User rights and custom fields - REST requests

Hi

I hope this is the right place for this post. (no response from rt-users)

We are trying to restrict rights as much as possible for “external” users
(having access to RT via a custom web application sending REST requests.)

Our “external” users are always marked as ‘Privileged’

In terms of group rights, this is what we would like to have:

  1. Everyone → CreateTicket + ReplyToTicket
  2. Privileged → None (empty)
  3. Requestors → CreateTicket + ReplyToTicket + SeeCustomField + ShowTicket + ModifyCustomField + ModifyTicket

However, having Privileged->None (all checkboxes empty) seems to be blocking
access to custom fields. It only works if we set
Privileged->SeeCustomField + ModifyCustomField.

It looks like the fact that users are ‘Requestor’ isn’t enough to let them
read/write custom fields. (Right?)
Tickets can be created and can be retrieved afterwards, it’s only custom
fields we are having problems with.

Thanks

PS:
Our RT instances have this basic conf:
RT 4.2.9, CentOS 6.6, Apache+mod_perl, mysql Ver 14.14 Distrib 5.6.22, for Linux (x86_64)

Regards,

Hugo Escobar

http://www.associationfinancialservices.com/

4770 Biscayne Blvd, Ste 700
Miami, FL 33137

main: 305.677.0022
support: 305.921.4620
email: hescobar@afslc.com

Follow us on Facebook and Linked-In
http://www.facebook.com/pages/Miami-FL/ASSOCIATION-FINANCIAL/64952991864
http://www.linkedin.com/companies/1006276

NOTICE: This email and any attachment to this email may contain
confidential information. If you are not the intended recipient, you must
not review, retransmit, convert to hard copy, photocopy, use or disseminate
this email or any attachments to it. If you have received this email in
error, please notify us immediately by return email and delete this
message. Please note that if this email contains a forwarded message or is
a reply to a prior message, some or all of the contents of this message or
any attachments may not have been produced by our firm. As our firm may be
deemed a debt collector, if your payment is in default, we may be
attempting to collect a debt on behalf of the association, and any
information obtained may be used for that purpose.

Hi,

After giving some thought to this post:

If it’s a design decision not to allow a requestor to manipulate
(read/write) custom fields unless:
1. they are explicitly authorized to do so by marking them privileged AND,
2. giving ‘privileged’ SeeCF and ModifyCF rights,

isn’t it confusing to allow administrators to set SeeCF and ModifyCF for,
say, the ‘requestor’ group if it only depends on #1 and #2?
(Changing settings for the ‘requestor’ group makes absolutely no difference
in terms of rights over CFs.)

I apologize for insisting on this question but I could not find anything
specific to this matter in public docs.

Any help will be highly appreciated.

Regards,

Hugo Escobar
