I did that query and it returned 26 rows.
All of the returned rows say the PrincipalType is Group, which I would
assume means the ‘OwnTicket’ right is not granted to a specific user
anywhere in RT.
I didn’t want to make that assumption, just in case it was incorrect, so I
took a look at the data schema for 3.8.10, which I believe is here:
http://bestpractical.com/rt/3.4-schema.png (note** My SQL skills are
extremely rusty… been working in a Unidata database for 13-14 yrs)
It looks like ACL.PrincipalId is a foreign key to Principals, and id is the
primary key for Principals and Users?
With that scenario, I ran a query linking them all together and attempting
to return user info for any of the 26 rows from the original query. No user
info is returned for any of them (query used below)
mysql> select p.id,p.PrincipalType,u.Name,u.EmailAddress,u.RealName
    -> from Principals p
    -> left join ACL a on a.PrincipalId = p.id
    -> left join Users u on u.id = p.id
    -> where a.RightName='OwnTicket';
Just for a wild attempt at getting what I was expecting based on Kevin’s
response (I wanted to see 5 users that had the ‘OwnTicket’ right) I tried
switching to ACL.id as a foreign key. It returned only 9 rows, only 2 of
which were users, but neither were the users that are showing up in the
Owner dropdown that shouldn’t be. I believe this was just chance, garbage
data, as I believe the first query showed the real results, but I was
fishing…
With this information I did some more investigating to understand the
symptom better. It looks like these users only show up in the owner
dropdown of Queues that existed prior to our upgrade from 3.2.1 → 3.8.10.
Could there have been something missed in this upgrade?
Thanks!
Mike.

On Tue, Oct 14, 2014 at 12:56 PM, Kevin Falcone falcone@bestpractical.com wrote:
On Fri, Oct 10, 2014 at 01:47:59PM -0400, Mike Johnson wrote:
I look at the list of owners for a queue, and there are 5 users that
show up in that list (that shouldn’t be there), but when I go to their
account, they aren’t part of any groups, and they don’t have any rights
assigned to them specifically that I can see (at the user level, or at
any queue level).
Generally this means some queue granted OwnTicket to Unprivileged,
check all your queues, even your disabled ones. Alternately, select *
from ACL where RightName = 'OwnTicket' and work the other way.
RT 4.2 explicitly excludes Unprivileged users from the OwnTicket
dropdown because of this somewhat common mistake.
-kevin
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.johnson@nosm.ca
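
The audit suggested in the thread (start from the ACL rows for OwnTicket and resolve each Group principal to the group and queue it refers to, disabled queues included), as an added example that is not part of the original messages. The table and column names (Groups.Domain, Groups.Type, Queues.Disabled, ACL.ObjectType, ACL.ObjectId) are assumed from the RT 3.8 schema, and all rows are constructed sample data in an in-memory SQLite database.

```python
import sqlite3

# Constructed miniature of the RT tables involved; column names are assumed
# from the RT 3.8 schema and should be checked against the real database.
SCHEMA = """
CREATE TABLE Principals (id INTEGER PRIMARY KEY, PrincipalType TEXT);
CREATE TABLE Groups (id INTEGER PRIMARY KEY, Name TEXT, Domain TEXT, Type TEXT);
CREATE TABLE Queues (id INTEGER PRIMARY KEY, Name TEXT, Disabled INTEGER);
CREATE TABLE ACL (id INTEGER PRIMARY KEY, PrincipalType TEXT, PrincipalId INTEGER,
                  RightName TEXT, ObjectType TEXT, ObjectId INTEGER);
"""
# Constructed sample rows: one ordinary group grant, one grant to the
# Unprivileged system group on a disabled queue, one global grant.
ROWS = """
INSERT INTO Principals VALUES (3,'Group'),(4,'Group'),(40,'Group');
INSERT INTO Groups VALUES (3,'','SystemInternal','Privileged'),
                          (4,'','SystemInternal','Unprivileged'),
                          (40,'Helpdesk','UserDefined','');
INSERT INTO Queues VALUES (1,'General',0),(2,'OldQueue',1);
INSERT INTO ACL VALUES (100,'Group',40,'OwnTicket','RT::Queue',1),
                       (101,'Group',4,'OwnTicket','RT::Queue',2),
                       (102,'Group',3,'OwnTicket','RT::System',1);
"""
# Drive the query from ACL so every grant appears even if a join finds nothing.
AUDIT = """
SELECT a.id, g.Domain, g.Type, g.Name, a.ObjectType, q.Name, q.Disabled
FROM ACL a
JOIN Principals p ON p.id = a.PrincipalId
LEFT JOIN Groups g ON g.id = p.id
LEFT JOIN Queues q ON a.ObjectType = 'RT::Queue' AND q.id = a.ObjectId
WHERE a.RightName = 'OwnTicket'
ORDER BY a.id
"""

def audit_ownticket(conn):
    """Return (acl_id, holder, scope, risky) for every OwnTicket grant."""
    findings = []
    for acl_id, domain, gtype, gname, otype, qname, disabled in conn.execute(AUDIT):
        holder = f"{domain}/{gtype or gname}"
        scope = "global" if otype == "RT::System" else f"queue {qname}" + (" (disabled)" if disabled else "")
        # Grants to Unprivileged or Everyone reach users with no explicit rights.
        risky = domain == "SystemInternal" and gtype in ("Unprivileged", "Everyone")
        findings.append((acl_id, holder, scope, risky))
    return findings

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + ROWS)
    return audit_ownticket(conn)
```

The AUDIT statement uses only plain joins, so the same query text can be run in the mysql client against the RT database.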