How to get user rights more granular?

Dear community,

I have the following problem: rt5 gets its users imported from an LDAP server. After authentication the user only sees the very reduced self-service page (with only the tickets the user opened himself).
When the admin gives the user granted rights (Privileged) the user has a dashboard with tickets and queues, but has also the admin button. What we want is that users of a certain LDAp group see all open tickets of his/her queue (e.g. done by a ticket search), but no admin button.

Under Global → Group Rights I can set the corresponding rights for the LDAP groups the user is in. There are three categories, General, Staff and Administrators. As far as
I understand I can assign the groups to a queue under Queues → Group rights → , but it does not serve.

According to the docu GDPR - RT 5.0.2 Documentation - Best Practical

Privileged users in RT are typically the staff of an organization

but there seems no possibility to get users into the “Staff” group without being admin the same time.

Any idea how to realize that?

Thanks in advance

Did you grant these users this right:

Show Admin menu ShowConfigTab

You can revoke that and they then shouldn’t be able to see the admin menu

You can look at one of your users in the Admin->Tools->Rights inspector page to see how they’re being granted the rights you don’t want them to have

I never saw a “ShowConfigTab” option within the right for users or groups. It seems that the user automatically becomes admin as soon as he is added to the priviledged users.
Nevertheless there was the right in the Rights Inspector for Everybody (don’t know where it came from).
I revoked it now, but it doesn’t seem to change anything, the user has still the Admin button.

Meanwhile I started the installation from the very beginning. Now, privileged users can only see the extended dashboards, not the admin view. That’s what we want. Thanks for the hint.

Now we get another problem. I must click on every user who has to get privileged/staff rights. I don’t see a possibility to privilege a whole ldap group. As we have about 60 people to become privileged, that generates a lot of manual effort. (How) can I give privileged rights to a whole group?

Admin->Global->Group rights allows you to grant globally to groups

In the global group rights there are tabs for Global, Staff and Administrators. But the tab for staff only works for users who are privileged. For enabling privileged I mut go to the admin-> users menu and klick on every single user. I don’t see an option “privileged” in any group menu.