The major issue for us is that the restrictions you set in the PEM notification email doNOT carry over to the PEM web pages, particularly the Deliver option. Given that RSA suffered a $60+ million dollar loss because someone released an email that was already trapped in their quarantine, allowing end users to release their own emails is a really, really bad idea. The fact that the PEM Web Access allows all options means we can only offer it to a very few people instead of everyone. That means the ESG administrators need to get involved every time someone clicks Always Permit by accident.
We would like the notification email code modified to escape the email addresses (present them as text instead of links). Why would anyone ever need to click an email address link in the PEM notification email? This is a major source of confusion to people. The only links in the PEM notification email should be the action ones off to the far right, the Subject. and Web Access
If someone is not part of the group allowed to authenticate to PEM, the Web Access link should not be displayed.
(using 7.7.3 currently, in case any of this is fixed in a later version)