RT 3.4.4, ACLs and privacy

Hi to the list,

Got some difficulties understanding one point regarding ACLs (yes, I
read the wiki and yes, I bought the book :) ) and maybe you will provide some
help.

RT 3.4.4 is used.

We’ve got a queue; the queue is called ‘Issues’.

Each customer (A, B, C) has its own login and I want them to be able
to create and to have a look at their tickets through the web interface.
They will only see the issues they submitted to the queue and I don’t
want A to see B’s tickets, C’s tickets …

A, B & C belong to a group called ‘Customers’.

Let’s call my second group ‘Staff’, composed of guys who will have to
answer tickets.

I defined the following rights for the Customers Queue :

A- System Groups / Privileged : Create ticket - Reply to ticket - See queue

B- Roles / Requestor Rights => See Queue - Show ticket - Reply to ticket

C- User Defined groups / Customers ==> See Queue - Create tickets.

D- User Defined groups / Staff ==> Comment + Create + Delete + Modify +
Own + Show Mail + Show ticket + Show ticket comments + Steal tickets +
Take tickets

Scenario :

Customer A creates a ticket viewable only by himself + staff (normal
behaviour).

Once a staff member took the ticket to work on it, we can see ‘Owner
changed from Nobody to staff’ in the TT history (normal behaviour too).

Problem: Customer A does not see its ticket anymore in the interface.
If the staff member changes the owner to ‘Nobody’, the ticket becomes
viewable again for ‘A’.

If I change User Defined groups / Customers ==> See Queue - Create
tickets to ==> See Queue + Create tickets + See Ticket, ‘A’ will see its
ticket again and others’ tickets too … and this becomes a problem.

Any help will be appreciated

Best Regards

Max.

Merry Christmas !

I would be willing to help, but by the time I got to the
bottom of your e-mail, I was as confused as you are. :)

Maybe if you can break it down a little better we can
get it figured out.

Also, I have developed an extension called RTx::RightsMatrix that
makes it a little easier to view and edit RT rights. It’s on
your favorite CPAN mirror.

-Todd

On Sat, Dec 03, 2005 at 07:03:20PM +0100, Maxime Levasseur wrote:


The rt-users Archives

Be sure to check out the RT Wiki at http://wiki.bestpractical.com

Download a free sample chapter of RT Essentials from O’Reilly Media at
http://rtbook.bestpractical.com

WE’RE COMING TO YOUR TOWN SOON - RT Training in Amsterdam, Boston and
San Francisco - Find out more at
http://bestpractical.com/services/training.html

> Also, I have developed an extension called RTx::RightsMatrix that
> makes it a little easier to view and edit RT rights. It’s on
> your favorite CPAN mirror.

In fact RTx::RightsMatrix was already installed on my box (great
tool, thanks for it).

Gonna try to explain it briefly:

Got only one queue: Issues
Got 2 groups: Tech Staff and Customers (3 members: A, B, C)
When A opens a ticket in the queue ‘Issues’, I don’t want B and C to see it.
Same thing for the others. Of course ‘Tech Staff’ members must see
tickets from A, B, C to be able to work on them.

With the ACLs described in my last post, it works but I’ve got a problem.

The main one is when a freshly opened ticket (owned by nobody) is
taken in charge by a Tech Staff member (at this moment it becomes
‘owned by techstaff’). From the web interface, the ticket becomes
invisible to customer A (= the requestor). The only solution to make
it visible again is to change the owner from ‘techstaff’ to ‘nobody’.

When a ticket must be kept by the tech support for a few hours or a
couple of weeks :) , the customer must be able to track it on the web.

Thanks again for your help.

max.

Giving the requestor role the rights they need should fix that.

> Giving the requestor role the rights they need should fix that.

This is my point, Todd :)

Requestor role rights level is OK from my point of view: See Queue +
Show ticket + Reply to ticket are granted … and the ticket is seen by
the requestor except when it is owned by anybody else.

I’m lost :(

Does RightsMatrix think they have the right before, but not
after?

On Sat, Dec 03, 2005 at 09:13:54PM +0100, Maxime Levasseur wrote:

> Also, I have developed an extension called RTx::RightsMatrix that
> makes it a little easier to view and edit RT rights. It’s on
> your favorite CPAN mirror.

I just installed that…it ROCKS, ROCKS, ROCKS! Thank you for creating
this tool!

One small suggestion, if I may: During the installation, it was not clear
to me that when it asked for a “path to RT.pm”, it meant the directory
only. I was trying the full path to the file itself. Changing that prompt
might help avoid install trouble for others. :)

But once installed, it works a treat!

Scott

Scott Courtney | “I don’t mind Microsoft making money. I mind them
scott@4th.com | having a bad operating system.” – Linus Torvalds
http://4th.com/ | (“The Rebel Code,” NY Times, 21 February 1999)
| PGP Public Key at http://4th.com/keys/scott.pubkey

> > Also, I have developed an extension called RTx::RightsMatrix that
> > makes it a little easier to view and edit RT rights. It’s on
> > your favorite CPAN mirror.
>
> I just installed that…it ROCKS, ROCKS, ROCKS! Thank you for creating
> this tool!

Aw, shucks. :)

> One small suggestion, if I may: During the installation, it was not clear
> to me that when it asked for a “path to RT.pm”, it meant the directory
> only. I was trying the full path to the file itself. Changing that prompt
> might help avoid install trouble for others. :)

Let’s blame Ruslan. I stole all the installation stuff from his
awesome extension, RTx::Shredder.

> But once installed, it works a treat!

Good to know. Maybe I should bump the version to 1.0. I haven’t
got any bug reports in a while.

Todd Chapman wrote:

> Does RightsMatrix think they have the right before, but not
> after?

I’m a little bit less lost now but my problem isn’t solved.
My problem is here; I have this ACL for my queue:

A- System Groups / Privileged : Create ticket - Reply to ticket - See queue
B- Roles / Requestor Rights => See Queue - Show ticket - Reply to ticket
C- User Defined groups / Customers ==> See Queue - Create tickets.

Problem is rule C. If I add the ‘Show Ticket’ permission, customer A
will see tickets from cust B, cust C … and if I don’t, cust A won’t see
its own tickets anymore (when they are owned by someone else … a
technical staff member for example).

If someone here uses a single queue for several users without any privacy
problem, please give me the ACLs :)

max.

> Problem is rule C. If I add the ‘Show Ticket’ permission, customer A
> will see tickets from cust B, cust C … and if I don’t, cust A won’t see
> its own tickets anymore (when they are owned by someone else … a
> technical staff member for example).

Configuration->Queues->PickYourCustomerQueue->Group Rights->
Roles->Requestor->SeeTicket

> Problem is rule C. If I add the ‘Show Ticket’ permission, customer A
> will see tickets from cust B, cust C … and if I don’t, cust A won’t see
> its own tickets anymore (when they are owned by someone else … a
> technical staff member for example).
>
> If someone here uses a single queue for several users without any privacy
> problem, please give me the ACLs :)

I’ve checked this and it works, at least the user could find his tickets.
Maybe you mean that the “Quick search” list of queues is empty?

Best regards, Ruslan.

Thanks for your time Ruslan, Todd

You’re absolutely right: the user can find his tickets, and only his
tickets will appear … AND the ‘Quick search’ list of queues is empty. How
to explain it (the requestor is allowed to ‘See queue’)? How can I
change it to make my user happy by viewing his tickets in the Quick
Search list?

Thanks again.

If you give the user SeeQueue, the number shown in Quick Search will
not be the number of his tickets, but all tickets in the queue. But
the user will not be able to see the actual tickets for the other
users. If that is OK, you need to give SeeQueue to each user specifically,
or to Unprivileged users.

-Todd

Oh, wait. If they are using the Self Service interface then they
don’t see Quick Search.
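
The rule set this thread converges on, as a simplified Python model added here (not code from RT or from any poster): a right granted to a role is resolved per ticket, while a right granted to a group applies to every ticket in the queue. The user `tech1`, the ticket data and the abbreviated right names are constructed for illustration, and the queue count follows Todd's description of Quick Search.

```python
# Simplified model of the queue ACL discussed in this thread (not RT's code).
from dataclasses import dataclass

@dataclass
class Ticket:
    id: int
    requestor: str
    owner: str = "Nobody"

# Constructed sample data: customers A, B, C and one staff member.
GROUPS = {"Customers": {"A", "B", "C"}, "Staff": {"tech1"}}
TICKETS = [Ticket(1, "A", owner="tech1"), Ticket(2, "B"), Ticket(3, "C", owner="tech1")]

def principals(user, ticket=None):
    """Group memberships always apply; roles exist only relative to a ticket."""
    held = {f"group:{g}" for g, members in GROUPS.items() if user in members}
    if ticket is not None and ticket.requestor == user:
        held.add("role:Requestor")
    return held

def has_right(acl, user, right, ticket=None):
    return any(right in acl.get(p, ()) for p in principals(user, ticket))

def visible(acl, user, tickets=TICKETS):
    """IDs of the tickets the user may open (ShowTicket checked per ticket)."""
    return [t.id for t in tickets if has_right(acl, user, "ShowTicket", t)]

def queue_count(acl, user, tickets=TICKETS):
    """Quick Search count as Todd describes it: the whole queue, if SeeQueue is held."""
    return len(tickets) if has_right(acl, user, "SeeQueue") else None

# Rules B, C and D from the thread (right names abbreviated).
ACL = {
    "role:Requestor": {"SeeQueue", "ShowTicket", "ReplyToTicket"},
    "group:Customers": {"SeeQueue", "CreateTicket"},
    "group:Staff": {"ShowTicket", "OwnTicket", "TakeTicket", "ModifyTicket"},
}
# The change that broke privacy: ShowTicket on the whole Customers group.
LEAKY_ACL = {**ACL, "group:Customers": ACL["group:Customers"] | {"ShowTicket"}}

if __name__ == "__main__":
    for name, acl in (("role grant", ACL), ("group grant", LEAKY_ACL)):
        for user in ("A", "B"):
            print(name, user, "sees", visible(acl, user), "count", queue_count(acl, user))
```

In this model customer A sees only ticket 1 whatever its owner is, yet the count of 3 still discloses the overall queue volume. With the group-level grant, A sees all three tickets.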