Rights issue on Configuration -> Global -> RT at a glance on RT 3.8.2

Hello,

I’ve a question/request about RT that I have neither been able to
resolve by myself nor found an answer to on the RT wiki or by googling
this mailing list.

I’m a newbie using RT. I’m installing an organizational RT (ver. 3.8.2).
We have some departments that are autonomous of each other. Thus, I want
to grant some privileges for every admin group of each department. I
want to allow them to handle their own queues, groups, etc. But I also
don’t want to allow them to modify others’ space. I have achieved this
configuration, i.e. admins are only able to see their groups, admins can
see all queues but they are only allowed to modify some properties (Cc,
AdminCc,…) of their own queues but not other queues. In order to do
that I have granted them the global right “ShowConfigTab”. Otherwise
they had rights but they couldn’t use them (they couldn’t modify group
membership of their groups,…).

The problem I’m suffering is this: When I grant the “ShowConfigTab”
right to a user or group, I’m also granting privileges to modify the
global RT at a glance. Let me show an example: Let me create a user foo
who can be granted rights (“Let this user be granted rights” is
checked). This new user isn’t a member of any group, so he has no rights
other than those of “Everyone” and “Privileged”. At this moment, global
rights for these groups are the default (no global right for “Everyone”,
and only “ShowApprovalsTab” for “Privileged”). In some queues “Everyone”
has two rights, “CreateTicket” and “SeeQueue”, but as far as I know they
only grant privileges for creating a new ticket in these queues. Let this
user be granted the global “ShowConfigTab” right (“Configuration” →
“Global” → “User Rights”, and there foo is granted “ShowConfigTab”).
Now let foo log in. This user can see the configuration tab, but he
can’t modify anything since he is not allowed to. If he tries to modify
anything RT won’t allow it and foo will read a permission denied
message. But if foo goes to “Configuration” → “Global” → “RT at a
glance” and there he deletes “QuickCreate”, RT allows it, saying “Global
portlet body saved.” Now let the privileged user bar log in. The RT at
a glance of bar no longer has the “QuickCreate” frame that it previously
had. Hence, I don’t want to grant foo the right of modifying the
global RT at a glance!

Is it the expected behaviour? Am I missing anything or doing something
wrong?

Thank you,
Carlos


Carlos García Montoro, Ingeniero Informático
Instituto de Física Corpuscular, Centro Mixto CSIC - UV
Servicios Informáticos
Edificio Institutos de Investigación, Apartado de Correos 22085, E-46071 Valencia, España / Spain
cgarcia@ific.uv.es
Tel: +34 963543706, Fax: +34 963543488
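The behaviour reported in the message above, reduced to a small model: a save handler that only checks the right needed to reach the page, next to one that also checks a write right, plus a check that flags writes reachable with display-only rights. This is an added example, not RT source code and not part of the original post; `RTModel`, the handler names, `ExamplePortlet` and the choice of `SuperUser` as the required write right are assumptions made for illustration.

```python
import copy
from dataclasses import dataclass, field

# Rights named in the thread that only control which tabs are displayed.
DISPLAY_ONLY = frozenset({"ShowConfigTab", "ShowApprovalsTab"})


@dataclass
class RTModel:
    """Toy stand-in for RT's global rights and the shared home page."""
    group_rights: dict = field(default_factory=lambda: {
        "Everyone": set(),                    # default: no global rights
        "Privileged": {"ShowApprovalsTab"},   # default described in the thread
    })
    user_rights: dict = field(default_factory=dict)
    user_groups: dict = field(default_factory=dict)
    # "QuickCreate" comes from the thread; "ExamplePortlet" is a placeholder.
    global_homepage: list = field(
        default_factory=lambda: ["QuickCreate", "ExamplePortlet"])

    def rights_of(self, user):
        """Union of the user's own global rights and those of their groups."""
        rights = set(self.user_rights.get(user, ()))
        for group in self.user_groups.get(user, ()):
            rights |= self.group_rights.get(group, set())
        return rights

    def has_right(self, user, right):
        return right in self.rights_of(user)


def thread_scenario():
    """foo and bar are privileged users; only foo is granted ShowConfigTab."""
    rt = RTModel()
    rt.user_groups = {u: ["Everyone", "Privileged"] for u in ("foo", "bar")}
    rt.user_rights = {"foo": {"ShowConfigTab"}}
    return rt


def save_homepage_tab_gate_only(rt, user, portlets):
    """Reported behaviour: being able to reach the page is the only check."""
    if not rt.has_right(user, "ShowConfigTab"):
        raise PermissionError("Permission denied")
    rt.global_homepage = list(portlets)
    return "Global portlet body saved."


def save_homepage_with_write_check(rt, user, portlets, required="SuperUser"):
    """Same handler, but the write itself needs a separate right.

    Requiring "SuperUser" is this example's assumption, not a statement
    about how any RT release implements the page.
    """
    if not rt.has_right(user, "ShowConfigTab"):
        raise PermissionError("Permission denied")
    if not rt.has_right(user, required):
        raise PermissionError("Permission denied")
    rt.global_homepage = list(portlets)
    return "Global portlet body saved."


def writes_reachable_with_display_rights(handlers, rt, user):
    """Names of handlers that change shared state for a display-only user.

    Each handler runs against a deep copy, so the audit never alters `rt`.
    """
    if not rt.rights_of(user) <= DISPLAY_ONLY:
        raise ValueError(f"{user} holds more than display-only rights")
    flagged = []
    for handler in handlers:
        trial = copy.deepcopy(rt)
        before = list(trial.global_homepage)
        try:
            handler(trial, user, [p for p in before if p != "QuickCreate"])
        except PermissionError:
            continue
        if trial.global_homepage != before:
            flagged.append(handler.__name__)
    return flagged


if __name__ == "__main__":
    rt = thread_scenario()
    handlers = [save_homepage_tab_gate_only, save_homepage_with_write_check]
    print("foo's rights:", sorted(rt.rights_of("foo")))
    print("flagged:", writes_reachable_with_display_rights(handlers, rt, "foo"))
```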


Sorry for posting this twice, but I’m trying to make it shorter.

Please, can anyone confirm for me that a user who only has the global right
“ShowConfigTab” is able to modify the global RT at a glance?

I’m using RT 3.8.2 and I would like to know if either I’m doing
something wrong or this is the expected behaviour. If this were the
second case, should this be considered a bug?

For a longer explanation, attached you can find my previous message.

Thanking you in advance,
Carlos



Carlos,

I may be mistaken, but I think the “ShowConfigTab” merely allows the
user to see that tab and the functions under it. The user still needs to
have other rights (like “ShowTemplate” and “ModifyTemplate”) in order to
see/modify templates and I’m sure the same situation exists for other
objects to be modified.

Kenn
LBNL

On 6/4/2009 2:54 AM, Carlos Garcia Montoro wrote:

Sorry for posting this twice, but I’m trying to make it shorter.

Please, can anyone confirm for me that a user who only has the global
right “ShowConfigTab” is able to modify the global RT at a glance?

I’m using RT 3.8.2 and I would like to know if either I’m doing
something wrong or this is the expected behaviour. If this were the
second case, should this be considered a bug?

For a longer explanation, attached you can find my previous message.

Thanking you in advance,
Carlos


Subject: [rt-users] Rights issue on Configuration → Global → RT at a glance on RT 3.8.2
From: Carlos Garcia Montoro cgarcia@ific.uv.es
Date: Fri, 29 May 2009 12:18:06 +0200
To: rt-users@lists.bestpractical.com



The rt-users Archives

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com



Hi Kenn, hi everybody,

Thank you for your answer. I was expecting the same behaviour as you.
But to my unpleasant surprise, a user who only has

  • “ShowConfigTab” global right for himself,
  • “ShowApprovalsTab” global right for Privileged users, and
  • “CreateTicket” and “SeeQueue” in some queues as Everyone’s rights in
    those queues

can do nothing harmful with the single exception of modifying the global
RT at a glance.

This behaviour has surprised me probably as much as you. Because of it,
I would like someone else to check this configuration in order to see
whether it is my fault (I am doing something wrong) or it is an RT bug
(this happens to everybody, but it shouldn’t).

Greetings,
Carlos

PS: I found somewhere an RT installation for testing purposes, but
users’ grants, including root, were so restricted that I couldn’t
reproduce the configuration I wanted.

Ken Crocker wrote:

Carlos,

I may be mistaken, but I think the “ShowConfigTab” merely allows the
user to see that tab and the functions under it. The user still needs to
have other rights (like “ShowTemplate” and “ModifyTemplate”) in order to
see/modify templates and I’m sure the same situation exists for other
objects to be modified.

Kenn
LBNL


Are you sure it’s the global RT At a Glance? It seems everyone can
modify it for themselves…

On Jun 5, 2009, at 12:55 AM, Carlos Garcia Montoro wrote:

Hi Kenn, hi everybody,

Thank you for your answer. I was expecting the same behaviour as
you. But to my unpleasant surprise, a user who only has

  • “ShowConfigTab” global right for himself,
  • “ShowApprovalsTab” global right for Privileged users, and
  • “CreateTicket” and “SeeQueue” in some queues as Everyone’s rights
    in those queues

can do nothing harmful with the single exception of modifying the
global RT at a glance.

This behaviour has surprised me probably as much as you. Because of
it, I would like someone else to check this configuration in order to
see whether it is my fault (I am doing something wrong) or it is an
RT bug (this happens to everybody, but it shouldn’t).

Greetings,
Carlos

PS: I found somewhere an RT installation for testing purposes, but
users’ grants, including root, were so restricted that I couldn’t
reproduce the configuration I wanted.


Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness

Yes. Everyone who is allowed to “ShowConfigTab” can modify the global RT
at a glance, modifying others’ homepage. I find it ugly…

Carlos

Jo Rhett wrote:

Are you sure it’s the global RT At a Glance? It seems everyone can
modify it for themselves…


Carlos,

I’m with Jo on this one. We are on 3.6.4 and I have over 100 users
and the majority of them do /NOT/ have the “ShowConfigTab” right yet
they /ALL/ can modify their “RT at a Glance” settings.

Kenn
LBNL

On 6/5/2009 3:13 AM, Jo Rhett wrote:

Are you sure it’s the global RT At a Glance? It seems everyone can
modify it for themselves…


I wanted to grant “ShowConfigTab” only to a few users who are “group
directors” at my institution, but I don’t want that to let them
modify the /GLOBAL/ RT at a glance, as they can if they have this
single right.

Jo, I’m sure that it is the global RT at a glance, because I’m following
these steps: “Configuration → Global → RT at a glance” and because if
any user who has ShowConfigTab changes something there, and you log out
and log in as another user, the RT at a glance of the second user has
changed.

Kenn, the problem is not that they can change their own RT at a glance.
The problem is that they can change the global RT at a glance…

Perhaps I’m missing something, but at the moment, I don’t know what it is.

Thank you again,
Carlos

Ken Crocker wrote:

Carlos,

I’m with Jo on this one. We are on 3.6.4 and I have over 100 users
and the majority of them do /NOT/ have the “ShowConfigTab” right yet
they /ALL/ can modify their “RT at a Glance” settings.

Kenn
LBNL

Are you sure it’s the global RT At a Glance? It seems everyone can
modify it for themselves…

Hi Kenn, hi everybody,

Thank you for your answer. I was expecting the same behaviour as you.
But for my unpleasant surprise, a user who only has

  • “ShowConfigTab” global right for himself.
  • “ShowApprovalsTab” global right for Privileged users. And
  • “CreateTicket” and “SeeQueue” in some queues as Everyone’s rights
    in those queues.

can do nothing harmful with the single exception of modifying the
global RT at a glance.

This behaviour has surprised me probably as much as you. Because of
it, I want that someone else checks this configuration in order to
see whether it is my fault (I am doing something wrong) or it is a RT
bug (this happens to everybody, but it shouldn’t).

Greetings,
Carlos

PS: I found somewhere a RT installation for testing purposes, but
users grants, including root, were so restricted, that I couldn’t
reproduce the configuration I wanted.

Ken Crocker wrote:

Carlos,
I may be mistaken, but I think the “ShowConfigTab” merely allows
the user to see that tab and the functions under it. The user still
needs to have other rights (like “ShowTemplate” and
“ModifyTemplate”) in order to see/modify templates and I’m sure the
same situation exists for other objects to be modified.
Kenn
LBNL

Sorry for posting this twice, but I’m trying to make it shorter.

Please, can anyone confirm me that a user who only has the global
right “ShowConfigTab” is able to modify the global RT at a glance?

I’m using RT 3.8.2 and I would like to know if either I’m doing
something wrong or this is the expected behaviour. If this were the
second case, should this be considered a bug?

For a longer explanation, attached you can find my previous message.

Thanking you in advance,
Carlos


Subject: [rt-users] Rights issue on Configuration → Global → RT at a glance on RT 3.8.2
From: Carlos Garcia Montoro cgarcia@ific.uv.es
Date: Fri, 29 May 2009 12:18:06 +0200
To: rt-users@lists.bestpractical.com
Hello,

I’ve a question/request about RT that I have been neither able to
resolve from myself, nor have I found it at the RT wiki or googling
this mailing list.

I’m newbie using RT. I’m installing an organizational RT (ver.
3.8.2). We have some departments that are autonomous of each other.
Thus, I want to grant some privileges for every admin group of each
department. I want to allow them to handle their own queues,
groups, etc. But I also want not to allow them to modify others
space. I have achieved this configuration, i.e. admins are only
able to see their groups, admins can see all queues but they are
only allowed to modify some properties (Cc, AdminCc,…) of their
own queues but not other queues. In order to do that I have granted
them the global right “ShowConfigTab”. Otherwise they had rights
but they couldn’t use them (they couldn’t modify group membership
of their groups,…).

The problem I’m suffering is this: When I grant the “ShowConfigTab”
right to a user or group, I’m also granting privileges to modify
the global RT at a glance. Let me show an example: Let me create a
user foo who can be granted rights (“Let this user be granted
rights” is checked). This new user isn’t a member of any group, so
he has no right rather than “Everyone” and “Privileged”. At this
moment, global rights for these groups are the default (no global
right for “Everyone”, and only “ShowApprovalsTab” for
“Privileged”). In some queues “Everyone” has two rights
“CreateTicket” and “SeeQueue”, but as far as I know they only grant
privileges for creating a new ticket in these queues. Let this user
be granted the global “ShowConfigTab” right ( “Configuration” →
“Global” → “User Rights”, and there foo is granted to
“ShowConfigTab”). Now let foo log in. This user can see the
configuration tab, but he can’t modify anything since he is not
allowed to. If he tries to modify anything RT won’t allow it and
foo will read a permission denied message. But if foo goes to
“Configuration” → “Global” → “RT at a glance” and there he
deletes “QuickCreate”, RT allows it saying “Global portlet body
saved.”. Now let the privileged user bar log in. The RT at a glance
of bar has no longer the “QuickCreate” frame when it previously had
it. Hence, I don’t want to grant foo the right of modifying the
global RT at a glance!

Is it the expected behaviour? Am I missing anything or doing
something wrong?

Thank you,
Carlos



Jo and Kenn,

Thank you for your comments about this issue. In the end it was a bug of
RT. Fortunately, I created a ticket on http://rt3.fsck.com/ and the
people from Best Practical (I think that they were Kevin Falcone and
Jesse Vincent) put their hands on it immediately and they have just
solved this /security bug/.

This is part of the message posted by Kevin Falcone:

The most important fix is that RT now requires the SuperUser
right to edit global RT at a Glance. In all previous 3.8
releases, the “ShowConfigTab” right unintentionally enabled this.
If you have not granted this right to any non-administrative user,
then this issue should not affect you.

You can read the whole in the message “RT 3.8.4 Released” written by
Kevin. So, you probably should consider either to patch your current
installation or to upgrade it.

Kenn, Jo, thank you again for your help and comments, and thanks to the
people of bestpractical.

Best wishes,
Carlos


PS: It seems to me that Shawn Moore also worked on fixing it.

Carlos

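The check described in the quoted release note, modelled as an added example that is not RT's code and not from any poster in this thread: it compares the pre-fix rule (ShowConfigTab is enough to edit global RT at a Glance) with the post-fix rule (SuperUser required) and lists the accounts whose access differs. The ACL rows, group names and the users alice and root are constructed assumptions; foo and bar follow the example in the first message.

```python
"""Simplified model (not RT code) of the ShowConfigTab / SuperUser check."""

# Constructed sample data. Each ACL row: (principal, right, object).
# "RT::System" marks a global grant, as made under Global -> User Rights.
ACL = [
    ("user:root", "SuperUser", "RT::System"),
    ("user:foo", "ShowConfigTab", "RT::System"),
    ("group:Privileged", "ShowApprovalsTab", "RT::System"),
    ("group:Everyone", "CreateTicket", "queue:General"),
    ("group:Everyone", "SeeQueue", "queue:General"),
    ("group:DeptAdmins", "ShowConfigTab", "RT::System"),
]

# Constructed group membership; DeptAdmins is a hypothetical department group.
MEMBERS = {
    "group:Everyone": {"user:root", "user:foo", "user:bar", "user:alice"},
    "group:Privileged": {"user:root", "user:foo", "user:bar", "user:alice"},
    "group:DeptAdmins": {"user:alice"},
}


def global_rights(user):
    """Global rights held directly or inherited through group membership."""
    holders = {user} | {g for g, m in MEMBERS.items() if user in m}
    return {r for p, r, obj in ACL if p in holders and obj == "RT::System"}


def has_global_right(user, right):
    """True if the user holds the right globally; SuperUser implies all rights."""
    rights = global_rights(user)
    return "SuperUser" in rights or right in rights


def may_edit_global_glance(user, fixed):
    """Before the fix ShowConfigTab sufficed; after it SuperUser is required."""
    required = "SuperUser" if fixed else "ShowConfigTab"
    return has_global_right(user, required)


def exposed_users():
    """Users who could edit global RT at a Glance only under the pre-fix rule."""
    users = set().union(*MEMBERS.values())
    return sorted(
        u for u in users
        if may_edit_global_glance(u, fixed=False)
        and not may_edit_global_glance(u, fixed=True)
    )


if __name__ == "__main__":
    for u in exposed_users():
        print(f"{u}: holds ShowConfigTab without SuperUser; review this grant")
```

The group-inherited case (alice) is the one a review of per-user grants alone would miss.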