Hmm… not sure if I understand the security concern you raised.
The effect I am trying to achieve is this:
I have a queue called “Applicatoin Service Queue”. The AppServe group works with developers and QA and IT and Client Services w/ issues like production application patches and upgrades, data loading, stage/test/dev environments management, etc.
Communication in this queue is generally of interest to many people in different groups. So when a user creates a ticket in the AppServQueue, the capabilities I’d like to give to users are the following:
a. Requestor can perform CreateTicket and ReplyToTicket in AppServQueue
b. Requestor can specify any number of RT users in the CC Watcher list upon ticket creation.
c. RT Users in the CC Watcher list for that particular ticket can see the ticket and ReplyToTicket (but nothing else)
d. Requestor may choose to add/delete people from the CC Watch list as the ticket progresses (ie, during the course of back-and-forth replies on the ticket, Requestor realizes more or less people should be made aware of the issues discussed in the ticket; Requestor then makes permanent changes to the cc list so all subsequent replies on the ticket are visible to the new list of cc’s)
e. The users/group that managed the AppServQueue can to anything to the tickets in that queue.
This is how I set up the rights to achieve the above:
a. In Global rights, grant CreateTicket, SeeQueue to Privileged role (currently, all RT users are company staff; all RT users are allowed see his requests and create requests in any queues)
b. When a user creates a new ticket, he can specify any number of other RT user email addresses in cc; and that list of cc:'s seems to persist during the life of the ticket (in fact, the little comment in paren for the cc: field states that fact). This ability seems to part of CreateTicket.
c: In Global rights, grant ReplyToTicket and ShowTicket to the role CC ; btw, same rights are granted to Requestor (so he can reply to and see his own requests)
d: THIS IS THE PART I HAVEN’T FIGURED OUT HOW TO ACHIEVE.
e. I have a group (AppServGroup) that have been granted a bunch of rights on the queue, including ModifyTicket. This is the only group of users that can modify CC (via People) permanently for a given ticket currently (I think the capability is part of the ModifyTicket right).
The workaround right now is to have AppServGroup make permanent changes to People.
PeiFrom: Jesse Vincent [mailto:firstname.lastname@example.org]
Sent: Wed 12/8/2004 9:48 AM
To: Pei Ku
Subject: Re: [rt-users] Make CC list persistent
> Is there another right that allows a ticket requester to make
> persistent changes to the cc list when replying to a ticket?
The danger with that is that a malicious user could forge ticket
correspondence to get themself cced on potentially private tickets.
> Be sure to check out the RT wiki at http://wiki.bestpractical.com