We don’t like to give out permissions very generously and since we have so
many Queues, we let the Managers of a Queue decide what access they want
others to have. Consequently, we give a few basic rights out Globally, but
save the heavy stuff on a Queue by Queue basis. This is what we grant:
System/Privileged: AdminOwnPersonalGroups, CreateOwnDashboard,
CreateSavedSearch, DeleteOwnDashboard, EditSavedSearch, ForwardMessage,
LoadSavedSearch, ModifyOwnDashboard, ModifySelf, SeeDashboard,
SeeOwnDashboard, ShowSavedSearches, SubscribeDashboard - we feel these
rights to be basic to all of our privileged users. They should be able to
see any system dashboards, certainly their own and also any Searches. Since
the ability to save a Search for a group is based on that group’s membership,
that part basically takes care of itself.
Roles/Owner: ModifyTicket - we don’t let anyone but an owner modify Ticket
metadata. CF’s and Comments and email are a Queue by Queue thing.
Roles/AdminCc: AdminGroupMembership, AdminUsers, AssignCustomField,
ModifyOwnMembership, SeeCustomField, SeeGroup, ShowConfigTab, ShowScrips,
ShowTemplate, WatchAsAdminCc - We use the AdminCc role as the Queue
Manager, therefore we give them certain rights we don’t give to others.
Roles/Cc: ReplyToTicket, SeeQueue, ShowTicket, Watch - If you are
designated as a Queue watcher, then you should at least have these rights,
since they all interest you. We let the Queue manager grant other rights at
the Queue level.
Roles/Requestor: ReplyToTicket, SeeQueue, ShowTicket, Watch - If you made
the request, you should at least have these rights. We let the Queue manager
grant other rights at the Queue level.
Basic Rights granted at the Queue level:
System/Privileged: CreateTicket - for some Queues. These are usually
Queues that support all the other Queues and therefore could get tickets
from almost any group. For Queues with specific users, this right is granted
only to those groups.
Roles/Owner: nada - Already has the ModifyTicket right because of Global
rights. Since the owner is already a member of some support group, all the
other rights they get from being a member of that group.
Roles/AdminCc: DeleteTicket, ModifyACL, ModifyQueueWatchers, ModifyTicket,
ShowACL, StealTicket. Since this person IS the boss for this Queue, this
person has control over who gets what tickets, who can see the Queue and
certain rights, etc.
Roles/Cc: CommentOnTicket, ShowOutgoingEmail, ShowTicketComments - in
case the Queue Manager is allowing Cc Watchers to see and make comments and
see any email.
Roles/Requestor: nada - this person has all the rights they’re gonna get
Globally. For us, we see Requestors as Customers so we don’t want them to
have much control. Seeing their ticket and correspondence is about it.
User-Defined Groups: usually there are at least two groups for each Queue,
sometimes a couple more if they have some interest;
The User group, which basically makes a request for work. So they get to
see the Queue and create tickets, etc. Maybe (like for QA work) modify a
The SupportGroup: these are the support team that have these rights:
CommentOnTicket, CreateTicket, OwnTicket, ReplyToTicket, SeeQueue,
ShowOutgoingEmail, ShowTicket, ShowTicketComments, TakeTicket, and Watch.
Sometimes a Queue manager will let them StealTicket as well.
Also, we set up our RT_SiteConfig.pm file to turn off StrictACL, which gives
Ticket Owners and AdminCcs (the only ones who can ModifyTicket) the right to
set up links to tickets in other Queues.
Anyway, that’s the way we do it. I’m sure your situation is different. Hope
LBNL

On Fri, Apr 23, 2010 at 9:14 AM, Chris Hall email@example.com wrote:
thanks for the speedy reply.
That’s actually how I have it set now, and it works, but like I said, at
the top it gives a faulty “permission denied”.
This is set on the Corp. Support queue for permissions for the "Helpdesk"
queue, and the error above occurs when someone in the helpdesk group moves a
ticket to the Corp. Support queue. Is there something somewhere else I need
to set? When root moves a ticket, no permission denied errors are

On Fri, Apr 23, 2010 at 12:10 PM, Jerrad Pierce <firstname.lastname@example.org> wrote:
On Fri, Apr 23, 2010 at 12:06, Chris Hall email@example.com wrote:
I’m very new to RT, and after shifting around permissions on groups and
queues for a few hours, I’m ready to ask for some help… btw,
seems very widespread and unfocused, unless I’m looking in the wrong
Read the book. It’s the best place to get a grasp of the fundamentals.
The wiki, POD and list archives tend to be for more esoteric issues
Basically, let’s say I have 2 groups w/ a queue each… Helpdesk with a
"Helpdesk queue" and Corp. Support with a “Corp. Support” queue. I
want them to see each other’s queues. However, I would like them to be
to forward tickets on to the other’s queues. What permissions would I
to set up to make this happen? I’ve got it most of the way, to where it
actually works, but when I forward a ticket, at the top in the yellow
bar it says permission was denied… though the ticket still seems to
SeeQueue but not ShowTicket.
Although forward is not really the correct term here, one moves tickets
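
The layered scheme described in the first message of this thread, modelled as an added example (not part of the original posts and not RT's own code). It treats rights as purely additive; the group names and the choice of which rights count as "sensitive" are assumptions made for the illustration.

```python
# Added example: a simplified, additive model of the grants listed in the post.
WATCHER = {"ReplyToTicket", "SeeQueue", "ShowTicket", "Watch"}
GLOBAL = {  # principal (role or system group) -> rights granted globally
    "Privileged": {"AdminOwnPersonalGroups", "CreateOwnDashboard", "CreateSavedSearch",
                   "DeleteOwnDashboard", "EditSavedSearch", "ForwardMessage",
                   "LoadSavedSearch", "ModifyOwnDashboard", "ModifySelf", "SeeDashboard",
                   "SeeOwnDashboard", "ShowSavedSearches", "SubscribeDashboard"},
    "Owner": {"ModifyTicket"},
    "AdminCc": {"AdminGroupMembership", "AdminUsers", "AssignCustomField",
                "ModifyOwnMembership", "SeeCustomField", "SeeGroup", "ShowConfigTab",
                "ShowScrips", "ShowTemplate", "WatchAsAdminCc"},
    "Cc": set(WATCHER),
    "Requestor": set(WATCHER),
}
SUPPORT = {"CommentOnTicket", "CreateTicket", "OwnTicket", "ReplyToTicket", "SeeQueue",
           "ShowOutgoingEmail", "ShowTicket", "ShowTicketComments", "TakeTicket", "Watch"}
# Assumption: rights this audit reserves for the queue manager (AdminCc) role.
SENSITIVE = {"DeleteTicket", "ModifyACL", "ModifyQueueWatchers", "ShowACL", "StealTicket"}

def queue_grants(user_group, support_group, support_may_steal=False):
    """Queue-level grants for one queue, following the template in the post."""
    grants = {
        "AdminCc": {"DeleteTicket", "ModifyACL", "ModifyQueueWatchers",
                    "ModifyTicket", "ShowACL", "StealTicket"},
        "Cc": {"CommentOnTicket", "ShowOutgoingEmail", "ShowTicketComments"},
        user_group: {"SeeQueue", "CreateTicket"},
        support_group: set(SUPPORT),
    }
    if support_may_steal:  # the per-queue exception a manager may allow
        grants[support_group].add("StealTicket")
    return grants

def effective_rights(principals, queue):
    """Union of global and queue-level grants over every principal a user holds."""
    rights = set()
    for p in principals:
        rights |= GLOBAL.get(p, set()) | queue.get(p, set())
    return rights

def who_can(right, queue):
    """Principals whose own grants include `right` on this queue."""
    names = set(GLOBAL) | set(queue)
    return sorted(n for n in names if right in effective_rights([n], queue))

def audit(queue, allowed=("AdminCc",)):
    """Sensitive rights held by any principal outside `allowed`."""
    names = (set(GLOBAL) | set(queue)) - set(allowed)
    return {n: sorted(effective_rights([n], queue) & SENSITIVE)
            for n in sorted(names) if effective_rights([n], queue) & SENSITIVE}
```

Running `audit()` over each queue's grants surfaces the per-queue exceptions managers have made, which is where a delegated scheme like this one drifts over time.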