
Mailing List Archive: Request Tracker: Users

Ticket level permissions



dteklavya at gmail

Jul 20, 2012, 12:44 AM

Post #1 of 4
Ticket level permissions

Hi All,

I'm new to RT and trying to make it work in following manner -

1. There should be only one queue called 'Support'. This is because we
have too many clients and is a management call...

2. Multiple clients using same queue to create tickets.

3. No client should be able to access another client's tickets. Example
- Client A should not be able to access client B's tickets.

And this is what I've done so far -

1. Add a custom field 'Client' at user level.

2. Create a group for each 'Client' and add all users belonging to the
client to their respective group.

3. OnCreate scrip to add the group as 'Cc' to the ticket and grant
'ShowTicket' to the 'Cc' role.

This results in -

1. User belonging to group A cannot see tickets raised by any user of
group B on the 'Open tickets' page. So the segregation works here.

2. But if a user of group A searches for a ticket (by ticket number) he
gets to see all the ticket details hence defeating restriction we needed
in place.

Please take a look at the OnCreate script on pastebin
<http://pastebin.com/4G7mFDP8> and help me understand what is wrong with
this approach.


Thanks for help!

Regards,
Rajesh


falcone at bestpractical

Jul 20, 2012, 8:15 AM

Post #2 of 4
Re: Ticket level permissions

On Fri, Jul 20, 2012 at 01:14:53PM +0530, Rajesh Kumar wrote:
> Hi All,
>
> I'm new to RT and trying to make it work in following manner -
>
> 1. There should be only one queue called 'Support'. This is because we have too many clients
> and is a management call...
>
> 2. Multiple clients using same queue to create tickets.
>
> 3. No client should be able to access another client's tickets. Example - Client A should not
> be able to access client B's tickets.
>
> And this is what I've done so far -
>
> 1. Add a custom field 'Client' at user level.
>
> 2. Create a group for each 'Client' and add all users belonging to the client to their
> respective group.
>
> 3. OnCreate scrip to add the group as 'Cc' to the ticket and grant 'ShowTicket' to the 'Cc'
> role.
>
> This results in -
>
> 1. User belonging to group A cannot see tickets raised by any user of group B on the 'Open
> tickets' page. So the segregation works here.
>
> 2. But if a user of group A searches for a ticket (by ticket number) he gets to see all the
> ticket details hence defeating restriction we needed in place.

You've granted ShowTicket too widely, check your ACL configurations.
Especially for Everyone and Unprivileged groups.

-kevin

> Please take a look at the OnCreate script on [1]pastebin and help me understand what is wrong
> with this approach.


dteklavya at gmail

Jul 23, 2012, 2:30 AM

Post #3 of 4
Re: Ticket level permissions

On Friday 20 July 2012 08:45 PM, Kevin Falcone wrote:
> On Fri, Jul 20, 2012 at 01:14:53PM +0530, Rajesh Kumar wrote:
>> Hi All,
>>
>> I'm new to RT and trying to make it work in following manner -
>>
>> 1. There should be only one queue called 'Support'. This is because we have too many clients
>> and is a management call...
>>
>> 2. Multiple clients using same queue to create tickets.
>>
>> 3. No client should be able to access another client's tickets. Example - Client A should not
>> be able to access client B's tickets.
>>
>> And this is what I've done so far -
>>
>> 1. Add a custom field 'Client' at user level.
>>
>> 2. Create a group for each 'Client' and add all users belonging to the client to their
>> respective group.
>>
>> 3. OnCreate scrip to add the group as 'Cc' to the ticket and grant 'ShowTicket' to the 'Cc'
>> role.
>>
>> This results in -
>>
>> 1. User belonging to group A cannot see tickets raised by any user of group B on the 'Open
>> tickets' page. So the segregation works here.
>>
>> 2. But if a user of group A searches for a ticket (by ticket number) he gets to see all the
>> ticket details hence defeating restriction we needed in place.
> You've granted ShowTicket too widely, check your ACL configurations.
> Especially for Everyone and Unprivileged groups.
>
> -kevin
>

Thanks for your response. I've double checked and there are no rights
granted to Everyone and Unprivileged groups. The user defined groups
only have CreateTicket and SeeQueue rights. I'm using version 4.0.5.
Please let me know if there is something else I'm missing. Thanks.

Regards,
Rajesh


falcone at bestpractical

Jul 31, 2012, 9:14 AM

Post #4 of 4
Re: Ticket level permissions

On Mon, Jul 23, 2012 at 03:00:13PM +0530, Rajesh Kumar wrote:
> On Friday 20 July 2012 08:45 PM, Kevin Falcone wrote:
> >On Fri, Jul 20, 2012 at 01:14:53PM +0530, Rajesh Kumar wrote:
> >> Hi All,
> >>
> >> I'm new to RT and trying to make it work in following manner -
> >>
> >> 1. There should be only one queue called 'Support'. This is because we have too many clients
> >> and is a management call...
> >>
> >> 2. Multiple clients using same queue to create tickets.
> >>
> >> 3. No client should be able to access another client's tickets. Example - Client A should not
> >> be able to access client B's tickets.
> >>
> >> And this is what I've done so far -
> >>
> >> 1. Add a custom field 'Client' at user level.
> >>
> >> 2. Create a group for each 'Client' and add all users belonging to the client to their
> >> respective group.
> >>
> >> 3. OnCreate scrip to add the group as 'Cc' to the ticket and grant 'ShowTicket' to the 'Cc'
> >> role.
> >>
> >> This results in -
> >>
> >> 1. User belonging to group A cannot see tickets raised by any user of group B on the 'Open
> >> tickets' page. So the segregation works here.
> >>
> >> 2. But if a user of group A searches for a ticket (by ticket number) he gets to see all the
> >> ticket details hence defeating restriction we needed in place.
> >You've granted ShowTicket too widely, check your ACL configurations.
> >Especially for Everyone and Unprivileged groups.
>
> Thanks for your response. I've double checked and there are no
> rights granted to Everyone and Unprivileged groups. The user defined
> groups only have CreateTicket and SeeQueue rights. I'm using version
> 4.0.5. Please let me know if there is something else I'm missing.


If users can see the tickets, then they've picked up ShowTicket from
somewhere. It may be time for you to poke in the ACL table and see
where ShowTicket has been handed out.

-kevin
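
Added example, not part of the thread or of RT itself: one way to run the ACL-table check suggested in the last reply, demonstrated on an in-memory SQLite copy. The table and column names are assumed to match RT 4.0's `ACL` and `Groups` tables (reduced to the columns used), every row is constructed sample data, and `load_sample` and `audit_show_ticket` are hypothetical helper names.

```python
import sqlite3
# Constructed miniature of RT's ACL and Groups tables (assumed RT 4.0 column names).
SCHEMA = """
CREATE TABLE Groups (id INTEGER PRIMARY KEY, Name TEXT, Domain TEXT, Type TEXT);
CREATE TABLE ACL (id INTEGER PRIMARY KEY, PrincipalType TEXT, PrincipalId INTEGER,
                  RightName TEXT, ObjectType TEXT, ObjectId INTEGER);
"""
# Constructed sample rows, not taken from the poster's system.
GROUPS = [
    (3, "", "SystemInternal", "Everyone"),
    (4, "", "SystemInternal", "Privileged"),
    (20, "", "RT::Queue-Role", "Cc"),
    (31, "ClientA", "UserDefined", ""),
    (32, "ClientB", "UserDefined", ""),
]
ACL = [
    (1, "Group", 31, "CreateTicket", "RT::Queue", 1),
    (2, "Group", 31, "SeeQueue", "RT::Queue", 1),
    (3, "Cc", 20, "ShowTicket", "RT::Queue", 1),
    (4, "Group", 4, "ShowTicket", "RT::System", 1),
    (5, "Group", 32, "SuperUser", "RT::System", 1),
]
# SuperUser implies every right, so it is audited alongside ShowTicket.
AUDIT = """
SELECT a.id, a.PrincipalType, g.Domain, COALESCE(NULLIF(g.Name, ''), g.Type),
       a.RightName, a.ObjectType, a.ObjectId
FROM ACL a LEFT JOIN Groups g ON g.id = a.PrincipalId
WHERE a.RightName IN ('ShowTicket', 'SuperUser')
ORDER BY a.id
"""
def load_sample():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Groups VALUES (?,?,?,?)", GROUPS)
    db.executemany("INSERT INTO ACL VALUES (?,?,?,?,?,?)", ACL)
    return db

def audit_show_ticket(db):
    """Return every grant that can make a ticket visible, with a scope label."""
    findings = []
    for acl_id, ptype, domain, name, right, otype, oid in db.execute(AUDIT):
        # A role grant (PrincipalType is the role name) reaches only holders of that
        # role; a 'Group' grant reaches every member on every ticket under the object.
        scope = "all-members" if ptype == "Group" else "role-holders-only"
        findings.append((acl_id, name, right, f"{otype}#{oid}", scope))
    return findings

if __name__ == "__main__":
    print(*audit_show_ticket(load_sample()), sep="\n")
```

In the sample data, rows 4 and 5 are the kind of grant that would let a member of one client group open another client's ticket by number, while row 3 is the intended role-scoped grant.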
