RT permission question

To all,

I thought I understood most of the permission relationships in RT, but
I find I’m a bit stumped with a problem I’m having. I know that to move
a ticket from one queue to another queue that person/group initiating
the move must have “SeeQueue” and “CreateTicket” rights for the intended
queue. I have a situation where those rights are granted, but permission
is denied. I also have a scrip that modifies the owner to “nobody” when
a ticket is moved to another queue. Currently, the code to modify the
owner is in cleanup code. Does anyone have a clue as to why this
transaction is not being allowed? Thanks in advance.

Kenn
LBNL

Kenn,

Does the ticket actually get moved to the other queue? Also, exactly what
error message appears?

Steve

Stephen Turner
Senior Programmer/Analyst - SAIS
MIT IS&T

Stephen,

It merely says "Permission denied". I was looking at the groups he is
in and found that he is in two groups. The first one (Alphabetically) is
not allowed to create tickets in the target queue, but the second is. He
already is the ticket owner and has “ModifyTicket” rights. I was
wondering if RT checks group rights for a target queue and if the first
one fails, doesn’t bother to check any others? Just a thought. I’m going
to do a test by adding the create rights to that first group.

Kenn
LBNL

Stephen,

I tried the following tests:

1) added rights to the first group for target queue. No Joy.
2) tried to have owner move ticket to a queue that allowed any
privileged user to “CreateTicket”. Also no joy.
I’m dumbfounded. He IS a privileged user or I wouldn’t be able to have
him in a group. Of course, I checked anyway.

Kenn
LBNL

Kenn,

Does your user have ModifyTicket on the “from” queue?

One way to really get to the bottom of this is a Perl script that (logged
on as your user) uses the API to read the ticket and attempts to change
the queue. Stepping through the code using the debugger should show you
exactly where the “permission denied” is happening and should help you
figure out why.

Steve

Stephen Turner
Senior Programmer/Analyst - SAIS
MIT IS&T
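
The kind of script Steve describes, as an added example that is not part of the original thread: it loads the ticket as the affected user, reports each right involved in a queue move, then attempts the move and prints RT's own message. The library path and the command-line arguments are assumptions; run it against a test ticket, since a successful call really moves the ticket.

```perl
#!/usr/bin/perl
# Added example: diagnose a denied queue move by acting as the affected user.
use strict;
use warnings;
use lib '/opt/rt3/lib';    # assumption: RT library path, adjust to your install

use RT;
RT::LoadConfig();
RT::Init();

my ($username, $ticket_id, $target) = @ARGV;
die "usage: $0 <username> <ticket-id> <target-queue>\n" unless defined $target;

# Act as the user who gets "Permission denied", not as a superuser.
my $user = RT::CurrentUser->new;
$user->Load($username);
die "No such user: $username\n" unless $user->Id;

my $ticket = RT::Ticket->new($user);
$ticket->Load($ticket_id);
die "Cannot load ticket $ticket_id\n" unless $ticket->Id;

my $queue = RT::Queue->new($user);
$queue->Load($target);
die "Cannot load queue $target\n" unless $queue->Id;

# Rights are evaluated for the current user, including group membership
# and role-based grants such as Owner.
my %checks = (
    'ModifyTicket on the ticket'   => $ticket->CurrentUserHasRight('ModifyTicket'),
    'SeeQueue on target queue'     => $queue->CurrentUserHasRight('SeeQueue'),
    'CreateTicket on target queue' => $queue->CurrentUserHasRight('CreateTicket'),
);
printf "%-30s %s\n", $_, ($checks{$_} ? 'yes' : 'NO') for sort keys %checks;

# Owner matters when ModifyTicket is granted only to the Owner role.
my $owner = $ticket->OwnerObj;
printf "%-30s %s\n", 'Current owner',
    ($owner && $owner->Name) || '(not visible to this user)';

# Attempt the move; SetQueue returns a status flag and a message.
my ($ok, $msg) = $ticket->SetQueue($queue->Id);
printf "%-30s %s (%s)\n", 'SetQueue', ($ok ? 'succeeded' : 'FAILED'), $msg;
```

Running it under `perl -d` and stepping into `SetQueue` shows which check returns the denial.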

Stephen,

Here's another interesting test result; I had this same user create a
ticket in MY queue, which allows any privileged user the “SeeQueue” and
“CreateTicket” rights. Then I had this person create a ticket in his own
queue, make himself owner and then try to move it to my queue, No joy.???

Kenn
LBNL

Stephen,

HA! I finally figured it out. I moved the code that forced the owner to
“Nobody” from “PREP” to “Clean-up”. That did it. Since only the Owner
could modify the ticket, I was undoing that with the prep code. Talk
about shooting yourself in the foot. Thanks for the help.

Kenn
LBNL


The rt-users Archives
