Adding AdminCC on ticket creation fails without ModifyTicket right

I currently have permissions set on tickets such that only the ticket
owner has the ModifyTicket right. If I create a ticket, and on the
ticket creation screen set someone as AdminCC, and submit the ticket,
the ticket is successfully created but I get a permission denied error
on adding the AdminCC. I’m not sure if this is a bug or a feature…I
would think that a privileged user creating a ticket should be able to
set an AdminCC (for a manager or someone else who wishes to follow the
ticket details), but the order in which RT creates the ticket prevents
that from working (ticket created, then a separate transaction to add
the AdminCC). This problem does not exist when adding a normal CC on
ticket creation.
If I create the ticket with myself as the owner, it does allow me to set
AdminCC, but in our setup a privileged user (as a member of one
particular group) does not have ownership permissions in all the queues,
but we do have create ticket permissions in other queues.

Any ideas if there’s a way around this?

Nick,

Have you tried setting the AdminCc when creating the ticket? You can do
that with the WebUI. If these tickets are being created via Email, then
downloading/installing the “CommandByMail” extension/plugin will allow
you to do this.

As to changing/setting the AdminCc once the ticket is created, that’s
strictly a “ModifyTicket” right. There are a couple things you can do to
a ticket /without/ that right, which are Make/Show Comments and
Reply/See Email & correspondence.

Another thing you can do is if you know who will be a regular AdminCc on
a Queue by queue basis, set the Queue AdminCc Watcher to that person and
then set the Queue Group Right for the AdminCc /role/ to allow
"ModifyTicket".

Hope this helps.

Kenn
LBNLOn 12/3/2009 11:58 AM, Nick Kartsioukas wrote:

I currently have permissions set on tickets such that only the ticket
owner has the ModifyTicket right. If I create a ticket, and on the
ticket creation screen set someone as AdminCC, and submit the ticket,
the ticket is successfully created but I get a permission denied error
on adding the AdminCC. I’m not sure if this is a bug or a feature…I
would think that a privileged user creating a ticket should be able to
set an AdminCC (for a manager or someone else who wishes to follow the
ticket details), but the order in which RT creates the ticket prevents
that from working (ticket created, then a separate transaction to add
the AdminCC). This problem does not exist when adding a normal CC on
ticket creation.
If I create the ticket with myself as the owner, it does allow me to set
AdminCC, but in our setup a privileged user (as a member of one
particular group) does not have ownership permissions in all the queues,
but we do have create ticket permissions in other queues.

Any ideas if there’s a way around this?


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

said:

Have you tried setting the AdminCc when creating the ticket? You can do
that with the WebUI. If these tickets are being created via Email, then
downloading/installing the “CommandByMail” extension/plugin will allow
you to do this.

Yep, I am setting the AdminCC on the ticket creation page via the web
interface. It appears that RT treats setting the AdminCC as a separate
transaction from the ticket creation, so it creates the ticket, then
attempts to apply the AdminCC value, and that’s where it fails (as after
the ticket is created, I don’t have the ModifyTicket right).

Privileged user with: CreateTicket, CommentOnTicket, SeeQueue,
ShowOutgoingEmail, ShowTicket, ShowTicketComments on the queue in
question.

I wish “ModifyTicket” was split up, it encompasses quite a lot of
operations…

Nick,

I suppose you could make yourself the owner when you create it, then
after it is created, give it to someone else. But that is the long way
around. You could also write a scrip to do it with RT authority, but
that is a little like doing it twice when it shouldn’t be necessary.

Are you sure you don’t have a set list of AdminCc’s for each queue? That
way you just grant the right “ModifyTicket” to the role “AdminCc” at the
queue level.

Kenn
LBNLOn 12/3/2009 1:27 PM, Nick Kartsioukas wrote:

On Thu, 03 Dec 2009 12:52:06 -0800, “Ken Crocker” kfcrocker@lbl.gov
said:

Have you tried setting the AdminCc when creating the ticket? You can do
that with the WebUI. If these tickets are being created via Email, then
downloading/installing the “CommandByMail” extension/plugin will allow
you to do this.

Yep, I am setting the AdminCC on the ticket creation page via the web
interface. It appears that RT treats setting the AdminCC as a separate
transaction from the ticket creation, so it creates the ticket, then
attempts to apply the AdminCC value, and that’s where it fails (as after
the ticket is created, I don’t have the ModifyTicket right).

Privileged user with: CreateTicket, CommentOnTicket, SeeQueue,
ShowOutgoingEmail, ShowTicket, ShowTicketComments on the queue in
question.

I wish “ModifyTicket” was split up, it encompasses quite a lot of
operations…


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

said:

I suppose you could make yourself the owner when you create it, then
after it is created, give it to someone else. But that is the long way
around. You could also write a scrip to do it with RT authority, but
that is a little like doing it twice when it shouldn’t be necessary.

Yep, but since I don’t have ownership rights in all queues, I would have
to create it in a queue in which I could own it, set myself as the owner
when I create it, then move the ticket to the other queue…quite a
round-about way to do it.

Are you sure you don’t have a set list of AdminCc’s for each queue? That
way you just grant the right “ModifyTicket” to the role “AdminCc” at the
queue level.

Nope, we don’t have any AdminCCs set at the queue level. Sometimes
staff here have an interest in a case and want to follow the comments on
it, so the ticket creator would add them when creating the ticket. We
only want ModifyTicket to be granted to the owner, so someone else
doesn’t accidentally close or move a ticket that’s not theirs (have to
steal it, then perform the action…a two-step process that should
prevent such errors, especially if someone starts clicking things they
don’t understand on the Bulk Update screen).

Nick,

I was just thinking that we are looking at the wrong cause. I have MANY
users that are allowed to create tickets in a queue and NOT allowed to
modify those tickets, yet, they are able to create a ticket with an
AdminCc with no problems. I’m wondering if, perhaps, we should look at
what rights have been granted to those users that are being listed as
the ticket’s AdminCc. Are they in a group we can look at? if not, we
have to look at each user.

Kenn
LBNLOn 12/3/2009 2:20 PM, Nick Kartsioukas wrote:

On Thu, 03 Dec 2009 14:10:32 -0800, “Ken Crocker” kfcrocker@lbl.gov
said:

I suppose you could make yourself the owner when you create it, then
after it is created, give it to someone else. But that is the long way
around. You could also write a scrip to do it with RT authority, but
that is a little like doing it twice when it shouldn’t be necessary.

Yep, but since I don’t have ownership rights in all queues, I would have
to create it in a queue in which I could own it, set myself as the owner
when I create it, then move the ticket to the other queue…quite a
round-about way to do it.

Are you sure you don’t have a set list of AdminCc’s for each queue? That
way you just grant the right “ModifyTicket” to the role “AdminCc” at the
queue level.

Nope, we don’t have any AdminCCs set at the queue level. Sometimes
staff here have an interest in a case and want to follow the comments on
it, so the ticket creator would add them when creating the ticket. We
only want ModifyTicket to be granted to the owner, so someone else
doesn’t accidentally close or move a ticket that’s not theirs (have to
steal it, then perform the action…a two-step process that should
prevent such errors, especially if someone starts clicking things they
don’t understand on the Bulk Update screen).

said:

I was just thinking that we are looking at the wrong cause. I have MANY
users that are allowed to create tickets in a queue and NOT allowed to
modify those tickets, yet, they are able to create a ticket with an
AdminCc with no problems. I’m wondering if, perhaps, we should look at
what rights have been granted to those users that are being listed as
the ticket’s AdminCc. Are they in a group we can look at? if not, we
have to look at each user.

All Privileged users have Watch and WatchAsAdminCC in the queue I’m
creating the ticket in, and the user I was attempting to set as AdminCC
is Privileged. Hmm.

Let me give the details of the permissions here…

I’m a Privileged user, in the Net Support group. I’m attempting to
create the ticket in the PC Support queue. User I’m attempting to set
as AdminCC is also in Net Support.

Privileged users have these permissions in the PC Support queue:
CreateTicket CommentOnTicket SeeQueue ShowOutgoingEmail ShowTicket
ShowTicketComments Watch WatchAsAdminCC

PC Support group members have these additional rights in the PC Support
queue:
AssignCustomFields OwnTicket StealTicket TakeTicket

Owner role also has the right ModifyTicket

Nick,

Is the person you are trying to set as AdminCc also in the PC Support group?
What rights are set for Privileged users in the Net Support group?

KennOn 12/3/2009 3:51 PM, Nick Kartsioukas wrote:

On Thu, 03 Dec 2009 15:37:18 -0800, “Ken Crocker” kfcrocker@lbl.gov
said:

I was just thinking that we are looking at the wrong cause. I have MANY
users that are allowed to create tickets in a queue and NOT allowed to
modify those tickets, yet, they are able to create a ticket with an
AdminCc with no problems. I’m wondering if, perhaps, we should look at
what rights have been granted to those users that are being listed as
the ticket’s AdminCc. Are they in a group we can look at? if not, we
have to look at each user.

All Privileged users have Watch and WatchAsAdminCC in the queue I’m
creating the ticket in, and the user I was attempting to set as AdminCC
is Privileged. Hmm.

Let me give the details of the permissions here…

I’m a Privileged user, in the Net Support group. I’m attempting to
create the ticket in the PC Support queue. User I’m attempting to set
as AdminCC is also in Net Support.

Privileged users have these permissions in the PC Support queue:
CreateTicket CommentOnTicket SeeQueue ShowOutgoingEmail ShowTicket
ShowTicketComments Watch WatchAsAdminCC

PC Support group members have these additional rights in the PC Support
queue:
AssignCustomFields OwnTicket StealTicket TakeTicket

Owner role also has the right ModifyTicket


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

said:

Is the person you are trying to set as AdminCc also in the PC Support
group?

No, they are a member of the Net Support group, but they do have Watch
and WatchAsAdminCC in the PC Support queue.

What rights are set for Privileged users in the Net Support group?

I’m not sure I understand…anyone I’ve told RT “Let this user be
granted rights to” is a Privileged user, correct? So telling RT to give
Watch and WatchAsAdminCC to Privileged users should apply to all who
have that box checked, regardless of the group they’re a member of.

Nick,

Suffer me this and try putting the person you want as AdminCc in the PC
Support group OR allow the Net Support group to have the same rights as
the PC Support group for that queue. Then try setting the AdminCc. My
reasoning is that if the role AdminCc has rights to a queue and you are
assigning the role AdminCc to a person that does not have the particular
rights as AdminCc in that queue, it will not accept the assignment. Just
try it and let me know.

Kenn
LBNLOn 12/3/2009 4:13 PM, Nick Kartsioukas wrote:

On Thu, 03 Dec 2009 15:58:47 -0800, “Ken Crocker” kfcrocker@lbl.gov
said:

Is the person you are trying to set as AdminCc also in the PC Support
group?

No, they are a member of the Net Support group, but they do have Watch
and WatchAsAdminCC in the PC Support queue.

What rights are set for Privileged users in the Net Support group?

I’m not sure I understand…anyone I’ve told RT “Let this user be
granted rights to” is a Privileged user, correct? So telling RT to give
Watch and WatchAsAdminCC to Privileged users should apply to all who
have that box checked, regardless of the group they’re a member of.


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Nick,

Also, try granting “ReplytoTicket” for all privileged either Globally or
in that queue.

Kenn
LBNLOn 12/3/2009 4:13 PM, Nick Kartsioukas wrote:

On Thu, 03 Dec 2009 15:58:47 -0800, “Ken Crocker” kfcrocker@lbl.gov
said:

Is the person you are trying to set as AdminCc also in the PC Support
group?

No, they are a member of the Net Support group, but they do have Watch
and WatchAsAdminCC in the PC Support queue.

What rights are set for Privileged users in the Net Support group?

I’m not sure I understand…anyone I’ve told RT “Let this user be
granted rights to” is a Privileged user, correct? So telling RT to give
Watch and WatchAsAdminCC to Privileged users should apply to all who
have that box checked, regardless of the group they’re a member of.


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

said:

Suffer me this and try putting the person you want as AdminCc in the PC
Support group OR allow the Net Support group to have the same rights as
the PC Support group for that queue. Then try setting the AdminCc. My
reasoning is that if the role AdminCc has rights to a queue and you are
assigning the role AdminCc to a person that does not have the particular
rights as AdminCc in that queue, it will not accept the assignment. Just
try it and let me know.

Added WatchAsAdminCC and ReplyToTicket explicitly for the user I’m
trying to set as the AdminCC in the PC queue, and it still won’t let me.

  • Ticket 540 created in queue ‘PC’
  • Couldn’t set AdminCc watcher: Permission Denied

(normally ReplyToTicket is granted only to the ticket owner)

I currently have permissions set on tickets such that only the ticket
owner has the ModifyTicket right. If I create a ticket, and on the
ticket creation screen set someone as AdminCC, and submit the ticket,
the ticket is successfully created but I get a permission denied error
on adding the AdminCC. I’m not sure if this is a bug or a feature…I
would think that a privileged user creating a ticket should be able to
set an AdminCC (for a manager or someone else who wishes to follow the
ticket details), but the order in which RT creates the ticket prevents
that from working (ticket created, then a separate transaction to add
the AdminCC). This problem does not exist when adding a normal CC on
ticket creation.
If I create the ticket with myself as the owner, it does allow me to set
AdminCC, but in our setup a privileged user (as a member of one
particular group) does not have ownership permissions in all the queues,
but we do have create ticket permissions in other queues.

Any ideas if there’s a way around this?

The code is rather explicit about this.
If you’re creating a ticket and try to add an AdminCc it either wants
your user to have ModifyTicket or for you to be adding yourself and
for you to have WatchAsAdminCc.

If you care to look in the code, see Ticket_Overlay.pm’s Create
method, the loop at 534 and then the contents of the AddWatcher
method.

-kevin

Kevin,

Yea. You’re right. I’ve never had to deal with this because we really do
not use AdminCc at the ticket level. We set up all our AdminCc’s at the
Queue watcher level and that way a simple scrip will take care of
notifications and we can handle all the privileges with the role at
queue level. In fact, I modified our ticket create screen to /remove/
the AdminCc box. We just don’t want to deal with it that way. Oh well.
Sorry Nick, that I couldn’t help you.

Kenn
LBNLOn 12/4/2009 9:29 AM, Kevin Falcone wrote:

On Thu, Dec 03, 2009 at 11:58:18AM -0800, Nick Kartsioukas wrote:

I currently have permissions set on tickets such that only the ticket
owner has the ModifyTicket right. If I create a ticket, and on the
ticket creation screen set someone as AdminCC, and submit the ticket,
the ticket is successfully created but I get a permission denied error
on adding the AdminCC. I’m not sure if this is a bug or a feature…I
would think that a privileged user creating a ticket should be able to
set an AdminCC (for a manager or someone else who wishes to follow the
ticket details), but the order in which RT creates the ticket prevents
that from working (ticket created, then a separate transaction to add
the AdminCC). This problem does not exist when adding a normal CC on
ticket creation.
If I create the ticket with myself as the owner, it does allow me to set
AdminCC, but in our setup a privileged user (as a member of one
particular group) does not have ownership permissions in all the queues,
but we do have create ticket permissions in other queues.

Any ideas if there’s a way around this?

The code is rather explicit about this.
If you’re creating a ticket and try to add an AdminCc it either wants
your user to have ModifyTicket or for you to be adding yourself and
for you to have WatchAsAdminCc.

If you care to look in the code, see Ticket_Overlay.pm’s Create
method, the loop at 534 and then the contents of the AddWatcher
method.

-kevin



http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com