ExecuteCode by Queue AdminCc groups on RT::System

RT Users
1

Hello,

My production system contains a few ACL’s that do not dump correctly
using rt-dump-metadata. They end up multiple times in our dump as:

  {
     "Right" : "ExecuteCode",
     "GroupDomain" : "RT::System-Role",
     "GroupType" : "AdminCc"
  },

(In JSON for readability)

These are in reality applied to the AdminCC group principal of queues.

What is the bug here?

Is it that I should be able to see such a right in the Global rights
page, or should the right not have been granted since the upgrade step
(3.9.1 iirc)?
(It is a bit of a weird delegation of rights, but a few of our AdminCc
groups have indeed the right to edit templates).

Thanks,
Kai

signature.asc (906 Bytes)

2

My production system contains a few ACL’s that do not dump correctly
using rt-dump-metadata. They end up multiple times in our dump as:

  {
     "Right" : "ExecuteCode",
     "GroupDomain" : "RT::System-Role",
     "GroupType" : "AdminCc"
  },

(In JSON for readability)

These are in reality applied to the AdminCC group principal of queues.

What is the bug here?

Is it that I should be able to see such a right in the Global rights
page, or should the right not have been granted since the upgrade step
(3.9.1 iirc)?
(It is a bit of a weird delegation of rights, but a few of our AdminCc
groups have indeed the right to edit templates).

Looking briefly in the ACL dumping code, it says this:

elsif ( /^RT::Group$/ ) {
    # No support for RT::Group ACLs in RT::Handle yet.
    next OBJECT;
}

which implies to me that it has no idea how to handle your rights.

-kevin