Question regarding group rights configuration semantics

RT Users
1

(3.6.0)

Dumb, basic question, if I got it wrong I don’t understand how it’s
possible for my RT instance to be functional at all, but now I’m
worried…

If I’m in Configuration->Groups->[group name]->Group Rights, where it
says "Modify group rights for group [group name]…

am I modifying the rights that [group name] has over each listed role or
group in the comboxes?

Or am I modifying the rights that each listed role or group has over
[group name]?

For instance, if in that screen I see that the ‘EditSavedSearches’ right
under “Everyone” is granted – does that mean that [group name] can edit
the saved searches that show up for the “everyone” role? Or does it mean
that “Everyone” can edit [group name]'s saved searches?

Thanks,
	Ole

/Ole Craig
Security Engineer
Team lead, customer support

ocraig@stillsecure.com
303-381-3824 direct
303-381-3802 support
303-381-3880 fax

www.stillsecure.com

2

Ole Craig,

When you are in configuration for groups, then you are basically

setting global rights for all other groups (depending on which ones you
choose) to have over the group you selected initially for setting group
rights (boy, that IS a mouthful isn’t it). For example, if you go to
configuration->groups->GL(name of the group you are setting rights
for)->Group Rights and you grant the right to “SeeGroup” for the group
named “Budget”, then you have granted every user in the “Budget” Group
the right to see the group “GL” on their screen when looking at groups.
If you granted “AdminGroupMembership” to “Budget”, then any user in the
"Budget" group will be able to add/delete members of the “GL” group.
This will apply to ANY group listed on the “Group Rights” screen that
you grant rights to. I’m not sure I explained that in a way that is easy
to understand, but the matrix of privileges as it applie to queues,
groups, users, custom fields, etc is really complex. I hope this helped.

Kenn
LBNL

Ole Craig wrote:

3

Thanks, Kenn! That does help quite a bit.

    The wording of the screen is ambiguous enough that if you go in

with the assumption that you’re configuring this group with rights over
other objects, there’s nothing that really shouts “No, it’s the other
way 'round, stupid!”

    In poking some more, I think I did do it right when I set up my

initial groups 18 months ago – but in the intervening time I’d
forgotten. :-[

    It would be Really Nice(tm) if the rights configuration screens

had some sort of explanatory text on them.

Thanks,
	OleOn Fri, 2007-06-15 at 11:38 -0700, Kenneth Crocker wrote:

Ole Craig,

When you are in configuration for groups, then you are basically
setting global rights for all other groups (depending on which ones you
choose) to have over the group you selected initially for setting group
rights (boy, that IS a mouthful isn’t it). For example, if you go to
configuration->groups->GL(name of the group you are setting rights
for)->Group Rights and you grant the right to “SeeGroup” for the group
named “Budget”, then you have granted every user in the “Budget” Group
the right to see the group “GL” on their screen when looking at groups.
If you granted “AdminGroupMembership” to “Budget”, then any user in the
“Budget” group will be able to add/delete members of the “GL” group.
This will apply to ANY group listed on the “Group Rights” screen that
you grant rights to. I’m not sure I explained that in a way that is easy
to understand, but the matrix of privileges as it applie to queues,
groups, users, custom fields, etc is really complex. I hope this helped.

Kenn
LBNL

Ole Craig wrote:

(3.6.0)

Dumb, basic question, if I got it wrong I don’t understand how it’s
possible for my RT instance to be functional at all, but now I’m
worried…

If I’m in Configuration->Groups->[group name]->Group Rights, where it
says "Modify group rights for group [group name]…

am I modifying the rights that [group name] has over each listed role or
group in the comboxes?

Or am I modifying the rights that each listed role or group has over
[group name]?

For instance, if in that screen I see that the ‘EditSavedSearches’ right
under “Everyone” is granted – does that mean that [group name] can edit
the saved searches that show up for the “everyone” role? Or does it mean
that “Everyone” can edit [group name]'s saved searches?

Thanks,
  Ole

/Ole Craig
Security Engineer
Team lead, customer support

ocraig@stillsecure.com
303-381-3824 direct
303-381-3802 support
303-381-3880 fax

www.stillsecure.com