Quandary: secure parts of a ticket... should this be done with related tickets?

Hi,

The company I work for has been using RT strictly as internal company
workflow via the web.

There has recently been a request made to me for including part of the
ticket as secure so that the creator inputs the secure info when it is
in a certain queue, another part of the company (X) also has permission
to use this secure information, but then it gets forwarded to another
part of the company (Y) and they are not allowed to see this information.

This is a complicated situation, and the following questions come to
mind:

  1. how do I limit who can see tickets in a certain queue? Currently
    they all have global configuration of ACLs.

  2. Should I create a showSecureInfo and an EditSecureInfo module and it
    checks to see who the current viewer is to see whether they can view the
    module?

  3. after the ticket’s work has been complete
    (status=resolved/status=dead), how should I allow this info to be
    viewed? The same as 2)?

  4. should this be done with related tickets, with the secure info going
    in one and the task-related work going in another and then linking them?
    Would this produce the correct relationship? How would I guarantee that
    a user in Y couldn’t see the secure info?

  5. I thought about copying Create.html into another file within an
    .htaccess protected directory and forcing all tickets for that queue to
    go to that directory (which would require a password), but I’m sure that
    will only make things really messy.

Any help with this would be appreciated.

Thanks!

Colleen

Colleen Noonan

Colleen wrote:

  1. how do I limit who can see tickets in a certain queue? Currently
    they all have global configuration of ACLs.

Configure rights per queue instead of globally. :)

  2. Should I create a showSecureInfo and an EditSecureInfo module and it
    checks to see who the current viewer is to see whether they can view the
    module?

Can you (ab)use Comments for this purpose? ie, give your Secure
people “ShowComment” and not the other group?

  3. after the ticket’s work has been complete
    (status=resolved/status=dead), how should I allow this info to be
    viewed? The same as 2)?

Business process question.

  4. should this be done with related tickets, with the secure info going
    in one and the task-related work going in another and then linking them?

You could do, I guess.

Would this produce the correct relationship? How would I guarantee that
a user in Y couldn’t see the secure info?

Different queues with different access.

  5. I thought about copying Create.html into another file within an
    .htaccess protected directory and forcing all tickets for that queue to
    go to that directory (which would require a password), but I’m sure that
    will only make things really messy.

Don’t go that way. :)
Phil Homewood, Systems Janitor, www.SnapGear.com
pdh@snapgear.com Ph: +61 7 3435 2810 Fx: +61 7 3891 3630
SnapGear - Custom Embedded Solutions and Security Appliances

  3. after the ticket’s work has been complete
    (status=resolved/status=dead), how should I allow this info to be
    viewed? The same as 2)?

Business process question.

I am mostly a lurker here, but wanted to interject on this one.

Business process in relation to a crm environment is a school of thought all
to itself. Perhaps this is worthy of its own mailing list? I am comfortable
with the tech side of things and like to keep up to speed on the add ons and
updates etc, but, being able to compare non-tech notes with others that use
RT in various ways and ask the sort of questions like appears above would be
interesting and useful. It could be something like rt-business?

If this isn’t something Best Practical wants to do I wouldn’t mind hosting
such a mailing list. Assuming 1, it’s permitted by Jesse & Team and 2, there
is interest here in such a thing. I don’t want to be the only guy on the
list :)

Thoughts?

Mitchell

Mitchell - count me in. This is the information I am looking for as well.

From: Mitchell Wright [mailto:webmaster@nimm.com]
Sent: Friday, December 13, 2002 6:59 AM
To: Phil Homewood; rt-users@lists.fsck.com; rt-devel@lists.fsck.com
Subject: Re: [rt-devel] quandry: secure parts of a ticket… should this be
done with related tickets?


-----Original Message-----
From: Phil Homewood [mailto:pdh@snapgear.com]
Sent: Thursday, December 12, 2002 3:08 PM

Colleen wrote:

  1. how do I limit who can see tickets in a certain queue? Currently
    they all have global configuration of ACLs.

Configure rights per queue instead of globally. :slight_smile:

ok, I tried this. It doesn’t seem to work as expected.

I have 10 users and 5 queues (1 of which is “secure” and should only
allow the 3 users with privileges), let’s say. I took away all their
global rights except for “modify self”.

I put in rights for all 10 users for the 4 ordinary queues and for the
secure queue, I only put permissions in for those 3 users. I logged out
and logged back in as an average user (no secure permissions) and I
tried to ‘Create a Ticket’ in the secure queue. I was allowed to do
this.

Isn’t that odd? How can I fix this?

  2. Should I create a showSecureInfo and an EditSecureInfo module and it
    checks to see who the current viewer is to see whether they can view the
    module?

Can you (ab)use Comments for this purpose? ie, give your Secure
people “ShowComment” and not the other group?

I got this working.

Thanks!

Colleen

Colleen wrote:

I put in rights for all 10 users for the 4 ordinary queues and for the
secure queue, I only put permissions in for those 3 users. I logged out
and logged back in as an average user (no secure permissions) and I
tried to ‘Create a Ticket’ in the secure queue. I was allowed to do
this.

What do the following commands show?

rtadmin --queue secure_queue --list-rights
rtadmin --system --list-rights

(You probably want to run those as the unix user corresponding
to your SuperUser, eg. root.)
Phil Homewood, Systems Janitor, www.SnapGear.com
pdh@snapgear.com Ph: +61 7 3435 2810 Fx: +61 7 3891 3630
SnapGear - Custom Embedded Solutions and Security Appliances

-----Original Message-----
From: Phil Homewood [mailto:pdh@snapgear.com]
Sent: Monday, December 16, 2002 6:23 PM
To: rt-devel@lists.fsck.com
Subject: Re: [rt-devel] quandry: secure parts of a ticket… should this
be done with related tickets?

Colleen wrote:

I put in rights for all 10 users for the 4 ordinary queues and for the
secure queue, I only put permissions in for those 3 users. I logged out
and logged back in as an average user (no secure permissions) and I
tried to ‘Create a Ticket’ in the secure queue. I was allowed to do
this.

What do the following commands show?

rtadmin --queue secure_queue --list-rights
rtadmin --system --list-rights

I have never used rtadmin and just now when I attempted to, I received
the following error:

[root@bizarro bin]# ./rtadmin
Can't locate RT/Interface/CLI.pm in @INC (@INC contains:
/usr/local/rt/etc /usr/local/rt/lib /usr/lib/perl5/5.6.1/i386-linux
/usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux
/usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0
/usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux
/usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl .) at
./rtadmin line 14.
BEGIN failed--compilation aborted at ./rtadmin line 14.

It looks like rtadmin can’t run by itself.

Here’s the first 15 lines of rtadmin:

#!/usr/bin/perl -w

# $Header: /raid/cvsroot/rt/bin/rtadmin,v 1.4 2001/12/14 21:42:58 jesse Exp $
# RT is (c) 1996-2001 Jesse Vincent jesse@fsck.com

use strict;
use Carp;
use Getopt::Long qw(:config pass_through);

use lib "/usr/local/rt/lib";
use lib "/usr/local/rt/etc";

use RT::Interface::CLI qw(CleanEnv LoadConfig DBConnect
                          GetCurrentUser GetMessageContent);

Thanks again, for any help you can offer!

Colleen Noonan

Colleen wrote:

I have never used rtadmin and just now when I attempted to, I received
the following error:

[root@bizarro bin]# ./rtadmin
Can't locate RT/Interface/CLI.pm in @INC (@INC contains:
/usr/local/rt/etc /usr/local/rt/lib /usr/lib/perl5/5.6.1/i386-linux

Is rtadmin setgid rt?
Is /usr/local/rt/lib/RT/Interface/CLI.pm present?
Does your suidperl work?
Phil Homewood, Systems Janitor, www.SnapGear.com
pdh@snapgear.com Ph: +61 7 3435 2810 Fx: +61 7 3891 3630
SnapGear - Custom Embedded Solutions and Security Appliances

Colleen wrote:

I have never used rtadmin and just now when I attempted to, I received
the following error:

[root@bizarro bin]# ./rtadmin
Can't locate RT/Interface/CLI.pm in @INC (@INC contains:
/usr/local/rt/etc /usr/local/rt/lib /usr/lib/perl5/5.6.1/i386-linux

Is rtadmin setgid rt?
Is /usr/local/rt/lib/RT/Interface/CLI.pm present?
Does your suidperl work?

And a more subtle gotcha; is /usr/local/rt on a NFS-mounted partition with
root-squash enabled, and is the directory set so that only the RT
user/group can access it?

For that matter, are /usr/local/rt/{etc,lib} the RT directories?

                         Bruce Campbell                            RIPE
               Systems/Network Engineer                             NCC
             www.ripe.net - PGP562C8B1B             Operations/Security

-----Original Message-----
From: Phil Homewood [mailto:pdh@snapgear.com]
Sent: Monday, December 16, 2002 6:23 PM
To: rt-devel@lists.fsck.com
Subject: Re: [rt-devel] quandry: secure parts of a ticket… should this
be done with related tickets?

Colleen wrote:

I put in rights for all 10 users for the 4 ordinary queues and for the
secure queue, I only put permissions in for those 3 users. I logged out
and logged back in as an average user (no secure permissions) and I
tried to ‘Create a Ticket’ in the secure queue. I was allowed to do
this.
What do the following commands show?

rtadmin --queue secure_queue --list-rights
rtadmin --system --list-rights

(You probably want to run those as the unix user corresponding
to your SuperUser, eg. root.)

Ok Thanks to Phil, Bruce and Darren, I got rtadmin working ok and I
tried the commands above and received:

[root@bizarro bin]# ./rtadmin --queue "CC Worksheets" --list-rights
[root@bizarro bin]# ./rtadmin --system --list-rights
In AdminSystem

I also re-tried the test of having an unprivileged user create a ticket
in a queue they do not have rights for. The user is still allowed to do
this, unfortunately.

Thanks!
–c

Colleen wrote:

[root@bizarro bin]# ./rtadmin --queue "CC Worksheets" --list-rights
[root@bizarro bin]# ./rtadmin --system --list-rights
In AdminSystem

Sounds like “root” (at the Unix level) doesn’t correspond with
an RT SuperUser. This is getting somewhat hairy, just to fix a
simple sounding problem :)

Make sure (in the WebUI) that, under Configuration->Users->root,
the “Unix login” field shows “root”. Make sure, also, that
the “Let this user be granted rights” box is checked. You haven’t
toggled root’s “SuperUser” status in the DB, by any chance?

Hmm. All this just to find out the permissions… maybe it’d be
easier just to ask the DB directly…
Phil Homewood, Systems Janitor, www.SnapGear.com
pdh@snapgear.com Ph: +61 7 3435 2810 Fx: +61 7 3891 3630
SnapGear - Custom Embedded Solutions and Security Appliances
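
The symptom discussed in this thread (a user with no personal rights on the secure queue can still create tickets there) is one thing additive rights can produce when a broad grant remains at system scope or on a group. The following is an added example, not part of the original thread and not RT's own code or schema: a simplified Python model, with constructed users, groups, queue names and right names, that lists every grant letting a given user exercise a right on a queue.

```python
# Simplified model of additive ACL evaluation (an assumption for illustration,
# not RT's actual code or schema). All users, groups and grants are constructed.
from collections import namedtuple

Grant = namedtuple("Grant", "principal scope right")  # scope: "system" or a queue name

# Constructed membership; the model assumes every account is in "Everyone".
GROUPS = {
    "secure_staff": {"alice", "bob", "carol"},
    "Everyone": {"alice", "bob", "carol", "dave"},
}

GRANTS = [
    Grant("user:dave", "system", "ModifySelf"),
    Grant("user:dave", "General", "CreateTicket"),
    Grant("group:secure_staff", "secure_queue", "CreateTicket"),
    Grant("group:secure_staff", "secure_queue", "ShowTicket"),
    # Leftover broad grant: easy to miss when only per-user rights are reviewed.
    Grant("group:Everyone", "system", "CreateTicket"),
]

def principals_for(user):
    """The user plus every group the user belongs to."""
    return {f"user:{user}"} | {f"group:{g}" for g, m in GROUPS.items() if user in m}

def explain(user, queue, right, grants=GRANTS):
    """Return every grant that gives `user` the `right` on `queue`.

    Grants only add up: a system-scope grant applies to every queue, and
    SuperUser at system scope implies every right. An empty list means denied.
    """
    who = principals_for(user)
    return [g for g in grants
            if g.principal in who
            and g.scope in ("system", queue)
            and (g.right == right or (g.right == "SuperUser" and g.scope == "system"))]

def queue_is_restricted(queue, right, allowed_users, grants=GRANTS):
    """True only if nobody outside `allowed_users` holds `right` on `queue`."""
    everyone = set().union(*GROUPS.values())
    return all(not explain(u, queue, right, grants) for u in everyone - allowed_users)

if __name__ == "__main__":
    for g in explain("dave", "secure_queue", "CreateTicket"):
        print("dave can create tickets via:", g)
```

Run against a real rights listing, the same check answers both "who can do this" and "which grant has to be removed", which a per-user review alone does not.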