Question about Query Builder

RT Users
1

All,

Sorry if this has been answered before but I am rather new to RT (good
product though). I have created a couple of queues for some customers and
assigned a group restricted permissions to these queues. When a “rights
restricted” user goes into query builder they will only see the Queues that
they are part of. But, they have the ability to see all Owners, especially
those who do not have rights to the queue.

My guess is that this is because the tool wasn’t designed to allow
"customers" to access their queues as an unrestricted user. If this is the
case, then it is fine, I might just have to hack at the perl.

If “customers” are supposed to be restricted users, then is there a way to
have them be able to see ALL of the tickets that are part of their queue and
not just the ones that are owned by them???

Thanks in advance for your help and sorry for my ignorance.

PS I did do some looking around to find these answers, I just was not able
to find them in the WIKIs or the archives.

Thanks,

Jeremy

2

The is an
confusing explanation of what you are trying to do…

So are you saying you want a user without privileges to be able to
query in RT?

You can grant permissions for a user to see all the tickets in a queue.
But you also have to grant them user rights as well…

Is that what you are asking?

Jeremy Stinson wrote:

All,

Sorry if this has been answered before but I am rather new to RT (good
product though). I have created a couple of queues for some customers
and assigned a group restricted permissions to these queues. When a
“rights restricted” user goes into query builder they will only see the
Queues that they are part of. But, they have the ability to see all
Owners, especially those who do not have rights to the queue.

My guess is that this is because the tool wasn’t designed to allow
“customers” to access their queues as an unrestricted user. If this is
the case, then it is fine, I might just have to hack at the perl.

If “customers” are supposed to be restricted users, then is there a way
to have them be able to see ALL of the tickets that are part of their
queue and not just the ones that are owned by them???

Thanks in advance for your help and sorry for my ignorance.

PS I did do some looking around to find these answers, I just was not
able to find them in the WIKIs or the archives.

Thanks,

Jeremy

http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Be sure to check out the RT Wiki at http://wiki.bestpractical.com

Buy your copy of our new book, RT Essentials, today!

Download a free sample chapter from http://rtbook.bestpractical.com

3

I do apologize. There are three questions in this mess…

  1. We are creating separate queues for each of our customers and allowing them to log into RT to look at open tickets and create tickets on their own. When that user clicks on the “Ticket” link on the left and brings up the Query Builder, the user has the ability to see all the users on the system in the Owners drop-down. This user doesn’t have rights to see other queues and in the Query Builder doesn’t have the ability to choose other Queues.

My questions is: Is this normal behavior for the tool to allow you to choose other owners even though they don’t belong to the same queue? And then that answer brings up a couple more like: Do you have the ability to lock down that user to only see other users who have permission to the same queues as they do? Or, can you remove the “Tickets” link from the left side of the page when a user doesn’t have a certain rights (kind of like configuration only showing up when the user has certain rights).

  1. I think that all my problems would be solved by using unprivileged users but I have not been able to find the correct rights so that they can see all tickets created by all users for the queues that they have permissions to look at, only tickets for which they are the owner.

Thanks in advance for any insight that you might provide.

PS I just ordered the book in case I’m missing something simple :slight_smile:

Jeremy----- Original Message -----
From: Phil Labonte
To: Jeremy Stinson
Cc: rt-users@lists.bestpractical.com
Sent: Friday, October 07, 2005 9:38 AM
Subject: Re: [rt-users] Question about Query Builder

The is an confusing explanation of what you are trying to do…

So are you saying you want a user without privileges to be able to query in RT?

You can grant permissions for a user to see all the tickets in a queue. But you also have to grant them user rights as well…

Is that what you are asking?

Jeremy Stinson wrote:
All,

Sorry if this has been answered before but I am rather new to RT (good product though). I have created a couple of queues for some customers and assigned a group restricted permissions to these queues.  When a "rights restricted" user goes into query builder they will only see the Queues that they are part of. But, they have the ability to see all Owners, especially those who do not have rights to the queue. 

My guess is that this is because the tool wasn't designed to allow "customers" to access their queues as an unrestricted user. If this is the case, then it is fine, I might just have to hack at the perl. 

If "customers" are supposed to be restricted users, then is there a way to have them be able to see ALL of the tickets that are part of their queue and not just the ones that are owned by them??? 

Thanks in advance for your help and sorry for my ignorance. 

PS I did do some looking around to find these answers, I just was not able to find them in the WIKIs or the archives. 

Thanks, 

Jeremy 
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users 

Be sure to check out the RT Wiki at http://wiki.bestpractical.com 

Buy your copy of our new book, RT Essentials, today! 
Download a free sample chapter from http://rtbook.bestpractical.com
4

Jeremy Stinson wrote:

I do apologize. There are three questions in this mess…

  1. We are creating separate queues for each of our customers and allowing them to log into RT to look at open tickets and create tickets on their own. When that user clicks on the “Ticket” link on the left and brings up the Query Builder, the user has the ability to see all the users on the system in the Owners drop-down. This user doesn’t have rights to see other queues and in the Query Builder doesn’t have the ability to choose other Queues.

My questions is: Is this normal behavior for the tool to allow you to choose other owners even though they don’t belong to the same queue? And then that answer brings up a couple more like: Do you have the ability to lock down that user to only see other users who have permission to the same queues as they do? Or, can you remove the “Tickets” link from the left side of the page when a user doesn’t have a certain rights (kind of like configuration only showing up when the user has certain rights).

  1. I think that all my problems would be solved by using unprivileged users but I have not been able to find the correct rights so that they can see all tickets created by all users for the queues that they have permissions to look at, only tickets for which they are the owner.

Have you tried to give Show Ticket and See Queue permissions to the
Unprivileged group on each of the queues you want them to see ??
ie Configuration/Queues// from Sub menu group rights

Roy

5

Roy,

Thanks for the suggestion but it did not work for me. I actually assigned
all rights to both the user group and the upriviliged group and neither
helped when the user was unpriviliged.

Thanks for the suggestion.

JeremyFrom: “Roy El-Hames” rfh@pipex.net
To: “Jeremy Stinson” laxplayer@earthlink.net
Cc: “Phil Labonte” phil.labonte@transcore.com;
rt-users@lists.bestpractical.com
Sent: Friday, October 07, 2005 11:01 AM
Subject: Re: [rt-users] Question about Query Builder

Jeremy Stinson wrote:

I do apologize. There are three questions in this mess…

  1. We are creating separate queues for each of our customers and allowing
    them to log into RT to look at open tickets and create tickets on their
    own. When that user clicks on the “Ticket” link on the left and brings up
    the Query Builder, the user has the ability to see all the users on the
    system in the Owners drop-down. This user doesn’t have rights to see other
    queues and in the Query Builder doesn’t have the ability to choose other
    Queues.
    My questions is: Is this normal behavior for the tool to allow you to
    choose other owners even though they don’t belong to the same queue? And
    then that answer brings up a couple more like: Do you have the ability to
    lock down that user to only see other users who have permission to the
    same queues as they do? Or, can you remove the “Tickets” link from the
    left side of the page when a user doesn’t have a certain rights (kind of
    like configuration only showing up when the user has certain rights).

  2. I think that all my problems would be solved by using unprivileged
    users but I have not been able to find the correct rights so that they can
    see all tickets created by all users for the queues that they have
    permissions to look at, only tickets for which they are the owner.

Have you tried to give Show Ticket and See Queue permissions to the
Unprivileged group on each of the queues you want them to see ??
ie Configuration/Queues// from Sub menu group
rights

Roy

6

I just re-read your original post … it sounds to me you’ll need to undo
all your global rights and apply right to your users on a queue per
queue basis …but this will also lead you to complications …
I am not in favour --personal opinion-- on grouping customers on a queue
per queue basis , its better to use groups

Roy

Jeremy Stinson wrote:

7

Roy: Thanks for your help so far.

I might have screwed up my description, if so i’m sorry.

Users are assigned to groups, groups are assigned to queues, rights are
given to groups on queues. Only the Admin group is given global rights.
Nobody else has been given any global rights.

I have screwed around with the global rights for all users but it is not
helping out…

Any other ideas???From: “Roy El-Hames” rfh@pipex.net
To: “Jeremy Stinson” laxplayer@earthlink.net
Cc: “Phil Labonte” phil.labonte@transcore.com;
rt-users@lists.bestpractical.com
Sent: Friday, October 07, 2005 11:22 AM
Subject: Re: [rt-users] Question about Query Builder

I just re-read your original post … it sounds to me you’ll need to undo
all your global rights and apply right to your users on a queue per queue
basis …but this will also lead you to complications …
I am not in favour --personal opinion-- on grouping customers on a queue
per queue basis , its better to use groups

Roy

Jeremy Stinson wrote:

Roy,

Thanks for the suggestion but it did not work for me. I actually assigned
all rights to both the user group and the upriviliged group and neither
helped when the user was unpriviliged.

Thanks for the suggestion.

Jeremy

----- Original Message ----- From: “Roy El-Hames” rfh@pipex.net
To: “Jeremy Stinson” laxplayer@earthlink.net
Cc: “Phil Labonte” phil.labonte@transcore.com;
rt-users@lists.bestpractical.com
Sent: Friday, October 07, 2005 11:01 AM
Subject: Re: [rt-users] Question about Query Builder

Jeremy Stinson wrote:

I do apologize. There are three questions in this mess…

  1. We are creating separate queues for each of our customers and
    allowing them to log into RT to look at open tickets and create tickets
    on their own. When that user clicks on the “Ticket” link on the left
    and brings up the Query Builder, the user has the ability to see all
    the users on the system in the Owners drop-down. This user doesn’t have
    rights to see other queues and in the Query Builder doesn’t have the
    ability to choose other Queues.
    My questions is: Is this normal behavior for the tool to allow you to
    choose other owners even though they don’t belong to the same queue?
    And then that answer brings up a couple more like: Do you have the
    ability to lock down that user to only see other users who have
    permission to the same queues as they do? Or, can you remove the
    “Tickets” link from the left side of the page when a user doesn’t have
    a certain rights (kind of like configuration only showing up when the
    user has certain rights).

  2. I think that all my problems would be solved by using unprivileged
    users but I have not been able to find the correct rights so that they
    can see all tickets created by all users for the queues that they have
    permissions to look at, only tickets for which they are the owner.

Have you tried to give Show Ticket and See Queue permissions to the
Unprivileged group on each of the queues you want them to see ??
ie Configuration/Queues// from Sub menu group
rights

Roy

8

Users are assigned to groups, groups are assigned to queues, rights are
given to groups on queues. Only the Admin group is given global rights.
Nobody else has been given any global rights.

I have screwed around with the global rights for all users but it is not
helping out…

To recap your problem as I understand it:

You have users, who only have access to one queue, using the Query
Builder. When these users are trying to build a query, the lists of
users (for Owner, etc) display all users on the RT installation, and
what you expect them to display is “only the users who might be
attached to tickets in this queue”.

Is that your problem?

I assume, not having looked at the code, that that pulldown isn’t
filtered, but I’m not sure that joining it to “all users who have
$RIGHT on $CURRENTQUEUE”, aside from impacting performance a bit,
wouldn’t be overly restrictive. (That is, it might preclude you
specifying someone you want to specify: specifically, I don’t think
email users would show up, since they don’t have rights. I’m not sure
how to deal with that.)

Code-hackers: is that pulldown in the Querybuildercurrently filtered?

If not, is there any reasonable way to figure out who should pass the
filter to accomplish what Jeremy is looking for? Or is this why
you shouldn’t assign separate queues for clients? :wink:

Cheers,
– jra
Jay R. Ashworth jra@baylink.com
Designer Baylink RFC 2100
Ashworth & Associates The Things I Think '87 e24
St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274

"NPR has a lot in common with Nascar... we both turn to the left."
	- Peter Sagal, on Wait Wait, Don't Tell Me!
9

Jay,

That is my issue, thank you for describing it in better RT terms :slight_smile: I
understand that separate customer queues is not how this system was designed
but my issue, and please let me know if there is a good way to solve this,
is that there are multiple customers contacts per customer and the customer
wants to see all open tickets. And, they want separate user IDs…

As a short term “fix”, I did edit the /Elements/Tabs so that only people
with certain rights will have access to that link. I think this is a decent
solution since most users will not need that report functionality. What I
will most likely do is create some canned reports for them and possibly
create a new tab for reporting.

Let me know what you think.

Thanks,

Jeremy----- Original Message -----
From: “Jay R. Ashworth” jra@baylink.com
To: rt-users@lists.bestpractical.com
Sent: Friday, October 07, 2005 2:52 PM
Subject: Re: [rt-users] Question about Query Builder

On Fri, Oct 07, 2005 at 12:16:12PM -0400, Jeremy Stinson wrote:

Users are assigned to groups, groups are assigned to queues, rights are
given to groups on queues. Only the Admin group is given global rights.
Nobody else has been given any global rights.

I have screwed around with the global rights for all users but it is not
helping out…

To recap your problem as I understand it:

You have users, who only have access to one queue, using the Query
Builder. When these users are trying to build a query, the lists of
users (for Owner, etc) display all users on the RT installation, and
what you expect them to display is “only the users who might be
attached to tickets in this queue”.

Is that your problem?

I assume, not having looked at the code, that that pulldown isn’t
filtered, but I’m not sure that joining it to “all users who have
$RIGHT on $CURRENTQUEUE”, aside from impacting performance a bit,
wouldn’t be overly restrictive. (That is, it might preclude you
specifying someone you want to specify: specifically, I don’t think
email users would show up, since they don’t have rights. I’m not sure
how to deal with that.)

Code-hackers: is that pulldown in the Querybuildercurrently filtered?

If not, is there any reasonable way to figure out who should pass the
filter to accomplish what Jeremy is looking for? Or is this why
you shouldn’t assign separate queues for clients? :wink:

Cheers,
– jra

Jay R. Ashworth
jra@baylink.com
Designer Baylink RFC
2100
Ashworth & Associates The Things I Think '87
e24
St Petersburg FL USA http://baylink.pitas.com +1 727 647
1274

“NPR has a lot in common with Nascar… we both turn to the left.”

  • Peter Sagal, on Wait Wait, Don’t Tell Me!

The rt-users Archives

Be sure to check out the RT Wiki at http://wiki.bestpractical.com

Buy your copy of our new book, RT Essentials, today!

Download a free sample chapter from http://rtbook.bestpractical.com

10

That is my issue, thank you for describing it in better RT terms :slight_smile: I
understand that separate customer queues is not how this system was designed
but my issue, and please let me know if there is a good way to solve this,
is that there are multiple customers contacts per customer and the customer
wants to see all open tickets. And, they want separate user IDs…

What you want, like me and several other people, is for for RT to
understand inherently about “Customers”, I suspect. You can use groups
for that, though you have to be more than usually careful about
rights (you can’t assign much of anything at all to “privileged” users,
if you have groups that need to be effectively invisible to one
another – you have to set up a separate group for your “internal”
people and give the rights to that instead).

As a short term “fix”, I did edit the /Elements/Tabs so that only people
with certain rights will have access to that link. I think this is a decent
solution since most users will not need that report functionality. What I
will most likely do is create some canned reports for them and possibly
create a new tab for reporting.

I’ve been thinking that a bit more reporting flexibility builtin might
be nice; the three things I need are single-level break and subtotal,
grand total (mostly for time worked) and the ability to report on
transactions rather than tickets.

Alas, my perl hacking isn’t up to the task…

Cheers,
– jra
Jay R. Ashworth jra@baylink.com
Designer Baylink RFC 2100
Ashworth & Associates The Things I Think '87 e24
St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274

"NPR has a lot in common with Nascar... we both turn to the left."
	- Peter Sagal, on Wait Wait, Don't Tell Me!