[rt-users] assigning permissions to queues

[Tim Cutts]

On 27 Feb 2011, at 17:00, rt-users-request at lists.bestpractical.com wrote:

> From: Ruslan Zakirov <ruslan.zakirov at gmail.com>
> Rights matrix extension may be.
> Regards, Ruslan. From phone.
> 
> From: Gilbert Rebeiro <gilbert at dido.ca>
> It works well.
> It could benefit from "ALL" buttons on both queues and rights ie select all queues for a certain permission, or all permissions for a certain queue.

I use rights matrix as well, although even that is quite cumbersome on our setup (we have 156 queues, 167 user defined groups and probably about 500 privileged users).

I'm actually starting to write perl scripts for creating queues and groups and the rights to go with them, because it's easy to get it wrong, and with as many queues and groups as we have, consistency is important.

It's fairly easy to write such scripts, stealing bits of code from RT itself when I couldn't work out how to do it for myself!

I'm also planning to create a script which sanity-checks queue configurations according to our internal policy, which basically goes something like this:

1)  Every queue has a group with the same name as the queue.
2)  That group is assigned to the AdminCC role for the queue.
3)  Rights are never granted to individual users.
4)  Users are given rights to queues by placing them in the appropriate groups.

I don't tend to give anyone the right to modify scrips and templates, because as far as I can tell those scrips and bits of embedded code in templates basically run with the privilege level of $RT::SystemUser, and so can be used to access pretty much any data in the database, which is not something we generally want.

Regards,

Tim

-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE.