[rt-users] Canned sets of rights for individuals accessing different queues?

Kenneth Crocker kfcrocker at lbl.gov
Wed Oct 6 17:34:09 EDT 2010


Ant,

We have the same levels of use here, but over 120 support Queues to do it.
We follow the following rules:
1) No user gets individual privileges. They must be members in a group with
"like needs" for access to a Queue. That way, as rights maintenance issues
come up for a Queue, we only have to deal with the group as a whole, not a
bunch of individual users. Way too much redundant work with individuals.
2) We put the Product Manager in the "AdminCc" Queue watcher role. *No one
else* gets that role for that Queue. We grant this role the rights to admin
users/watchers and a lot of other stuff for that Queue.
3) We name these groups for the Queue, i.e. "xxxx-users" where "xxxx" is the
name of the Queue and the "Users" are those people that can create and view
their *own tickets* (only), but not modify them, unless it is a Custom Field
created just for them. "XXXX-Support" or "XXXX-Tech-Support" are for the
developers. They get more rights than "Users".

I have a "Rights Guide" that we use for setting up Global/Queue rights for
groups and roles. If you feel you have an environment with the kind of
development support like ours, I can pass that on to you, if you are
interested.

Kenn
LBNL

On Wed, Oct 6, 2010 at 12:43 PM, ant <ant at suave.net> wrote:

>
> I have been looking around and am thinking this may not really be possible,
> but here goes.
>
> I have a number of users, number of queues and three different access
> levels View Only, Developer and Product Manager. I am trying to figure out
> a way to specify the set of rights for each of the access levels only once,
> then somehow associate a user and queue with each set of rights, for
> example.
>
> user fred has developer rights to the testa queue, but only view only to
> testb.
>
> It looks like I could do this by creating a bunch of groups like
> testa_developer and assigning the user to all the individual groups, but
> that means I have to set up individual rights for each of those groups on
> the various queues, which takes a while to set up and is hard to maintain.
>
> In the past I set up global rights for groups and made a hack that pulls my
> users from my user database and gets which rights each should have, then
> copies those rights at the user level onto the queue directly. This never
> seemed very clean to me but was the only solution I could come up with. I'm
> upgrading my system now and was hoping maybe I could find a better way, but
> I'm not finding anything.
>
> Anyone have any ideas? I'm on 3.8.8
>
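
The scheme discussed in this thread, as an added example that is not part of either message and is not RT code: each access level is defined once, expanded into per-queue groups named after the queue, and an exported ACL list is audited against rules 1 and 2. The right sets per level, the data shapes, and the names `expand` and `audit` are assumptions; applying the result to RT is left out.

```python
from collections import defaultdict

# Each access level is defined once. The names are RT queue rights; which level
# gets which right is an assumption for illustration. Viewing one's *own*
# tickets is assumed to be granted to the Requestor role, not to the group.
TEMPLATES = {
    "users":   {"SeeQueue", "CreateTicket"},
    "Support": {"SeeQueue", "CreateTicket", "ShowTicket", "ModifyTicket", "OwnTicket"},
}

def group_name(queue, level):
    """Naming convention from rule 3: '<queue>-users', '<queue>-Support'."""
    return f"{queue}-{level}"

def expand(queues, memberships):
    """Return (grants, members) for the given queues.
    memberships: iterable of (user, queue, level) tuples."""
    grants = {(q, group_name(q, lvl)): sorted(rights)
              for q in queues for lvl, rights in TEMPLATES.items()}
    members = defaultdict(set)
    for user, queue, level in memberships:
        if queue not in queues or level not in TEMPLATES:
            raise ValueError(f"unknown queue/level: {queue}/{level}")
        members[group_name(queue, level)].add(user)
    return grants, dict(members)

def audit(acl, admincc):
    """Flag departures from rules 1 and 2.
    acl: (queue, principal_type, principal, right); admincc: {queue: [users]}."""
    findings = []
    for queue, ptype, principal, right in acl:
        if ptype == "user":  # rule 1: rights only through groups
            findings.append(f"rule 1: {principal} holds {right} on {queue} directly")
    for queue, watchers in sorted(admincc.items()):
        if len(watchers) != 1:  # rule 2: the Product Manager and no one else
            findings.append(f"rule 2: {queue} has {len(watchers)} AdminCc watchers")
    return findings

if __name__ == "__main__":
    # Constructed sample data, using the queue and user names from the question.
    grants, members = expand(["testa", "testb"],
                             [("fred", "testa", "Support"), ("fred", "testb", "users")])
    for (queue, group), rights in sorted(grants.items()):
        print(queue, group, rights, sorted(members.get(group, [])))
    print(audit([("testa", "user", "fred", "ModifyTicket")],
                {"testa": ["pm1"], "testb": ["pm1", "pm2"]}))
```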