Article Permissions Issue

Hey everyone. I’m a newcomer to the world of RT admin and am running into an issue trying to set up permissions for access to articles. (Version 4.4.1 with IR)

I have created a privileged user and in the global permissions tab have only given the user rights to “Show Articles Menu” and “See Articles in this Class”. Everything else has been left unchecked. The problem is that just having access to the menu seems to allow the user full access to create, modify, and delete articles. The user is a member of a custom user group where only view options have been selected in the permissions, but none are related to Articles. No global group permissions have been set at this time. Has anyone else run into something like this?

I have also run into a new issue where any account I add to RT has the ability to see any queue I have created. So far I have added all of my users to 1 group and given that group view/working rights over all of the various queues. When I add a new test user under a new group with no view permissions, they can still see, create, and manipulate tickets in any queue. Are the permissions just bugged in 4.4.1 or something? This system isn’t going to be very useful if anyone can basically do anything…

You probably have given the group EVERYONE such permissions. Or maybe the group PRIVILEGED has it. When you create an account, it is automatically added to such groups. Double check what groups the account has after creation. Then check each such group for the privilege you are trying to remove.

/jeff
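The check suggested in the reply above, as an added example that is not part of the thread and is not RT's own code: a simplified model in which every account implicitly belongs to Everyone and to Privileged or Unprivileged, and a global grant applies in every queue. The Helpdesk group, the user names and all ACL rows are constructed for illustration.

```python
from collections import namedtuple

# One ACL row: who holds the right, which right, and where it applies.
# scope is "global" or a queue name. All rows below are constructed.
Grant = namedtuple("Grant", "principal right scope")

ACL = [
    Grant("Everyone", "CreateTicket", "global"),
    Grant("Everyone", "CommentOnTicket", "global"),
    Grant("Helpdesk", "SeeQueue", "Incident Reports"),
    Grant("Helpdesk", "ShowTicket", "Incident Reports"),
    Grant("Helpdesk", "ModifyTicket", "Incident Reports"),
]
MEMBERSHIPS = {"alice": {"Helpdesk"}, "testuser": set()}  # explicit groups only
PRIVILEGED = {"alice", "testuser"}


def effective_groups(user):
    """Explicit groups plus the system groups an account joins on creation."""
    groups = set(MEMBERSHIPS.get(user, ()))
    groups.add("Everyone")
    groups.add("Privileged" if user in PRIVILEGED else "Unprivileged")
    return groups


def explain_right(user, right, queue):
    """Return every ACL row that gives `user` the `right` in `queue`."""
    principals = effective_groups(user) | {user}
    return [g for g in ACL
            if g.right == right
            and g.principal in principals
            and g.scope in ("global", queue)]


def audit(user, queue):
    """Map each right the user holds in `queue` to the principals granting it."""
    report = {}
    for right in sorted({g.right for g in ACL}):
        sources = explain_right(user, right, queue)
        if sources:
            report[right] = sorted(f"{g.principal} ({g.scope})" for g in sources)
    return report


if __name__ == "__main__":
    for user in ("alice", "testuser"):
        print(user, audit(user, "Incident Reports"))
```

In this model a user with no explicit groups still holds whatever Everyone and Privileged hold globally, so the audit has to start from those groups rather than from the per-queue settings.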

As a test I created a new user again. I verified that upon creation the user is not assigned to any groups. The user does not show up in the global user permissions screen and there are no options for everyone or privileged in that tab. I also verified that in the global group permissions tab there are currently no groups configured. In global groups the only permissions I have assigned are “create tickets” and “comment on tickets” for the everyone group. Without these settings the incident reports don’t get generated when RT receives an email. I also do not have any custom roles configured either. For each of the queues I have created, I removed all permissions for every built-in group or role and only assigned perms to a custom group I manually added.

With this setup, the new user was not only able to see every queue I have created but could create, modify, reject, etc… I also noticed that even though the new user doesn’t have perms to articles or assets, and the menu items are hidden from view, they still have full access and rights to these features if they access them directly with the URL.