CommandByMail security

To list,

We’re discovering that even though we have set rights in a Queue for
"CreateTicket" for only 1 person, it seems like anyone can create a ticket
when we have CommandByMail turned on. I have checked the global rights and
the queue rights and I had someone without that right create a ticket.

Is that way it is supposed to work?