I’m trying to set up RT and make it replace the redmine that we use up to now. Idea is to be able to streamline the way are support requests are coming to us. We’re quite small, and our move to RT aims at making our support better for our customers. Right now people use redmine, email the boss and call the boss on the phone.
We want to change that to either send email@support or connect to RT via the web. People dealing with support will added through RT via LDAP.
My idea of a workflow would the following :
New tickets come in either by email/web.
Person assigned for triage this week would assign the ticket to the best suited person to answer.
I’m now trying to figure out how to setup RT to deal with the above workflow. I think one queue is enough for our need for now. I now need to understand rights.
What do I need to give to the external LDAP based users ?
How do I make sure that client A doesn’t see client’s B ? that’s probably thru a group
How do I make user A and B from the same client see each others issues ( I guess a group).
I’ve been reading docs but none on how to setup rights depending on what one wants.
One approach that comes to mind uses groups like you said:
Create a group for each client company, then add the relevant users to each group
Create a custom role called “Client group” or something where you could either manually add the client group based on the requestor ( Person who created the support request ) or automate it using RT scrips
Grant rights to see ticket based on requestor and the “Client group” role. So that if a user created a ticket they can see and most likely reply on/to it. But also if a user is a member of the group assigned to the Client group custom role they can do the same
See the ExternalSettings docs. You would then assign all of them to a DutyTeam which gives full control on the Support queue.
Create a group per organization where you put all users from that org (e.g. “Client XXX”). Create a Custom Role (e.g. “View”), and grant through that role permission to view the tickets (you do not block them from viewing tickets, they simply are not granted permission to view them). Finally, use a scrip which automatically sets to that Role the group of the creator.
For example:
my $prefix ='Client';
my $role = RT::CustomRole->new( $RT::SystemUser );
$role->Load( 'View' );
return 0 if ! $role->id;
if( $self->TransactionObj->Type eq 'Create' && ( $self->TicketObj->QueueObj->Name eq 'Support' ) ) {
my $requestors = $ticket->Requestors->UserMembersObj;
while( my $r = $requestors->Next ) {
if( ! $r->Privileged ) {
my $groups = $r->OwnGroups;
while( my $group = $groups->Next ) {
my $customer = $group->Name;
if ( $customer =~ s/^($prefix) // ) {
$ticket->AddWatcher( Type => $role->GroupType, PrincipalId => $group->PrincipalId );
}
}
}
}
Ok is this doable in an automatic manner ? I want all the people in my ldap tree to have full control on the queues. How do I assign the fact that LDAP users are un group X, Y or Z ?
There may be a built in way to do it, but I also see you can do a subref for the attr_map values. Meaning you could have some code that takes the email or some other attribute loads the user and then adds them to a group