User with no WatchAsAdminCc right was added as AdminCc

Hi

One of my privileged users A was able to add another user B as AdminCc
even though that second User B does not have the WatchAsAdminCc right as
far as I can make out.

User B is not privileged.
User B does not have any rights for that Queue in
Admin/Queues/UserRights.html

User B belongs to only one group C directly.
Group C is not included in any other.
Group C does not have any rights in Admin/Groups/GroupRights.html
Group C does not have any rights for that Queue in
Admin/Queues/GroupRights.html

The WatchAsAdminCc right on that queue is only given to User-defined
groups to which User B does not belong either directly or indirectly.

If I look at the RightsMatrix for User B, he does not have
WatchAsAdminCc right on any queue.
If I look at the RightsMatrix for Group C, it does not have
WatchAsAdminCc right on any queue.

User A has the following rights on that queue C

  • CommentOnTicket
  • CreateTicket
  • ModifyTicket
  • OwnTicket
  • ReplyToTicket
  • SeeQueue
  • ShowACL
  • ShowOutgoingEmail
  • ShowTicket
  • ShowTicketComments
  • StealTicket
  • TakeTicket
  • Watch
  • WatchAsAdminCc

Any ideas where I might have messed up?

Gerard

Using RT 3.8.8

> Hi
>
> One of my privileged users A was able to add another user B as AdminCc
> even though that second User B does not have the WatchAsAdminCc right as far as I can make
> out.

That right only affects your ability to add yourself as an AdminCc.
User A has ModifyTicket, they can add anyone they want as an AdminCc.

-kevin

Thanks Kevin

Is there a way to prevent this behaviour?
Sometimes I end up with Customers in AdminCc of tickets …

Gerard

On 2011-12-19 19:01, Kevin Falcone wrote:

> On Fri, Dec 16, 2011 at 05:24:41PM +0100, Gerard FENELON wrote:
>
> > Hi
> >
> > One of my privileged users A was able to add another user B as AdminCc
> > even though that second User B does not have the WatchAsAdminCc right as far as I can make
> > out.
>
> That right only affects your ability to add yourself as an AdminCc
> User A has ModifyTicket, they can add anyone they want as an AdminCc.
>
> -kevin

> Thanks Kevin
>
> Is there a way to prevent this behaviour?
> Sometimes I end up with Customers in AdminCc of tickets …

User education/training.

Otherwise you have to write a Scrip that takes unprivileged users off
of tickets (or otherwise modify RT to prevent it).

It’s quite useful to be able to add someone random as an AdminCc, to
grant temporary visibility into 1 ticket in a Queue they would never
normally have access to.

-kevin
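
A sketch of the Scrip suggested in the last reply, added here as an example; it is not code from the thread's participants or from Best Practical. It assumes the RT 3.8 Scrip interface with Condition and Action both set to "User Defined" and a blank template; the three sections below are pasted into the corresponding Scrip fields.

```perl
# Scrip settings (assumed): Condition "User Defined", Action "User Defined",
# Template "Blank", Stage "TransactionCreate".

# ---- Custom condition ----
# Fire on ticket creation and whenever an AdminCc is added to a ticket.
my $txn = $self->TransactionObj;
return 1 if $txn->Type eq 'Create';
return 1 if $txn->Type eq 'AddWatcher' && ( $txn->Field || '' ) eq 'AdminCc';
return 0;

# ---- Custom action preparation code ----
return 1;

# ---- Custom action cleanup code ----
my $ticket  = $self->TicketObj;
my $members = $ticket->AdminCc->UserMembersObj;   # users in the ticket's AdminCc role group

# Collect first, so the collection is not modified while iterating over it.
my @unprivileged;
while ( my $user = $members->Next ) {
    push @unprivileged, $user unless $user->Privileged;
}

for my $user (@unprivileged) {
    my ( $ok, $msg ) = $ticket->DeleteWatcher(
        Type        => 'AdminCc',
        PrincipalId => $user->PrincipalId,
    );
    if ($ok) {
        $RT::Logger->info( "Removed unprivileged user " . $user->Name
              . " from AdminCc of ticket #" . $ticket->Id );
    }
    else {
        # For example, the user is an AdminCc only through a group that was added.
        $RT::Logger->warning( "Could not remove " . $user->Name
              . " from AdminCc of ticket #" . $ticket->Id . ": $msg" );
    }
}
return 1;
```

The removal records a DelWatcher transaction, which the condition above does not match, so the Scrip does not retrigger itself. It only touches ticket-level AdminCc, and it also removes the option of granting an outside user temporary visibility into a single ticket.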