Questions about crontool user setup

Hi list,
I’m looking into email alerts for untouched tickets, and I thought of the
crontool right away. In reading its Wiki page, I’m a little confused about
setting up the user to run it. RT 4.4.1, Debian 8. Link I’ve been reading:
https://rt-wiki.bestpractical.com/wiki/UseRtCrontool

The page says to make an RT user and a Unix user. If the tool runs on the
server, though, where does the RT user come into it? If I do need both a
Unix and RT user, what do I enter into RT as the user’s Unix login value?
Can I just make my RT user part of the admin group, or should I only
grant it the two rights the Wiki page mentions (view/modify tickets in all
queues)? That is, do I need to grant specific user rights, because of
security concerns surrounding making this user a full admin, or can I just
make it an admin? Thanks for any explanations.
Alex Hall
Automatic Distributors, IT department
ahall@autodist.com

Hi list,
I’m looking into email alerts for untouched tickets, and I thought of the
crontool right away. In reading its Wiki page, I’m a little confused about
setting up the user to run it. RT 4.4.1, Debian 8. Link I’ve been reading:
https://rt-wiki.bestpractical.com/wiki/UseRtCrontool

The page says to make an RT user and a Unix user.

Correct.

If the tool runs on the

server, though, where does the RT user come into it?

The RT is pertinent because while the shell account can execute
programs on the system, the RT database only knows of users that exist
in the database.

Thus, the crontool user (shell account) will change the status, or
comment, or correspond, or make any other txn, the RT system needs an
"actor" for that txn. So, you need to link the system (shell) account
and the RT (database) account.

If I do need both a

Unix and RT user, what do I enter into RT as the user’s Unix login value?

We have an RT user named: rtcrontool. We also have a system (shell)
account with the same name.

In the modify page for the user, there is a “Unix login” field. Enter
your system (shell) account name there. It happens to be the same in
our situation, but it need not be.

Can I just make my RT user part of the admin group, or should I only grant
it the two rights the Wiki page mentions (view/modify tickets in all
queues)?

We do not give the rtcrontool user admin rights.

Our rtcrontool user has the following rights:

comment on tickets
reply to tickets
view custom field values
view queue
view ticket summaries
modify custom field values
modify tickets
view scrip templates

It has been many years since we installed RT and our rtcrontool user
does many different things. That said, I’m not sure if all the above
rights are needed/correct for our environment.

That is, do I need to grant specific user rights, because of

security concerns surrounding making this user a full admin, or can I just
make it an admin?

I would only grant what you need.

Thanks for any explanations.

-m