3.4.1 Custom Field Permissions

We’ve just upgraded from 3.1.14 to 3.4.1, and although the custom fields
migrated correctly, our customers have lost the ability to create new
custom fields and attach them to their queues - there are no menu options
anywhere to allow them to create new custom fields, presumably due to
missing permissions. So I’m trying to dig and find out what permissions are
required.

I’m wondering…

  • should I expect to see a ‘new custom field’ tab to show up under the
    queue config?

  • is it correct that anyone who needs to create a new custom field must
    have the global “AdminCustomField” permission? It seems a bit broad, but
    that’s the only thing I can do to make a ‘new custom field’ tab show up.

  • If I do give them global AdminCustomField, the users can then create a CF
    and associate it with their queue. But how can they prevent someone from
    another group (who also has global AdminCustomField) from messing with this CF?

Adding to my confusion is a page /Admin/Queues/CustomField.html that I
can’t see referred from any menu - it looks like it is for creating a new
custom field for a queue but I can’t figure out how to access it through
the UI.

Thanks,
Steve

Related to my original question - it appears that for a user to grant
permissions on a custom field object to a group, they need "ModifyACL"
permission on the CF object. But I don’t see ModifyACL in the custom
field’s group rights screen.

code in ACE_Overlay.pm:
unless ( $self->CurrentUser->HasRight( Object => $args{‘Object’},
Right => ‘ModifyACL’ )) {
return ( 0, $self->loc(‘Permission Denied’) );

But - the valid rights on a custom object seem not to include ModifyACL -
from CustomField_Overlay.pm:

$RIGHTS = {
SeeCustomField => ‘See custom fields’, # loc_pair
AdminCustomField => ‘Create, delete and modify custom
fields’, # loc_pair
ModifyCustomField => ‘Add, delete and modify custom field
values for objects’ #loc_pair

};

So, can only users with global ModifyACL rights controll the group access
to custom fields?

Steve

Related to my original question - it appears that for a user to grant
permissions on a custom field object to a group, they need "ModifyACL"
permission on the CF object. But I don’t see ModifyACL in the custom
field’s group rights screen.

That sure looks like a bug. Fire off a ticket to rt-bugs and we’ll
address it for 3.4.3? (3.4.2 is already frozen for release tomorrow)