If a user is added to the on the MSP side of Barracuda, they have access to all companies the entire MSP has access too.
The most worrying issue here is that this allows users to see all internal emails, including HR or private emails with management. This has not been a major issue for us due to the limited access we have provided our employees to Barracuda MSP, but we need to provide this to newer employees going forward.
It is not reasonable for an MSP solution to suggest creating individual accounts for every helpdesk technician on every company is the solution.
Additionally, creating individual accounts per MSP helpdesk tech per company does not allow for manageable 2fa, and really should not be considered any kind of solution for a security minded company.