Permissions by custom field


#1

Greetings,

After reading the permissions wiki I still can’t figure out how to
achieve what my MD wants. Please excuse me if this is described there.
I am still fairly new at RT and the permissions system.

We have a queue called Support where all our product support requests
from clients go into. We also have a custom field called “Client” that
contains the name of the customer the ticket was raised for. Our
customers can log into RT and see all the tickets they originated, but
some managers would like to see all the tickets generated for their
company. How can we set up the permissions to achieve this?

Clients are not allowed to see other client’s tickets, and we would
prefer not to create a queue for each customer, as this sometimes vary.

Any tips would be appreciated. We are running RT 3.6.6.

Thanks :slight_smile:

Braam van Heerden
Conversant Systems (Pty) Ltd
Tel: +27 11 782 2930
Cell: +27 82 336 4643
Skype: braamvh


#2

Braam,

I'm a bit confused. Your subject line mentions permissions and I don't 

see that question here. As to Custom Fields, what is the correlation
between customer and company? Normally, I would think it was one to
one. However, if you are creating tickets for someone else, you can
modify the “Requestor” to be the customer and not you. You will still be
the “creator”. Then, you can have a CF that is the company.
Permissions would be simpler. You could grant the right to "ShowTicket"
Globally to the “Requestor” role and that would keep your “customer"
from seeing other “customer (Requestor)” tickets. Then you merely go to
your Custom Field and apply it to the support queue and then go to
"Group Rights” and grant “SeeCustomField” to Privileged. That way all
privileged users will be able to see that field as well as the ticket in
a queue they are privileged to access. Hope this helps.

Kenn
LBNLOn 7/11/2008 6:01 AM, Braam van Heerden wrote:

Greetings,

After reading the permissions wiki I still can’t figure out how to
achieve what my MD wants. Please excuse me if this is described there.
I am still fairly new at RT and the permissions system.

We have a queue called Support where all our product support requests
from clients go into. We also have a custom field called “Client” that
contains the name of the customer the ticket was raised for. Our
customers can log into RT and see all the tickets they originated, but
some managers would like to see all the tickets generated for their
company. How can we set up the permissions to achieve this?

Clients are not allowed to see other client’s tickets, and we would
prefer not to create a queue for each customer, as this sometimes vary.

Any tips would be appreciated. We are running RT 3.6.6.

Thanks :slight_smile:

Braam van Heerden
Conversant Systems (Pty) Ltd
Tel: +27 11 782 2930
Cell: +27 82 336 4643
Skype: braamvh


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com


#3

Kenneth,

Todd Chapman sent some suggestions I will try.

I will try to be a bit more clear in my problem statement:

We have a single queue called support that handles all tickets from
various customers we have SLA’s with. For ease of use we decided to
only use a single queue and not create a queue per customer (as that
list fluctuates sometimes). Also, we have certain information on what
packages our customers offer to their customers, and how this is
implemented, and all this is bound by NDA’s, so it’s imperative we do
not let one customer see the details of another customer’s tickets. To
differentiate tickets raised by various customers we created a Custom
Field that contains the name of the customer.

Now, the issue is this: CustomerA has got a number of employees: Empl1,
Empl2 and Empl3. Either of them can raise a ticket, and we will respond
and close the ticket. Now, some time later the COO/CEO of CustomerA
requires access to all tickets raised by the various employees to track
who has not done their job, or where contractual violations occurred.

How can we grant this user access to all tickets raised by his company
(and tagged by a certain Custom Field), whilst not allowing him access
to tickets raised by other customers?

Right now I am leaning towards creating a group for every customer, then
add the group as a Requestor/Cc for the ticket. If I understand things
correctly group members should then have access to all tickets created
under that group, if I give ShowTicket to the group, but to no others.
Not sure if there’s an esier way to do this, though.

Thanks :slight_smile:

Braam van Heerden
Conversant Systems (Pty) Ltd
Tel: +27 11 782 2930
Cell: +27 82 336 4643
Skype: braamvh


#4

Braam van Heerden schrieb:

Kenneth,

Todd Chapman sent some suggestions I will try.

I will try to be a bit more clear in my problem statement:

I solved this by creating a queue for the customer and making one user a
privileged user for that queue only.
So he can see all tickets.
Support staff here must move tickets into that queue first, though.
(I think that’s all I had to do, but I can’t remember 100%).

This is really one of the few problematic areas of RT - it’s a common
problem with “control-freak” bosses of partners who want to see all
tickets, so they can judge (from the amount and from cross-reading them)
if there is “a problem” or not…

I wish, this was possible without a special queue.

cu,
Rainer


#5

It is possible without a special queue, and it’s not that hard. :)On Mon, Jul 14, 2008 at 9:25 AM, Rainer Duffner rainer@ultra-secure.de wrote:

Braam van Heerden schrieb:

Kenneth,

Todd Chapman sent some suggestions I will try.

I will try to be a bit more clear in my problem statement:

I solved this by creating a queue for the customer and making one user a
privileged user for that queue only.
So he can see all tickets.
Support staff here must move tickets into that queue first, though.
(I think that’s all I had to do, but I can’t remember 100%).

This is really one of the few problematic areas of RT - it’s a common
problem with “control-freak” bosses of partners who want to see all
tickets, so they can judge (from the amount and from cross-reading them)
if there is “a problem” or not…

I wish, this was possible without a special queue.

cu,
Rainer


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com


#6

Roy,

Here’s the reply from Todd:

your clients are the requestor of the ticket? if so just give the
Requestor role ShowTicket. if every employee of a particular client
needs to see each ticket you may have to create a scrip to add the
client’s group as Cc and give ShowTicket to the Cc role.

Very similar to your solution.

  • Braam

#7

Hi Braam;

Its always interesting to read Todd’s suggestions cause he is always
spot on; but could n’t find them in the thread , ist possible to forward
them to the list please.
With regard to dealing with customers, our implementation here is
exactly as you suggested, we group our customer contacts , if any of the
contacts open a ticket (via web/mail), a scrip action add the rest of
the customer group contacts as requestors; and a set a cf to the
customer name(organisation), then all customer contacts can login to the
self service interface and view/update the tickets.
This have served us well for the past few years, the only issue we get
every now and then, is when we add a new customer contact that need
visibility of old ticket, for this I have a perl script that crawl
tickets looking for tickets with cf for the customer and add the new
contact as requester.
I am not an admirer of queue per customer, my philosophy is that queues
should represent the internal departments.

Regards;
Roy

Braam van Heerden wrote:


#8

Braam,

I agree with the group idea, always have. In fact, you can add yourself 

as a member of each group and create some searches that you can seave
for each individual group. That way, when the other members of each
group wants to run a query, they hav3e several choices they can make
becuae you some some good ones for them and those are available to
everyone in the SAME group. Also, The “group as requestor” is the same
idea as I made of granting “ShowTicket” blobally to the role
"Requestor". That allows requstors the right to see ONLY their tickets
(as long as you didn’t grant “ShowTicket” to another group). The CF for
Customer name can also be used for searches and you can write a scrip to
pre-fill that CF by the "@xxxx.com" or “.org” portion of the email
address and that way all tickets created will automatically have the
correct "Customer NAme’ when created. Just a thought.

Kenn
LBNLOn 7/14/2008 5:32 AM, Braam van Heerden wrote:

Kenneth,

Todd Chapman sent some suggestions I will try.

I will try to be a bit more clear in my problem statement:

We have a single queue called support that handles all tickets from
various customers we have SLA’s with. For ease of use we decided to
only use a single queue and not create a queue per customer (as that
list fluctuates sometimes). Also, we have certain information on what
packages our customers offer to their customers, and how this is
implemented, and all this is bound by NDA’s, so it’s imperative we do
not let one customer see the details of another customer’s tickets. To
differentiate tickets raised by various customers we created a Custom
Field that contains the name of the customer.

Now, the issue is this: CustomerA has got a number of employees: Empl1,
Empl2 and Empl3. Either of them can raise a ticket, and we will respond
and close the ticket. Now, some time later the COO/CEO of CustomerA
requires access to all tickets raised by the various employees to track
who has not done their job, or where contractual violations occurred.

How can we grant this user access to all tickets raised by his company
(and tagged by a certain Custom Field), whilst not allowing him access
to tickets raised by other customers?

Right now I am leaning towards creating a group for every customer, then
add the group as a Requestor/Cc for the ticket. If I understand things
correctly group members should then have access to all tickets created
under that group, if I give ShowTicket to the group, but to no others.
Not sure if there’s an esier way to do this, though.

Thanks :slight_smile:

Braam van Heerden
Conversant Systems (Pty) Ltd
Tel: +27 11 782 2930
Cell: +27 82 336 4643
Skype: braamvh

-----Original Message-----
From: Kenneth Crocker [mailto:KFCrocker@lbl.gov]
Sent: 11 July 2008 18:39 PM
To: Braam van Heerden
Cc: rt-users@bestpractical.com
Subject: Re: [rt-users] Permissions by custom field

Braam,

I’m a bit confused. Your subject line mentions
permissions and I don’t see that question here. As to Custom
Fields, what is the correlation between customer and company?
Normally, I would think it was one to one. However, if you
are creating tickets for someone else, you can modify the
"Requestor" to be the customer and not you. You will still be
the “creator”. Then, you can have a CF that is the company.
Permissions would be simpler. You could grant the right
to "ShowTicket"
Globally to the “Requestor” role and that would keep your “customer"
from seeing other “customer (Requestor)” tickets. Then you
merely go to your Custom Field and apply it to the support
queue and then go to “Group Rights” and grant
"SeeCustomField” to Privileged. That way all privileged users
will be able to see that field as well as the ticket in a
queue they are privileged to access. Hope this helps.

Kenn
LBNL

On 7/11/2008 6:01 AM, Braam van Heerden wrote:

Greetings,

After reading the permissions wiki I still can’t figure out how to
achieve what my MD wants. Please excuse me if this is
described there.
I am still fairly new at RT and the permissions system.

We have a queue called Support where all our product
support requests
from clients go into. We also have a custom field called "Client"
that contains the name of the customer the ticket was
raised for. Our
customers can log into RT and see all the tickets they
originated, but
some managers would like to see all the tickets generated for their
company. How can we set up the permissions to achieve this?

Clients are not allowed to see other client’s tickets, and we would
prefer not to create a queue for each customer, as this
sometimes vary.
Any tips would be appreciated. We are running RT 3.6.6.

Thanks :slight_smile:

Braam van Heerden
Conversant Systems (Pty) Ltd
Tel: +27 11 782 2930
Cell: +27 82 336 4643
Skype: braamvh


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com Commercial support:
sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from
O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com


#9

Todd Chapman schrieb:

It is possible without a special queue, and it’s not that hard. :slight_smile:

OK, can you point me to where this is described?
Or describe it yourself?
Because I was looking for it very long in the wiki and couldn’t find it :wink:

Best Regards,
Rainer


#10

I described it very early in this thread. Basically:

  1. create a group for each customer.
  2. create a scrip that assigns that group as a Cc to the ticket when
    the ticket is created.
  3. give ShowTicket to the Cc role.On Tue, Jul 15, 2008 at 12:19 PM, Rainer Duffner rainer@ultra-secure.de wrote:

Todd Chapman schrieb:

It is possible without a special queue, and it’s not that hard. :slight_smile:

OK, can you point me to where this is described?
Or describe it yourself?
Because I was looking for it very long in the wiki and couldn’t find it :wink:

Best Regards,
Rainer