Handful of users showing up in owner dropdown but have no access

I’m misunderstanding something with this I’m sure…

I look at the list of owners for a queue, and there are 5 users that show
up in that list (that shouldn’t be there), but when I go to their account,
they aren’t part of any groups, and they don’t have any rights assigned to
them specifically that I can see (at the user level, or at any queue level).

It seems that I can deselect “Let this user access RT” (“Let this user be
granted rights (Privileged)” on them all are deselected already) and they
drop from the list, but these users need to submit tickets still. They
simply have moved in the organization to requestors only, not having access
to RT for anything else.

What am I missing?

RT 3.8.10.
Thanks in advance!
Mike.
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.johnson@nosm.ca

> I look at the list of owners for a queue, and there are 5 users that show up in
> that list (that shouldn’t be there), but when I go to their account, they aren’t
> part of any groups, and they don’t have any rights assigned to them
> specifically that I can see (at the user level, or at any queue level).

Generally this means some queue granted OwnTicket to Unprivileged,
check all your queues, even your disabled ones. Alternately, select *
from ACL where RightName = 'OwnTicket' and work the other way.

RT 4.2 explicitly excludes Unprivileged users from the OwnTicket
dropdown because of this somewhat common mistake.

-kevin

I did that query and it returned 26 rows.
All of the returned rows say the PrincipalType is Group, which I would
assume means the ‘OwnTicket’ right is not granted to a specific user
anywhere in RT.

I didn’t want to make that assumption, just in case it was incorrect, so I
took a look at the data schema for 3.8.10, which I believe is here:
http://bestpractical.com/rt/3.4-schema.png (note** My SQL skills are
extremely rusty… been working in a Unidata database for 13-14 yrs)

It looks like ACL.PrincipalId is a foreign key to Principals, and id is the
primary key for Principals and Users?

With that scenario, I ran a query linking them all together and attempting
to return user info for any of the 26 rows from the original query. No user
info is returned for any of them (query used below):

mysql> select p.id,p.PrincipalType,u.Name,u.EmailAddress,u.RealName
    -> from Principals p
    -> left join ACL a on a.PrincipalId = p.id
    -> left join Users u on u.id = p.id
    -> where a.RightName='OwnTicket';

Just for a wild attempt at getting what I was expecting based on Kevin’s
response (I wanted to see 5 users that had the ‘OwnTicket’ right) I tried
switching to ACL.id as a foreign key. It returned only 9 rows, only 2 of
which were users, but neither were the users that are showing up in the
Owner dropdown that shouldn’t be. I believe this was just chance, garbage
data, as I believe the first query showed the real results, but I was
fishing…

With this information I did some more investigating to understand the
symptom better. It looks like these users only show up in the owner
dropdown of Queues that existed prior to our upgrade from 3.2.1 -> 3.8.10.

Could there have been something missed in this upgrade?

Thanks!
Mike.

> I did that query and it returned 26 rows.
> All of the returned rows say the PrincipalType is Group, which I would assume
> means the ‘OwnTicket’ right is not granted to a specific user anywhere in RT.

Nope, every user in RT has a group for ACLs, it’s in fact called an
ACL Equivalence Group.

You should look at the Object* columns and also chase out to the
actual Principals for those PrincipalIds (you may need to get a group
and then get its member and then get the user for ACL Equivalence
Groups).

> With this information I did some more investigating to understand the symptom
> better. It looks like these users only show up in the owner dropdown of Queues
> that existed prior to our upgrade from 3.2.1 -> 3.8.10.

Most of those changes were related to Custom Fields, not Ownership,
however it’s possible you have some old configurations on a disabled
queue from your 3.2 days that has been forgotten.

-kevin
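
Added example (not part of the original thread): one way to do the chase described above in a single read-only query, joining each OwnTicket row in ACL to the object it applies to, the group that holds it, and, for ACL equivalence groups, the member user. The Groups, GroupMembers and Queues tables and their columns do not appear in the thread and are assumed from RT's 3.8-era schema.

```sql
-- Added example: resolve every OwnTicket grant to where it applies and who holds it.
-- Assumed (not shown in the thread): Groups(Name, Domain, Type),
-- GroupMembers(GroupId, MemberId), Queues(Name, Disabled),
-- and ObjectType values 'RT::Queue' / 'RT::System'.
SELECT a.id            AS acl_id,
       a.ObjectType,                      -- the Object* columns: what the grant is on
       a.ObjectId,
       q.Name          AS queue_name,
       q.Disabled      AS queue_disabled, -- disabled queues still carry their grants
       a.PrincipalType,
       g.Domain        AS group_domain,   -- e.g. SystemInternal, UserDefined, ACLEquivalence
       g.Type          AS group_type,     -- e.g. Unprivileged for the system group
       g.Name          AS group_name,
       u.Name          AS equiv_user,     -- filled only for ACL equivalence groups
       u.EmailAddress  AS equiv_email
FROM ACL a
-- Backticks: GROUPS is a reserved word in newer MySQL releases.
LEFT JOIN `Groups` g      ON g.id = a.PrincipalId
LEFT JOIN Queues q        ON a.ObjectType = 'RT::Queue' AND q.id = a.ObjectId
-- group -> its member -> the user, only for per-user ACL equivalence groups
LEFT JOIN GroupMembers gm ON g.Domain = 'ACLEquivalence' AND gm.GroupId = g.id
LEFT JOIN Users u         ON u.id = gm.MemberId
WHERE a.RightName = 'OwnTicket'
-- System-wide groups first: these are the grants that reach Unprivileged users.
ORDER BY (g.Domain = 'SystemInternal') DESC, a.ObjectType, a.ObjectId;
```

A row with group_domain SystemInternal and group_type Unprivileged is the kind of grant the reply above points to; queue_name and queue_disabled show which queue carries it, including disabled ones.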