Ticket level permissions

Hi All,

I’m new to RT and trying to make it work in following manner -

  1. There should be only one queue called ‘Support’. This is because we
    have too many clients and is a management call…

  2. Multiple clients using same queue to create tickets.

  3. No client should be able to access another client’s tickets. Example

  • Client A should not be able to access client B’s tickets.

And this is what I’ve done so far -

  1. Add a custom field ‘Client’ at user level.

  2. Create a group for each ‘Client’ and add all users belonging to the
    client to their respective group.

  3. OnCreate scrip to add the group as ‘Cc’ to the ticket and grant
    ’ShowTicket’ to the ‘Cc’ role.

This results in -

  1. User belonging to group A cannot see tickets raised by any user of
    group B on the ‘Open tickets’ page. So the segregation works here.

  2. But if a user of group A searches for a ticket (by ticket number) he
    gets to see all the ticket details hence defeating restriction we needed
    in place.

Please take a look at the OnCreate script on pastebin
http://pastebin.com/4G7mFDP8 and help me understand what is wrong with
this approach.

Thanks for help!

Regards,
Rajesh

Hi All,

I’m new to RT and trying to make it work in following manner -

  1. There should be only one queue called ‘Support’. This is because we have too many clients
    and is a management call…

  2. Multiple clients using same queue to create tickets.

  3. No client should be able to access another client’s tickets. Example - Client A should not
    be able to access client B’s tickets.

And this is what I’ve done so far -

  1. Add a custom field ‘Client’ at user level.

  2. Create a group for each ‘Client’ and add all users belonging to the client to their
    respective group.

  3. OnCreate scrip to add the group as ‘Cc’ to the ticket and grant ‘ShowTicket’ to the 'Cc’
    role.

This results in -

  1. User belonging to group A cannot see tickets raised by any user of group B on the ‘Open
    tickets’ page. So the segregation works here.

  2. But if a user of group A searches for a ticket (by ticket number) he gets to see all the
    ticket details hence defeating restriction we needed in place.

You’ve granted ShowTicket too widely, check your ACL configurations.
Especially for Everyone and Unprivileged groups.

-kevin

Hi All,

I'm new to RT and trying to make it work in following manner -

1. There should be only one queue called 'Support'. This is because we have too many clients
and is a management call...

2. Multiple clients using same queue to create tickets.

3. No client should be able to access another client's tickets. Example - Client A should not
be able to access client B's tickets.

And this is what I've done so far -

1. Add a custom field 'Client' at user level.

2. Create a group for each 'Client' and add all users belonging to the client to their
respective group.

3. OnCreate scrip to add the group as 'Cc' to the ticket and grant 'ShowTicket' to the 'Cc'
role.

This results in -

1. User belonging to group A cannot see tickets raised by any user of group B on the 'Open
tickets' page. So the segregation works here.

2. But if a user of group A searches for a ticket (by ticket number) he gets to see all the
ticket details hence defeating restriction we needed in place.

You’ve granted ShowTicket too widely, check your ACL configurations.
Especially for Everyone and Unprivileged groups.

-kevin

Thanks for your response. I’ve double checked and there are no rights
granted to Everyone and Unprivileged groups. The user defined groups
only have CreateTicket and SeeQueue rights. I’m using version 4.0.5.
Please let me know if there is something else I’m missing. Thanks.

Regards,
Rajesh

Hi All,

I’m new to RT and trying to make it work in following manner -

  1. There should be only one queue called ‘Support’. This is because we have too many clients
    and is a management call…

  2. Multiple clients using same queue to create tickets.

  3. No client should be able to access another client’s tickets. Example - Client A should not
    be able to access client B’s tickets.

And this is what I’ve done so far -

  1. Add a custom field ‘Client’ at user level.

  2. Create a group for each ‘Client’ and add all users belonging to the client to their
    respective group.

  3. OnCreate scrip to add the group as ‘Cc’ to the ticket and grant ‘ShowTicket’ to the 'Cc’
    role.

This results in -

  1. User belonging to group A cannot see tickets raised by any user of group B on the ‘Open
    tickets’ page. So the segregation works here.

  2. But if a user of group A searches for a ticket (by ticket number) he gets to see all the
    ticket details hence defeating restriction we needed in place.
    You’ve granted ShowTicket too widely, check your ACL configurations.
    Especially for Everyone and Unprivileged groups.

Thanks for your response. I’ve double checked and there are no
rights granted to Everyone and Unprivileged groups. The user defined
groups only have CreateTicket and SeeQueue rights. I’m using version
4.0.5. Please let me know if there is something else I’m missing.

If users can see the tickets, then they’ve picked up ShowTicket from
somewhere. It may be time for you to poke in the ACL table and see
where ShowTicket has been handed out.

-kevin