I then click on the "occurrences" it shows the list of all items that match that risk, including other domains, but the "attributes" only apply to that instance - We need to make it clearer that those attributes are only for that specific instance.

Also, I wanted to confirm that logging in with SSO will take you to your organization's tenant, not your personal tenant. Re:

• When I click the link - it took me to my "personal account" by default, and couldn't find the item. I then navigated to the CUSTOMER account, and then was able to find it

[privateducky]

On the last comment, that is correct.

I'm keeping this ticket open to address your first two points.

[noah-tutt-praetorian]

Also, I wanted to confirm that logging in with SSO will take you to your organization's tenant, not your personal tenant. Re:

• When I click the link - it took me to my "personal account" by default, and couldn't find the item. I then navigated to the CUSTOMER account, and then was able to find it

To be very explicit @Ameston - SSO users do not have a personal account. When they sign in, they are the organization.

[Ameston]

Does that mean the "delete my account" button would appear for any SSO user? @noah-tutt-praetorian

[noah-tutt-praetorian]

Does that mean the "delete my account" button would appear for any SSO user? @noah-tutt-praetorian

No - apologies, it is a little more nuanced than I initially stated. It would be more correct to say that they do not have a personal account and are always assumed into the organization.

The button might still be showing up, but the backend won't let the call go through. Will confirm.

[Ameston]

Cool. Thank you!

[Ameston]

Three items:

• With the new, larger drawer, we lost the "occurrences" table. I think adding back that singular line that links to the risk table with a query for the risk name that says "X other occurrences" would be helpful.
• We still need to address building a clearer way in the UI to outline duplicate detections (the attribute was not clear to the customer).
• Non-SSO users still have to deal with the confusion of a personal tenant vs MSP tenant. I think we should enhance this user experience to clearly emphasize to MSP customers the difference between their personal account vs MSP tenant.

Thank you!!

[privateducky]

Ok; here is where we are tracking the "merge risks" feature: https://github.com/praetorian-inc/chariot-ui/issues/658

This should solve:

1. Giving risks a plain-text name while maintaining our ability to link risks by their original name/ID
2. Providing a way for the user to close duplicates by merging them into a single risk

For the personal vs MSP tenant topic, I'll spin up a new ticket for our UX researcher to take a look. I believe we're fairly standard in our behavior at this point but we can see what additional clarity we can bring.