Refine users ticket visibility: view only OWN tickets

Hi,

We have been using RT for a few years. In our current RT setup (version 4.2.2), for every one of our customers we create a ticket queue and a user group. Then, in that user group, we grant rights for that specific queue to enable our customer users to: ‘CreateTicket’, ‘ReplyToTicket’, ‘SeeQueue’ and ‘ShowTicket’. Customer users belonging to these groups remain as unprivileged users. We have separate user groups for our own staff (staff users are privileged).
Our aim is mainly to prevent a group of customers having visibility of other customer groups' tickets and, also, easier management of scrips, etc.
Additionally, and this is important, we rely on the REST API to provide customers with ticket lists, searches and integration with some of our services through our web portal. As an effect of that, customers never get to interact with the RT GUI.

Now, what we would need to implement is a finer visibility configuration. More concretely, SOME of our customer users (‘restricted’ users) should ONLY be able to see those tickets in which they have the roles ‘cc’ or ‘requestor’.
And at the same time, when they perform a search through the REST API, only the tickets for which they are requestor or cc should be returned (this one is important).

To do so, my approach was:
While now we create one single group for every queue, create two groups instead: one with restricted rights and another with the rights we have usually been granting the users.
The ‘restricted’ user group would have no ‘ShowTicket’ right; as a result, their searches would return empty. But, combined with having the right ‘ShowTicket’ granted to the requestor and cc roles, I guessed that would enable users to see the tickets for which they are requestor/cc, and get ONLY these tickets returned on their searches through the REST API.

The problem is that, although I have tried quite a few tweaks around this on a devel env (configuring customer users as privileged, for instance), I cannot get this behavior to work.
The result is that, if I grant the ‘ShowTicket’ right to the ‘restricted’ user group, they see ALL the tickets in the queue; if I don’t, they see none (same goes for ticket search results). For some reason, it’s like it’s ignoring the rights I had expected to be granted to the user via the roles ‘requestor’ and ‘cc’ (as I already mentioned, these roles DO have the ‘ShowTicket’ right).
Indeed, I really feel I am missing something here.

In the meantime, I have also started to explore the possibility of having to add a custom right for this behavior. So, following the info I found at the RT wiki, I have already defined a ‘SeeOwnTickets’ right in the Queue_Local.pm file.
But in the scenario of having to solve it this way, I would really appreciate some guidance on which parts of the RT code I should add the auth check to (considering our users only interact via the REST API).

I have already spent some time working on this; any help/guidance would be certainly appreciated.

Thanks in advance,
Oriol Soriano.
PS: Yes, I have read http://requesttracker.wikia.com/wiki/Rights and other areas of the wiki about this topic.
PS2: I have also searched for this on the user list. Although I did find some answers and tried a few suggestions, I was not able to fully get my desired config to work.

I made some progress; let’s see if that rings a bell:

Granting the right ‘ShowTicket’ globally to the role requestor got me to the behavior I was looking for (but… that’s not the solution I want).

More exactly:

Having Global requestor role WITH ‘ShowTicket’, Queue specific requestor role WITH ‘ShowTicket’ & Queue specific user group ‘restricted’ WITHOUT ‘ShowTicket’, would result in the user only being able to see those tickets for which he is requestor; similarly, only those tickets would be returned in a REST API search.

But, as I already said, having Global requestor role WITHOUT ‘ShowTicket’, Queue specific requestor role WITH ‘ShowTicket’ & Queue specific user group ‘restricted’ WITHOUT ‘ShowTicket’, would result in the user not being able to see any ticket in the queue; not even those for which he is requestor.

So, considering the following “right layers” in this case:

  1. Global rights
  2. Queue role rights
  3. Queue user group rights

Is the queue-specific user group rights configuration overriding the same queue’s role rights configuration? I.e., is the queue user group NOT having ‘ShowTicket’ overriding the queue role having it?

If so, how could I implement the configuration I’m looking for without having to grant that right globally to the requestor role? I would certainly prefer not having to do that.

From: Oriol Soriano
Sent: Tuesday, 19 August 2014 16:46
To: rt-users@lists.bestpractical.com
Subject: Refine users ticket visibility: view only OWN tickets


I did the following.

Create a user named Foo who is unprivileged
Create a queue named Test
Grant Requestor ShowTicket from the Test Queue’s Group Rights page

Create a ticket in General with Foo as the Requestor
Create a ticket in Test with Foo as the Requestor

Log in as Foo
Get the SelfService UI
See only the ticket in Test with Foo as a Requestor

No other rights were configured other than the rights granted as part
of a base RT install.

This was on 4.2-trunk, which is 4.2.6 plus patches intended for 4.2.7,
however I am not aware of anything that would impact this since 4.2.2.

-kevin
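Kevin's check went through the SelfService UI, while the restricted users in the original post only ever touch the REST API. The following is an added example (not code from the thread or from RT) of the REST-side counterpart of that check: it parses a `format=l` search response and lists any returned ticket on which the searching user is neither Requestor nor Cc, which is exactly what must come back empty if the role-based ShowTicket grant is working. The response text, queue and user names are constructed.

```python
import re

# Constructed sample of an RT REST 1.0 search response (format=l), as a
# restricted customer user would get it; records are separated by "--".
SAMPLE_RESPONSE = """RT/4.2.2 200 Ok

id: ticket/101
Queue: CustomerA
Requestors: alice@customer-a.example
Cc:

--

id: ticket/102
Queue: CustomerA
Requestors: bob@customer-a.example
Cc: alice@customer-a.example, ops@customer-a.example

--

id: ticket/103
Queue: CustomerA
Requestors: carol@customer-a.example
Cc:
"""

def parse_long_format(text):
    """Split a format=l response into one dict of RT fields per ticket."""
    body = text.split("\n", 2)[-1]        # drop the "RT/x.y.z 200 Ok" status line
    tickets = []
    for record in re.split(r"^--$", body, flags=re.M):
        fields = dict(re.findall(r"^([A-Za-z]+): ?(.*)$", record, flags=re.M))
        if "id" in fields:                # also skips "No matching results."
            tickets.append(fields)
    return tickets

def addresses(value):
    """RT watcher field ('a@x, b@y') -> set of lower-cased addresses."""
    return {a.strip().lower() for a in value.split(",") if a.strip()}

def leaked_tickets(response, user_email):
    """Ids of returned tickets on which the user is neither Requestor nor Cc.
    An empty list means the search honoured the intended visibility."""
    user = user_email.lower()
    return [t["id"] for t in parse_long_format(response)
            if user not in addresses(t.get("Requestors", ""))
            and user not in addresses(t.get("Cc", ""))]
```

Run it against the real response of a search performed with the restricted user's REST credentials; any id it prints is a ticket that user should not have been able to see.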