[rt-users] Rights, rights, rights...

Kenneth Crocker KFCrocker at lbl.gov
Wed Feb 6 14:19:48 EST 2008 

Jean-Sebastion,


	Whew! You have really given alot of people alot of rights. By granting 
"AssignCustomFields" to everyone, you have opened the dor to let every 
tom dick and harry create any number of fields for their tickets that 
might be redundant to what someone else has created and you have a lot 
of redundant, non-centralized, hard to maintain, info flying around that 
you have no control over because you gave that control to everyone. If 
you like a lot of maintenence work then, I guess that's ok. You also 
grant the same rights for roles that you have already granted to 
privileged users. That is also redundant as if they have the right as a 
"privileged: user, then they have it, period. They don't need it again. 
That, too, will create a nightmare of debugging as when you make a 
rights change in one place and it doesn't work, you will wonder why. 
Typically, or at least for a measure of control, you might want to sit 
down and evaluate exactly what you want certain roles to do on which 
specific queues, what kind of control you want to have over all of it 
and what kind of control you want to have for each queue. Do you want 
each queue to be managed and controlled independently of other queues? 
What kind of users will have access to each queue? Will there be 
"support" groups and "user (requestors)" groups? How much access should 
they have in a queue? This is a lot of process and decide on.
	What is the purpose or function of your RT installation? What kind of 
users will be on the system (i.e. technical support people for each 
queue, seperate requestors for each queue, etc.). What kind of 
communication do you want for each queue. Do you want requestors to see 
technical comments made by technical people that work on the tickets in 
a specific queue? Try to define all of this and let me know. I'll be 
able to provide more precise and specific advice when I have that info.

Kenn
LBNL

On 2/6/2008 7:22 AM, Jean-Sebastien Morisset wrote:
> Hi everyone,
> 
> Phew! There are a lot of different ways to setup rights. Our RT 3.6.6
> users are checked against our Active Directory server and created
> automatically. For some reason when someone sends e-mail, and an account
> doesn't already exist for them, the e-mail fails (I guess this is
> because there wasn't a password to authenticate the user). So I had to
> give 'Everyone' some permissions.
> 
> Here's what I did... Does anyone see a problem with this?
> 
> Configuration -> Global -> Group Rights:
> 
> Everyone   
>   AssignCustomFields
>   CreateTicket
>   SeeCustomField
> 
> Privileged	
>   AssignCustomFields
>   CreateSavedSearch
>   CreateTicket
>   EditSavedSearches
>   LoadSavedSearch
>   ModifySelf
>   SeeCustomField
>   SeeGroup
>   SeeQueue
>   ShowSavedSearches
>   ShowTicket
>   Watch
> 
> Requestor	
>   AssignCustomFields
>   CreateSavedSearch
>   CreateTicket
>   EditSavedSearches
>   LoadSavedSearch
>   ModifySelf
>   ReplyToTicket
>   SeeCustomField
>   SeeGroup
>   SeeQueue
>   ShowSavedSearches
>   ShowTicket
> 
> User defined groups: Management	
>   AssignCustomFields
>   CommentOnTicket
>   CreateSavedSearch
>   CreateTicket
>   EditSavedSearches
>   LoadSavedSearch
>   ModifyQueueWatchers
>   ModifySelf
>   ModifyTicket
>   OwnTicket
>   ReplyToTicket
>   SeeCustomField
>   SeeGroup
>   SeeQueue
>   ShowACL
>   ShowOutgoingEmail
>   ShowSavedSearches
>   ShowScrips
>   ShowTemplate
>   ShowTicket
>   ShowTicketComments
>   StealTicket
>   TakeTicket
>   Watch
>   WatchAsAdminCc
> 
> User defined groups: RT-Admin   
>   AdminAllPersonalGroups
>   AdminCustomField
>   AdminGroup
>   AdminGroupMembership
>   AdminOwnPersonalGroups
>   AdminQueue
>   AdminUsers
>   AssignCustomFields
>   CommentOnTicket
>   CreateSavedSearch
>   CreateTicket
>   DelegateRights
>   DeleteTicket
>   EditSavedSearches
>   LoadSavedSearch
>   ModifyACL
>   ModifyCustomField
>   ModifyOwnMembership
>   ModifyQueueWatchers
>   ModifyScrips
>   ModifySelf
>   ModifyTemplate
>   ModifyTicket
>   OwnTicket
>   ReplyToTicket
>   SeeCustomField
>   SeeGroup
>   SeeQueue
>   ShowACL
>   ShowConfigTab
>   ShowOutgoingEmail
>   ShowSavedSearches
>   ShowScrips
>   ShowTemplate
>   ShowTicket
>   ShowTicketComments
>   StealTicket
>   TakeTicket
>   Watch
>   WatchAsAdminCc
>  
> Queue specific rights are given for groups by queue...
> 
> Configuration -> Queues -> Unix -> Group Rights:
> 
> User defined groups: Unix
>   AssignCustomFields
>   CommentOnTicket
>   CreateTicket
>   ModifyTicket
>   OwnTicket
>   ReplyToTicket
>   SeeQueue
>   ShowACL
>   ShowOutgoingEmail
>   ShowScrips
>   ShowTemplate
>   ShowTicket
>   ShowTicketComments
>   StealTicket
>   TakeTicket
>   Watch
>   WatchAsAdminCc
> 
> Thanks!
> js.

More information about the rt-users mailing list