AdminCcs can reply even without ReplyToTicket right?

(RT 3.6.0)

Do AdminCC users automatically get the ability to correspond with the
Requestor, even when the ReplyToTicket right is de-selected for the
role? If so, why is it selectable at all?

I’m trying to restrict things such that only Owners or members of a
specific privileged group can reply directly to customers; we generally
use the AdminCC role as an escalation mechanism with engineering, and
our developers have asked us to make sure that they can’t accidentally
reply to customers instead of commenting on the ticket. I removed
ReplyToTicket rights for everyone except Owners, Ccs, Requestors, and
our user-defined CSE group, but after some testing it looks like non-CSE
staff members can still correspond with the Requestor through RT. (I also
checked using Todd’s excellent RightsMatrix tool, and as far as I can
tell nobody has ReplyToTicket who shouldn’t.)

Am I missing something obvious?

/Ole Craig
Security Engineer
Team lead, customer support

ocraig@stillsecure.com
303-381-3802 main support line
303-381-3824 my voicemail
303-381-3880 fax

www.stillsecure.com

> (RT 3.6.0)
>
> Do AdminCC users automatically get the ability to correspond with the
> Requestor, even when the ReplyToTicket right is de-selected for the
> role? If so, why is it selectable at all?

No, they don’t get it unless they have this right via other roles or
directly via group membership. I don’t remember any bug fix that can
be close to the problem you’re describing, but 3.6.0 was released
on Jun 15 2006. It’s very, very old.


Best regards, Ruslan.

Ole Craig,

Not that I know of. Of course, if the person that is the AdminCc is
also the owner or requestor or in a group that has the “Reply…” right
then yes, they can. You have to check on the redundancies for that
person in any group or role with rights to the queue or global rights.

Kenn
LBNL

>> (RT 3.6.0)
>>
>> Do AdminCC users automatically get the ability to correspond with the
>> Requestor, even when the ReplyToTicket right is de-selected for the
>> role? If so, why is it selectable at all?
>
> No, they don’t get it unless they have this right via other roles or
> directly via group membership. I don’t remember any bug fix that can
> be close to the problem you’re describing, but 3.6.0 was released
> on Jun 15 2006. It’s very, very old.

Yup. It’s been in production since then, and I’ve been busy building a
support team and haven’t had time to upgrade. I have a window scheduled
for early March.

Glad to hear that the right does control; obviously I’ve missed an
inheritance somewhere. I’ll go looking, thanks.

/Ole Craig

My RightsMatrix RT extension will tell you exactly how an individual got a
right.

http://search.cpan.org/author/HTCHAPMAN/RTx-RightsMatrix-0.03.00/lib/RTx/RightsMatrix.pm
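
Added example, not part of the original thread and not RT or RightsMatrix code: a simplified Python model of the audit described in the replies above, listing every path (direct or nested group, ticket role, queue-level or global grant) by which a user holds ReplyToTicket. The user names, the Support queue, the Engineering and Staff groups and the global Staff grant are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    right: str
    principal: str   # group name or ticket role name
    kind: str        # "group" or "role"
    scope: str       # "global" or a queue name

def group_closure(user, members):
    """Every group the user is in, following nested group membership."""
    found, frontier = set(), {user}
    while frontier:
        frontier = {g for g, ms in members.items() if ms & frontier} - found
        found |= frontier
    return found

def explain_right(user, right, queue, ticket_roles, grants, members):
    """Return every path by which `user` holds `right` on a ticket in `queue`."""
    groups = group_closure(user, members)
    identities = groups | {user}
    # A role is held if the user, or any group the user is in, is listed in it.
    held_roles = {r for r, who in ticket_roles.items() if who & identities}
    paths = []
    for g in grants:
        if g.right != right or g.scope not in ("global", queue):
            continue
        if g.kind == "group" and g.principal in groups:
            paths.append(f"group {g.principal} ({g.scope})")
        elif g.kind == "role" and g.principal in held_roles:
            paths.append(f"role {g.principal} ({g.scope})")
    return sorted(paths)

# Constructed sample data: the intended grants from the thread, plus a
# forgotten global grant to a hypothetical "Staff" group that nests Engineering.
MEMBERS = {"CSE": {"cse1"}, "Engineering": {"dev1", "dev2"}, "Staff": {"Engineering"}}
GRANTS = [
    Grant("ReplyToTicket", "Owner", "role", "Support"),
    Grant("ReplyToTicket", "Cc", "role", "Support"),
    Grant("ReplyToTicket", "Requestor", "role", "Support"),
    Grant("ReplyToTicket", "CSE", "group", "Support"),
    Grant("ReplyToTicket", "Staff", "group", "global"),
    Grant("CommentOnTicket", "AdminCc", "role", "Support"),
]
TICKET_ROLES = {"Requestor": {"customer"}, "Owner": {"cse1"},
                "AdminCc": {"dev1", "dev2"}, "Cc": {"dev2"}}

if __name__ == "__main__":
    for u in ("dev1", "dev2", "cse1"):
        print(u, explain_right(u, "ReplyToTicket", "Support", TICKET_ROLES, GRANTS, MEMBERS))
```

An empty list for an AdminCc is the goal state; any remaining entry names the grant or role assignment to remove.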


The rt-users Archives
