"Modify Ticket" permissions too broad?

I’m finding the “modify ticket” permission setting is too broad for some
situations. Here’s my issue…

Let’s say I have two queues, A, and B. I have a group associated with
each queue as the “responsible” group (as in this group will handle
tickets in each queue, so they can own tickets, close them, etc).
However, sometimes someone from group A may need to create a ticket in
queue B that relates to a project they’re working on, and they’ll want
to link a ticket they own to that other ticket as a dependency.

Ticket 1 in queue A owned by Adam (member of queue A group). Adam needs
Bob in queue B to complete a task for him, this task must get done for
ticket 1 to continue. So Adam creates ticket 2 in queue B, and wants to
make it a dependency of ticket 1. However, in order to link the
tickets, Adam needs “modify ticket” permissions in queue B, but we don’t
want Adam to be able to resolve/delete tickets in queue B, or reply to
tickets in queue B on which he isn’t the requester. I don’t want to
give requester the ModifyTicket right, as then unprivileged end
users/customers would be able to close their own tickets, which we don’t
want.

As far as I can tell, there’s no way to do this. Is that correct, or am
I missing something?

Permissions are set like this:
Queue A:
Owner has ModifyTicket, ReplyToTicket
Requester has ReplyToTicket, ShowTicket
Group A has AssignCustomFields, CommentOnTicket, CreateTicket,
OwnTicket, SeeQueue, ShowOutgoingEmail, ShowTicket, ShowTicketComments,
StealTicket, TakeTicket, Watch, WatchAsAdminCc
Group B has CreateTicket, SeeQueue, ShowTicket, ShowTicketComments

Queue B is the same, the permissions for groups A and B are just
swapped.

On Tue, 30 Jun 2009 14:42:34 -0400, "Jerrad Pierce"
jpierce@cambridgeenergyalliance.org said:

Can’t you assign the permission by role in Group Rights?
I.e; Requestor can modify ticket?

Not unless there’s a way to nest privileges that I’m missing (such as
Requestor who is a member of Group A), otherwise our customers will have
ModifyTicket on any tickets they create, which is not what we want.

Oh geeze, how did I miss the StrictLinkACL setting in RT_Config before
:confused: Sorry folks! That defaults to 1, setting it to 0 should take care
of this issue for me.

Can’t you assign the permission by role in Group Rights?
I.e; Requestor can modify ticket?

Cambridge Energy Alliance: Save money. Save the planet.

Checkout StrictLinkACL in the config.On Tue, Jun 30, 2009 at 10:38 PM, Nick Kartsioukaschange+lists.rt@nightwind.net wrote:

I’m finding the “modify ticket” permission setting is too broad for some
situations. Here’s my issue…

Let’s say I have two queues, A, and B. I have a group associated with
each queue as the “responsible” group (as in this group will handle
tickets in each queue, so they can own tickets, close them, etc).
However, sometimes someone from group A may need to create a ticket in
queue B that relates to a project they’re working on, and they’ll want
to link a ticket they own to that other ticket as a dependency.

Ticket 1 in queue A owned by Adam (member of queue A group). Adam needs
Bob in queue B to complete a task for him, this task must get done for
ticket 1 to continue. So Adam creates ticket 2 in queue B, and wants to
make it a dependency of ticket 1. However, in order to link the
tickets, Adam needs “modify ticket” permissions in queue B, but we don’t
want Adam to be able to resolve/delete tickets in queue B, or reply to
tickets in queue B on which he isn’t the requester. I don’t want to
give requester the ModifyTicket right, as then unprivileged end
users/customers would be able to close their own tickets, which we don’t
want.

As far as I can tell, there’s no way to do this. Is that correct, or am
I missing something?

Permissions are set like this:
Queue A:
Owner has ModifyTicket, ReplyToTicket
Requester has ReplyToTicket, ShowTicket
Group A has AssignCustomFields, CommentOnTicket, CreateTicket,
OwnTicket, SeeQueue, ShowOutgoingEmail, ShowTicket, ShowTicketComments,
StealTicket, TakeTicket, Watch, WatchAsAdminCc
Group B has CreateTicket, SeeQueue, ShowTicket, ShowTicketComments

Queue B is the same, the permissions for groups A and B are just
swapped.


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Best regards, Ruslan.