Secret queues with restricted access

Hi.

I want to create a queue that is not visible to the bulk of RT users.
Only a few.
So only a select number of users will have access AND be able to see the
queue.
That means it should only show up in a queue listing for those specific
logins.

I’m sure this can be done with a customised script but can it be done
with existing config options?
Thanks for any help.
Kind regards.

Luke

I want to create a queue that is not visible to the bulk of RT users.
Only a few.
So only a select number of users will have access AND be able to see the
queue.
That means it should only show up in a queue listing for those specific
logins.

You could always create a group containing those users, create the queue and give that group and
those users permissions to it.

#!/usr/bed/snoof
use fingers;

Sure. Just don’t give the default groups (Everyone, Unprivileged,
Privileged) SeeQueue or ShowTicket or anything like that. That’s the
nice thing about the RT ACLs is that they start very restrictive, and
you can ease it as much as you want. It won’t show up in Quick Search
or in “New ticket in” or anything like that for anyone but those you
explicitly give permission to.

Hi Eric.
That sounds great.

Schultz, Eric wrote:

Sure. Just don’t give the default groups (Everyone, Unprivileged,
Privileged) SeeQueue or ShowTicket or anything like that. That’s the
nice thing about the RT ACLs is that they start very restrictive, and
you can ease it as much as you want. It won’t show up in Quick Search
or in “New ticket in” or anything like that for anyone but those you
explicitly give permission to.

I have an existing queue ‘test’ that has all those groups showing ‘no
rights granted’
How can I remove the rights that they have, if I wanted to restrict the
‘test’ queue to only a few users or just one group?
It seems that by default the groups you mentioned have the rights to
view the ‘test’ queue.

Hope this can be done.

Thanks.
Kind regards.

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf
Of Luke Vanderfluit
Sent: Tuesday, January 31, 2006 2:12 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] secret queues with restricted access

Hi.

I want to create a queue that is not visible to the bulk of RT users.
Only a few.
So only a select number of users will have access AND be able
to see the
queue.
That means it should only show up in a queue listing for
those specific
logins.

I’m sure this can be done with a customised script but can it be done
with existing config options?
Thanks for any help.
Kind regards.


Luke

Luke

Hi Eric.

Schultz, Eric wrote:

If they have not rights granted, then I am not sure why they are
seeing it, unless the people who are able to see it are members of
another group that does have the privileges. The priv system is
pretty straightforward, you shouldn’t have too much trouble. By
default, nobody has any access to a brand new queue, you have to
explicity add the access. At least, this is true for 3.4.x. Are you
running a different version, perhaps?

I’m running 3.4.4.
I’ve created a new queue and it is visible to anyone in the
priviledged group by default.
Maybe there’s a configuration option that does that (include rights for
the priviledged group to any new queue).
I’ll have to work it out.

Any other suggestions appreciated.

Thanks for your help.
Kind regards.
Luke.

------------------------------------------------------------------------
*From:* Luke Vanderfluit [mailto:lvanderf@internode.com.au]
*Sent:* Tuesday, January 31, 2006 2:41 PM
*To:* Schultz, Eric
*Subject:* Re: [rt-users] secret queues with restricted access

Hi Eric.
That sounds great.

Schultz, Eric wrote:

Sure. Just don’t give the default groups (Everyone, Unprivileged,
Privileged) SeeQueue or ShowTicket or anything like that. That’s the
nice thing about the RT ACLs is that they start very restrictive, and
you can ease it as much as you want. It won’t show up in Quick Search
or in “New ticket in” or anything like that for anyone but those you
explicitly give permission to.

I have an existing queue 'test' that has all those groups showing
'no rights granted'
How can I remove the rights that they have, if I wanted to
restrict the 'test' queue to only a few users or just one group?
It seems that by default the groups you mentioned *have* the
rights to view the 'test' queue.

Hope this can be done.

Thanks.
Kind regards.

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf
Of Luke Vanderfluit
Sent: Tuesday, January 31, 2006 2:12 PM
To: rt-users@lists.bestpractical.com
Subject: [rt-users] secret queues with restricted access

Hi.

I want to create a queue that is not visible to the bulk of RT users.
Only a few.
So only a select number of users will have access AND be able
to see the
queue.
That means it should only show up in a queue listing for
those specific
logins.

I’m sure this can be done with a customised script but can it be done
with existing config options?
Thanks for any help.
Kind regards.


Luke


Luke

Luke

Luke,

There are “global” group and user rights as well as “queue” specific
group and user rights.
Because I want different access for different queues, I set most of my
rights at the queue level (instead of global level).

In order to do what you want you’d grant specific permissions at the
queue level, then revoke grander permissions at the “global” level.

I’d recommend printing out a copy of the page with global permissions
before you mess around with it.

Queue rights: Configuration - Queue - Select the queue you want - group
rights.
Global rights: Configuration - Global - Group rights

Thanks,
Mike

Mike Patterson
Systems Manager
UC Berkeley Extension

Hi Mike.

Mike Patterson wrote:

Luke,

There are “global” group and user rights as well as “queue” specific
group and user rights.
Because I want different access for different queues, I set most of my
rights at the queue level (instead of global level).

In order to do what you want you’d grant specific permissions at the
queue level, then revoke grander permissions at the “global” level.

I’d recommend printing out a copy of the page with global permissions
before you mess around with it.

Queue rights: Configuration - Queue - Select the queue you want -
group rights.
Global rights: Configuration - Global - Group rights

That’s it!
I have all my rights configured at a global level, therefore it would
require some work to redo all the rights at a queue/group level.

Thanks!
Kind regards.
Luke

Thanks,
Mike

Luke

Hi.

Tracy Phillips - Rackeasy wrote:

Luke Vanderfluit wrote:

That’s it!
I have all my rights configured at a global level, therefore it would
require some work to redo all the rights at a queue/group level.

Thanks!
Kind regards.
Luke

I figured out a week or so when messing around with RT that it is
better to not really setup global level rights, especially if you plan
on deviating from the standard way of doing things.

Yep.
My problem now is that redoing the rights requires downtime.
It won’t be as simple as revoking seeQueue and granting at a queue level.

Kind regards.
Luke.

Luke

Luke Vanderfluit wrote:

Yep.
My problem now is that redoing the rights requires downtime.
It won’t be as simple as revoking seeQueue and granting at a queue level.

Kind regards.
Luke.

Why not grant at the queue level and then revoke at the global level? Or
will that not work?

Tracy Phillips

tracy.phillips@rackeasy.com
Tel: 1-800-596-0906
Tel: 1-404-704-0457 ext 1001
Fax: 1-775-205-0590

370 S. Lowe Ave.
Ste. A-105
Cookeville, TN 38501

Tracy Phillips - Rackeasy wrote:

Luke Vanderfluit wrote:

Yep.
My problem now is that redoing the rights requires downtime.
It won’t be as simple as revoking seeQueue and granting at a queue
level.

Kind regards.
Luke.

Why not grant at the queue level and then revoke at the global level?
Or will that not work?

Good point!
I’ve tried it and it seems to work.

Thanks for pointing that out.
Kr.

Luke

Luke Vanderfluit wrote:

Good point!
I’ve tried it and it seems to work.

Thanks for pointing that out.
Kr.

No problem. It must be the shiny new RT Essentials that I got in the
mail today :smiley:

Tracy Phillips

tracy.phillips@rackeasy.com
Tel: 1-800-596-0906
Tel: 1-404-704-0457 ext 1001
Fax: 1-775-205-0590

370 S. Lowe Ave.
Ste. A-105
Cookeville, TN 38501

Hi Tracy.

Tracy Phillips - Rackeasy wrote:

Luke Vanderfluit wrote:

Good point!
I’ve tried it and it seems to work.

Thanks for pointing that out.
Kr.

No problem. It must be the shiny new RT Essentials that I got in the
mail today :smiley:

Not to dampen your enthusiasm, but I found the book disappointing.
It doesn’t discuss pertinent details that I am often looking for.
The section on command-line was helpful to me.
The discussion on how the database works leaves a lot to be desired.
There are many more areas that I would like to see elaborated on.
The book deserves to be 5 times as thick.

Let us know what you think when you’re done reading.
Happy RTing :slight_smile:

Kind regards.
Luke

Luke

Hi.

Tracy Phillips - Rackeasy wrote:

Luke Vanderfluit wrote:

That’s it!
I have all my rights configured at a global level, therefore it would
require some work to redo all the rights at a queue/group level.

Thanks!
Kind regards.
Luke

I figured out a week or so when messing around with RT that it is
better to not really setup global level rights, especially if you plan
on deviating from the standard way of doing things.

Yep.
My problem now is that redoing the rights requires downtime.
It won’t be as simple as revoking seeQueue and granting at a queue level.

Kind regards.
Luke.

The extension RTx::RightMatrix may help make your rights
related work go faster and easier to make sense of.

It’s available from CPAN.

-Todd

Hi Todd.

Todd Chapman wrote:

Hi.

Tracy Phillips - Rackeasy wrote:

Luke Vanderfluit wrote:

That’s it!
I have all my rights configured at a global level, therefore it would
require some work to redo all the rights at a queue/group level.

Thanks!
Kind regards.
Luke

I figured out a week or so when messing around with RT that it is
better to not really setup global level rights, especially if you plan
on deviating from the standard way of doing things.

Yep.
My problem now is that redoing the rights requires downtime.
It won’t be as simple as revoking seeQueue and granting at a queue level.

Kind regards.
Luke.

The extension RTx::RightMatrix may help make your rights
related work go faster and easier to make sense of.

It’s available from CPAN.

I’ll give that a go for sure.
Thanks dude!

Kr.
Luke.

-Todd

Luke