Those aren’t the only options. It would be trivial change to allow any dealer to request access to any vehicle and have it tied to the active employees SSO or something similar that at least leave an audit trail and prevents such random access. Allowing anyone to be a dealer is the real oversight. They could put some checks in place also to prevent the stalker situation GP mentioned. It’s always going to be possible but reduces risk a lot if employee just has to ask someone else to approve their access request, even if it’s just a rubber stamp process making sure the vehicle is actually in need of some service