falcone at bestpractical
Jul 31, 2012, 9:14 AM
Post #4 of 4
On Mon, Jul 23, 2012 at 03:00:13PM +0530, Rajesh Kumar wrote:
> On Friday 20 July 2012 08:45 PM, Kevin Falcone wrote:
> >On Fri, Jul 20, 2012 at 01:14:53PM +0530, Rajesh Kumar wrote:
> >> Hi All,
> >> I'm new to RT and trying to make it work in following manner -
> >> 1. There should be only one queue called 'Support'. This is because we have too many clients
> >> and is a management call...
> >> 2. Multiple clients using same queue to create tickets.
> >> 3. No client should be able to access another client's tickets. Example - Client A should not
> >> be able to access client B's tickets.
> >> And this is what I've done so far -
> >> 1. Add a custom field 'Client' at user level.
> >> 2. Create a group for each 'Client' and add all users belonging to the client to their
> >> respective group.
> >> 3. OnCreate scrip to add the group as 'Cc' to the ticket and grant 'ShowTicket' to the 'Cc'
> >> role.
> >> This results in -
> >> 1. User belonging to group A cannot see tickets raised by any user of group B on the 'Open
> >> tickets' page. So the segregation works here.
> >> 2. But if a user of group A searches for a ticket (by ticket number) he gets to see all the
> >> ticket details hence defeating restriction we needed in place.
> >You've granted ShowTicket too widely, check your ACL configurations.
> >Especially for Everyone and Unprivileged groups.
> Thanks for your response. I've double checked and there are no
> rights granted to Everyone and Unprivileged groups. The user defined
> groups only have CreateTicket and SeeQueue rights. I'm using version
> 4.0.5. Please let me know if there is something else I'm missing.
If users can see the tickets, then they've picked up ShowTicket from
somewhere. It may be time for you to poke in the ACL table and see
where ShowTicket has been handed out.