RTV4.0.0: User Access Restrictions

RT Users
1

This email and any attachments are confidential and intended for use by the addressee only. If you are not the intended recipient, please delete it and destroy any copies.

No part of this email may be reproduced, adapted or transmitted without the written permission of the owner of the copyright or other intellectual property in it.

COLORADO group does not accept liability for loss or damage caused by this email, for example by a computer virus or arising from data corruption, delay, interruption, unauthorised access or any other thing.

RT Access Profile.xls (25 KB)

2

Hello,
Back in June I emailed the below question/request for help and I don’t believe I have seen a response to that.

Does anyone have any good ideas/pointers on this? I have searched archives & manuals etc. but I can’t see what right I am applying that is allowing all my users Admin rights.

Many thanks in advance.

Jo

Jo Keown, MBusAdmin(Mgt), MIPA
IS Business Analyst
Colorado Group Ltd
100 Melbourne Street
South Brisbane QLD 4101
Ph: +61 7 3877 3399
Mobile: 0402 697 351
Email: joanne.keown@coloradogroup.com.aumailto:joanne.keown@coloradogroup.com.auFrom: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of Joanne Keown
Sent: Friday, 24 June 2011 11:36 AM
To: RT-Users@lists.bestpractical.com
Subject: [rt-users] RTV4.0.0: User Access Restrictions

Hi all,

I have set up a number of users within groups on RT V4.0.0 and have been testing to make sure that these users only have access to view and update certain areas in RT. When I log in as users “jfaulkner” and “dchapman” (in customer Services group) I notice that they have full administration access, even though I have not applied these rights to either the User or Group profiles. I’m miffed as to where these rights are coming from and I’m hoping that someone can tell me what I’m missing.

Attached is a spreadsheet that shows what access I have applied to the groups, users, queues and custom fields. Can someone enlighten me on what could be allowing my users full admin rights to:

  •     update other users,

  •     Change group information,

  •     Change Queue information,

  •     Admin update custom field metadata - etc.

Many thanks and kind regards

Jo

Jo Keown, MBusAdmin(Mgt), MIPA
IS Business Analyst
Colorado Group Ltd
100 Melbourne Street
South Brisbane QLD 4101
Ph: +61 7 3877 3399
Mobile: 0402 697 351
Email: joanne.keown@coloradogroup.com.aumailto:joanne.keown@coloradogroup.com.au

This email and any attachments are confidential and intended for use by the addressee only. If you are not the intended recipient, please delete it and destroy any copies.

No part of this email may be reproduced, adapted or transmitted without the written permission of the owner of the copyright or other intellectual property in it.

COLORADO group does not accept liability for loss or damage caused by this email, for example by a computer virus or arising from data corruption, delay, interruption, unauthorised access or any other thing.

ATT00001…txt (777 Bytes)

ATT00002…txt (74 Bytes)

RT Access Profile.xls (25 KB)

3

Back in June I emailed the below question/request for help and I don’t
believe I have seen a response to that.

Does anyone have any good ideas/pointers on this? I have searched
archives & manuals etc. but I can’t see what right I am applying that is
allowing all my users Admin rights.

The information in the spreadsheet simply isn’t enough. There’s many
other places you could be granting them rights. We can’t offer more
than guesses without essentially a database dump of the relevant RT tables.

Thomas

4

Back in June I emailed the below question/request for help and I don’t
believe I have seen a response to that.

Does anyone have any good ideas/pointers on this? I have searched
archives & manuals etc. but I can’t see what right I am applying that is
allowing all my users Admin rights.

The information in the spreadsheet simply isn’t enough. There’s many
other places you could be granting them rights. We can’t offer more
than guesses without essentially a database dump of the relevant RT tables.

You have likely misapplied the “Superuser” right on some group the users
are in, directly or indirectly. The following (which is untested,
simply written off the top of my head), run from your database, should
tell you which group that they are in has this right:

select Groups.* from Users
join CachedGroupMembers on CachedGroupMembers.MemberId = Users.id
join ACL on ACL.PrincipalId = CachedGroupMembers.GroupId
and ACL.RightName = ‘SuperUser’
join Groups on Groups.id = ACL.PrincipalId
where Users.Name = ‘dchapman’

  • Alex
5

Joanne,

Have you installed RT::Rights Matrix? I have found that VERY useful in the
past. If someone is getting rights from more than one setting, it will show
up in those results.

Kenn
LBNLOn Thu, Jul 7, 2011 at 9:28 AM, Alex Vandiver alexmv@bestpractical.comwrote:

On Thu, 2011-07-07 at 09:52 -0400, Thomas Sibley wrote:

On 07/06/2011 06:44 PM, Joanne Keown wrote:

Back in June I emailed the below question/request for help and I don’t
believe I have seen a response to that.

Does anyone have any good ideas/pointers on this? I have searched
archives & manuals etc. but I can’t see what right I am applying that
is
allowing all my users Admin rights.

The information in the spreadsheet simply isn’t enough. There’s many
other places you could be granting them rights. We can’t offer more
than guesses without essentially a database dump of the relevant RT
tables.

You have likely misapplied the “Superuser” right on some group the users
are in, directly or indirectly. The following (which is untested,
simply written off the top of my head), run from your database, should
tell you which group that they are in has this right:

select Groups.* from Users
join CachedGroupMembers on CachedGroupMembers.MemberId = Users.id
join ACL on ACL.PrincipalId = CachedGroupMembers.GroupId
and ACL.RightName = ‘SuperUser’
join Groups on Groups.id = ACL.PrincipalId
where Users.Name = ‘dchapman’

  • Alex

2011 Training: http://bestpractical.com/services/training.html