On the Incident Template, fields like Product/Operational/Resolution Categories and Assignment Groups are dependent on the customer company. The current incident template does not have a field to select the customer company which means that no validation occurs on the company specific fields. The lack of this validation also means that the "Support Group Assignment Configuration" rules can be by-passed simply by using a template.
For multi-tenant systems with a managed service provider, this makes the system unusable OOTB and also bypasses all the new multi-tenancy rules of Remedy 9. I'll illustrate with an example.
Consider a multi-tenant system with a MSP and two operating companies, Calbro Services and Invention Inc. The data for two operating companies needs to be segregated. The MSP Service Desk Operator has access to both Invention Inc and Calbro Services. When logging a ticket for Invention Inc, the service desk operator is presented with a template originally meant for Calbro Services.
Using the template above assigns the Invention Inc ticket to a Calbro Services support group even though the Support Group Assignment Configuration is setup to prevent such assignments. In this example, the Invention Inc incident becomes visible to Calbro Services (because it is assigned to a Calbro Services group) which is a serious multi-tenancy and data isolation breach.
Where templates are shared or company wise segregation is not required, "- Global -" company can be used. Once the customer company is selected on the incident, the "Template+" field should automatically only display templates that belong to the company or are global.
Considering, that Remedy ITSM is a multi-tenant system designed for Managed Service Providers (among other users), I will also be logging this as a defect.