Hi,
I have users who can modify tickets in a queue that I didn’t expect.
All those users are are assigned to just one group with these permissions on the queue:
CommentOnTicket
OwnTicket
SeeQueue
ShowTicket
ShowTicketComments
The only other thing that applies to them is the Everybody group with ReplyTicket. Privileged has no added rights.
Is ModifyTicket implied by OwnTicket? I’ve seen comments that imply that it isn’t.
Christopher
(RT 3.6.1)
Christopher,
What rights have you given the role "owner" both globally and for that
queue? CommentOnTicket allows modification ONLY to the comments part of
a ticket, not the status or dates, etc. Do you have RightsMatrix? That
will help a great deal in finding out “who” can do “what” and “where”
and thru what rights. You could have inadvertently granted some rights
thru “fall-thru” inclusion to rights for roles. Hope this helps.
Kenn
LBNLOn 12/5/2007 11:06 PM, Christopher Short wrote:
Hi,
I have users who can modify tickets in a queue that I didn’t expect.
All those users are are assigned to just one group with these
permissions on the queue:CommentOnTicket
OwnTicket
SeeQueue
ShowTicket
ShowTicketCommentsThe only other thing that applies to them is the Everybody group with
ReplyTicket. Privileged has no added rights.Is ModifyTicket implied by OwnTicket? I’ve seen comments that imply that
it isn’t.Christopher
(RT 3.6.1)
SAVE THOUSANDS OF DOLLARS ON RT SUPPORT:
If you sign up for a new RT support contract before December 31, we’ll take
up to 20 percent off the price. This sale won’t last long, so get in touch today.
Email us at sales@bestpractical.com or call us at +1 617 812 0745.Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.comDiscover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
This RT extension can help you understand how users end up with rights.On 12/6/07, Christopher Short cshort@n6.com.au wrote:
Hi,
I have users who can modify tickets in a queue that I didn’t expect.
All those users are are assigned to just one group with these permissions on
the queue:CommentOnTicket
OwnTicket
SeeQueue
ShowTicket
ShowTicketCommentsThe only other thing that applies to them is the Everybody group with
ReplyTicket. Privileged has no added rights.Is ModifyTicket implied by OwnTicket? I’ve seen comments that imply that it
isn’t.Christopher
(RT 3.6.1)
SAVE THOUSANDS OF DOLLARS ON RT SUPPORT:
If you sign up for a new RT support contract before December 31, we’ll take
up to 20 percent off the price. This sale won’t last long, so get in touch
today.
Email us at sales@bestpractical.com or call us at +1 617 812 0745.Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.comDiscover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
Thanks Kenneth, I hadn’t heard of RTx::RightsMatrix before, I’ll give it a go.
However, I don’t have any (additional) rights for owners on that group or globally. In our system all Privileged users have ReplyTicket, everything else is on a Group basis.
Hmmm maybe I added custom fields with global privileged modify access. Aha!
(But the original problem was the “worked” field which seems like a loophole in RT, people with Comment rights can edit several fields on the Comment screen, including Worked)
cheers,
ChristopherFrom: Kenneth Crocker [mailto:KFCrocker@lbl.gov]
Sent: Friday, December 07, 2007 4:52 AM
To: Christopher Short
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Modify without ModifyTicket?
Christopher,
What rights have you given the role "owner" both globally and for that
queue? CommentOnTicket allows modification ONLY to the comments part of
a ticket, not the status or dates, etc. Do you have RightsMatrix? That
will help a great deal in finding out “who” can do “what” and “where”
and thru what rights. You could have inadvertently granted some rights
thru “fall-thru” inclusion to rights for roles. Hope this helps.
Kenn
LBNL
Christopher,
Custom Fields for "tickets" have two areas where privileges can be
granted and both should be looked at and set. Navigate thus
Configuration>CustomFields>(select field)>Applies To. This will tell you
which queues are using it on their tickets. If a user/group member
doesn’t have rights to that queue, they won’t be able to see/modify a
ticket their, let alone see/modify any CF’s that are applied. Also, even
if a group HAS the right to see/modify a queue/ticket AND have the
rights to see/modify a CF, if the CF isn’t applied to the queue where
that particular group has access, it cannot be seen/modified. Now,
navigate thus, Configuration>CustomFields>(select field)>Group rights.
This will tell you who can do what to this particular CF on the basis of
System/User defined groups, IF that CF has been applied to the queue
where they want to see/modify it. Notice their are no roles listed.
That’s because ticket CF’s do not relate to owner’s or requestors, etc.
They relate to Queue/Tickets only. Now, the privilege “AdminCustomField”
means that a particular user/group can change the way the CF is set
up,like add values, change sort sequences, type (select one value, Fill
in one text, etc.), description, etc. This right should be reserved for
the Admin person, the one in charge of the RT system. Otherwise, you
might end up with one person updating another person’s CF and you get
all kinds of trouble from that.
So, basically (in a general way), a CF should be setup by Admin types
(System and/or Queue) and the see/modify privileges should be given to
the user groups that have access to the queues WHERE the CF is applied.
I like your setup of granting the Global right “ReplToTicket” to all
Privileged Users and having everything else on the group basis. It’s
simpler and easier to maintain. You might want to add the following
rights to all Privileged users as well; “CreateSavedSearch”,
“EditSavedSearches”, “LoadSavedSearch”, “ShowSavedSearches”, and
“ModifySelf”. This will allow these privileges ONLY if they are in a
group that has rights (“SeeGroup”, “ShowTicket”) to a queue. That way
you don’t have to grant those rights more often on a group basis, etc.
For those people with limited rights (comment, etc.) as a group to a
queue, that group should NOT have “ModifyCustomField” rights to that CF.
Hope this helps.
Kenn
LBNLOn 12/6/2007 5:22 PM, Christopher Short wrote:
Thanks Kenneth, I hadn’t heard of RTx::RightsMatrix before, I’ll give it a go.
However, I don’t have any (additional) rights for owners on that group or globally. In our system all Privileged users have ReplyTicket, everything else is on a Group basis.
Hmmm maybe I added custom fields with global privileged modify access. Aha!
(But the original problem was the “worked” field which seems like a loophole in RT, people with Comment rights can edit several fields on the Comment screen, including Worked)
cheers,
Christopher-----Original Message-----
From: Kenneth Crocker [mailto:KFCrocker@lbl.gov]
Sent: Friday, December 07, 2007 4:52 AM
To: Christopher Short
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] Modify without ModifyTicket?Christopher,
What rights have you given the role "owner" both globally and for thatqueue? CommentOnTicket allows modification ONLY to the comments part of
a ticket, not the status or dates, etc. Do you have RightsMatrix? That
will help a great deal in finding out “who” can do “what” and “where”
and thru what rights. You could have inadvertently granted some rights
thru “fall-thru” inclusion to rights for roles. Hope this helps.Kenn
LBNLOn 12/5/2007 11:06 PM, Christopher Short wrote:
Hi,
I have users who can modify tickets in a queue that I didn’t expect.
All those users are are assigned to just one group with these
permissions on the queue:CommentOnTicket
OwnTicket
SeeQueue
ShowTicket
ShowTicketCommentsThe only other thing that applies to them is the Everybody group with
ReplyTicket. Privileged has no added rights.Is ModifyTicket implied by OwnTicket? I’ve seen comments that imply that
it isn’t.Christopher
(RT 3.6.1)
SAVE THOUSANDS OF DOLLARS ON RT SUPPORT:
If you sign up for a new RT support contract before December 31, we’ll take
up to 20 percent off the price. This sale won’t last long, so get in touch today.
Email us at sales@bestpractical.com or call us at +1 617 812 0745.Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.comDiscover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
SAVE THOUSANDS OF DOLLARS ON RT SUPPORT:
If you sign up for a new RT support contract before December 31, we’ll take
up to 20 percent off the price. This sale won’t last long, so get in touch today.
Email us at sales@bestpractical.com or call us at +1 617 812 0745.Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.comDiscover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com