Control

Jesse wrote:

  1. As I mentioned, Several departments use RT, and at the moment I have
    several seperate instances of RT installed. I’d much prefer to maintain
    one single database, and still be able to delegate user account control to
    the appropriate supervisors in the departments concerned, without them
    being able to mess with the other queue’s settings. Is this even remotely
    possible?

The access control system is pretty flexible, but I’d need to know waht you mean by ‘user account control’ before I could give you a reasonable answer.

Quick example:

I set up two queues, “A” and “B”. There are 2xN users, A1, A2… AN (and B
1…N).

There are also two managers, M-A and M-B.

Managers A and B are from completely seperate departments. Each of them
manage 20-40 staff, some of which are full time, with a considerable
turnover of casuals.

What I’d like for Manager A to be able to create users, but restrict
Manager A and their spawn to queue A, and preferably have them unaware of
queue B’s existence. Is it possible to grant ‘Create User’ access to an
account, but have it’s access restricted to a subset of the creator’s
priveliges.

I hope that’s clear. Ideas?

btw, thanks for the keywords explanation - I’ll have a play with my shiny
new test install.

T�o de Hesselle, | Diplomacy is about surviving until
Unix Systems Administrator | the next century. Politics is
| about surviving until Friday
University of Technology, Sydney | afternoon. – Yes, Minister

Well, you can grant createuser to both managers and then only grant
"AdminACL" to each manager for his respective queue. that should do
about what you want.

    -jOn Tue, Jul 03, 2001 at 10:22:38AM +1000, Teo de Hesselle wrote:

Jesse wrote:

  1. As I mentioned, Several departments use RT, and at the moment I have
    several seperate instances of RT installed. I’d much prefer to maintain
    one single database, and still be able to delegate user account control to
    the appropriate supervisors in the departments concerned, without them
    being able to mess with the other queue’s settings. Is this even remotely
    possible?

The access control system is pretty flexible, but I’d need to know waht you mean by ‘user account control’ before I could give you a reasonable answer.

Quick example:

I set up two queues, “A” and “B”. There are 2xN users, A1, A2… AN (and B
1…N).

There are also two managers, M-A and M-B.

Managers A and B are from completely seperate departments. Each of them
manage 20-40 staff, some of which are full time, with a considerable
turnover of casuals.

What I’d like for Manager A to be able to create users, but restrict
Manager A and their spawn to queue A, and preferably have them unaware of
queue B’s existence. Is it possible to grant ‘Create User’ access to an
account, but have it’s access restricted to a subset of the creator’s
priveliges.

I hope that’s clear. Ideas?

btw, thanks for the keywords explanation - I’ll have a play with my shiny
new test install.


Téo de Hesselle, | Diplomacy is about surviving until
Unix Systems Administrator | the next century. Politics is
| about surviving until Friday
University of Technology, Sydney | afternoon. – Yes, Minister

jesse reed vincent – root@eruditorum.orgjesse@fsck.com
70EBAC90: 2A07 FC22 7DB4 42C1 9D71 0108 41A3 3FB3 70EB AC90

And I’m told we do share some common rituals. Our “flame war” is apparently
held in person in their land and called “project meeting”.
-Alan Cox [on “Suits”]

Jesse wrote:

Well, you can grant createuser to both managers and then only grant
"AdminACL" to each manager for his respective queue. that should do
about what you want.

Yipee!

Sincerely, Thank you.

T�o de Hesselle, | Diplomacy is about surviving until
Unix Systems Administrator | the next century. Politics is
| about surviving until Friday
University of Technology, Sydney | afternoon. – Yes, Minister

Jesse wrote:

Well, you can grant createuser to both managers and then only grant
"AdminACL" to each manager for his respective queue. that should do
about what you want.

Yes, this should work well. Since there’s only ‘AdminUsers’, I’ve just
handed over control of the entire RT database by doing this - there is now
nothing stopping manager-A from hijacking manager-B or root’s account by
simply changing the password.

Fortunately the managers are neither brave nor 31337 enough to try it.

Perhaps a future version would at least stop them from manipulating any
"Super-User" accounts? Or even allow account manipulation in the same
group only?

T�o de Hesselle, | Diplomacy is about surviving until
Unix Systems Administrator | the next century. Politics is
| about surviving until Friday
University of Technology, Sydney | afternoon. – Yes, Minister

That gets into rather more intense user managment scenarios than I really
want to deal with get into dealing with. I’m not really sure how to
deal with granting a user the ability to munge any aspect of a set of users’
accounts with zero access to another set of users without a MAJOR redesign
of the ACL system. :confused:

    -jOn Tue, Jul 03, 2001 at 03:48:54PM +1000, Teo de Hesselle wrote:

Jesse wrote:

Well, you can grant createuser to both managers and then only grant
"AdminACL" to each manager for his respective queue. that should do
about what you want.

Yes, this should work well. Since there’s only ‘AdminUsers’, I’ve just
handed over control of the entire RT database by doing this - there is now
nothing stopping manager-A from hijacking manager-B or root’s account by
simply changing the password.

Fortunately the managers are neither brave nor 31337 enough to try it.

Perhaps a future version would at least stop them from manipulating any
"Super-User" accounts? Or even allow account manipulation in the same
group only?


Téo de Hesselle, | Diplomacy is about surviving until
Unix Systems Administrator | the next century. Politics is
| about surviving until Friday
University of Technology, Sydney | afternoon. – Yes, Minister

jesse reed vincent – root@eruditorum.orgjesse@fsck.com
70EBAC90: 2A07 FC22 7DB4 42C1 9D71 0108 41A3 3FB3 70EB AC90

…realized that the entire structure of the net could be changed to be made
more efficient, elegant, and spontaneously make more money for everyone
involved. It’s a marvelously simple diagram, but this form doesn’t have a way
for me to draw it. It’ll wait. -Adam Hirsch