Giuseppe,<br><br>You said, "Basically, the way I interpret this means that if I want my users to be
able to create tickets via the web interface, I need to provide them
with both "CreateTicket" and "SeeQueue".<br>
As a side effect, privileged users couldn't be prevented from seeing a
list of other people's tickets (albeit not in details) in that queue if I
want them to be able to create tickets in that same queue.<br>
<br>
Is my interpretation of what you write correct? It seems it's missing
the effect of "ShowTicket", which allows the grantee to see the list of
tickets."<br><br>Yes, that is correct. You CAN, however, modify your configuration (/opt/rt3/etc/RT_SiteConfig.pm) to autocreate as "UnPrivileged".<br><br>The changes you made looked good, by the way.<br><br>
It's important to understand that <b>PRIVILEGES CANNOT BE PROHIBITED, ONLY GRANTED</b>. That means that if I grant a right GLOBALLY, then anything I do for that right at any lower level is <i>ignored</i>. <i>I've already granted that right <b>GLOBALLY</b></i>. Rights are HIERARCHICAL (I <b>REALLY</b> need to find out how to spell that word correctly ;-).<br>
<br>To further understand privileges, let me give you this example:<br><br>I have over 100 Queues, so I don't want everyone to have such a huge "drop-down" list, so I grant "SeeQueue" to a User-defined group named "XXXX-Users" (where XXXX is the Queue name) at the Queue level.<br>
<br>Also, I don't want just anyone to be able to create tickets in this particular Queue so I grant "CreateTicket" to the same Group at the Queue level. I do NOT grant "Create Ticket" ANYWHERE Globally because that would <i>override</i> what I wanted at the Queue level FOR THAT RIGHT and allow others to be able to create tickets
in this particular Queue, regardless of what I granted at the Queue level.<br><br>I want my Requestors to see only their ticket, so I grant "ShowTicket" to the Requestor role at the Queue level.<br><br> Also, I want those same users (XXXX-Users) to be able to update a specific Custom Field (called "Need-By Date") in these tickets so under Config->Custom Fields->(select CF)->Group Rights I grant "SeeCustomField" and "ModifyCustomField" to that group.<br>
<br>Now, anyone in that group can see this Queue (on the WebUI), create a ticket (either on the WebUI or Email), See basic metadata in this ticket (except comments because I didn't grant that right) AND be able to see AND update the value in the CF "Need-By Date".<br>
<br>I actually have some Custom Fields that I update with values (using scrips) that I use for other functions (like searches and Dashboards, etc) and NO ONE in the system, except a "SuperUser" can see those CF's or Modify them in ANY ticket.<br>
<br>This is the kind of flexibility BP has designed into RT. I've always said that everything has a cost. Well, the cost of flexibility is complexity. Some stuff in RT CAN be tough to grasp at first. But once you SEE it, it makes perfect sense.<br>
<br>I hope this helps. Let me know if I can be of further assistence.<br><br>Kenn<br>LBNL<br><br><br><div class="gmail_quote">On Wed, Jun 15, 2011 at 1:56 AM, Giuseppe Sollazzo <span dir="ltr"><<a href="mailto:gsollazz@sgul.ac.uk">gsollazz@sgul.ac.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hi Kenneth,<br>
that helped a lot, thanks.<br>
<br>
Pitching is a good idea, although us Europeans don't get baseball too much ;-)<br>
<br>
I managed to get things working as suggested by you:<br>
Global - Roles Requestor: ShowTicket<br>
Queue X - System Everyone: CreateTicket SeeQueue<br>
<br>
with this I get exactly what I'm after: users can see their own tickets only, unless they are given more permissions.<div class="im"><br>
<br>
However, just a clarification. At some point you write:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
"CreateTicket" - This right has NOTHING to do with seeing it, modifying it,<br>
etc. It just means that RT will let someone "CREATE" it. That's it. However,<br>
because you might want to know who created it as well as who wants the work<br>
done, RT keeps track of the "creator" AND the "Requestor". They are not<br>
always the same. I could easily grant "CreateTicket" to everyone and if I<br>
didn't grant "ShowTicket" to anyone, no one would see it except the user<br>
with "SuperUser" rights.<br>
"SeeQueue" - This means you can see a Queue (all if granted Globally) in the<br>
"Drop-down" list of Queues when wanting to create/look at a ticket. If I<br>
grant "SeeQueue" and do not grant "CreateTicket" you will see there are xx<br>
numbers of ticket in a Queue but not be able to create a ticket there.<br>
</blockquote></div>
Basically, the way I interpret this means that if I want my users to be able to create tickets via the web interface, I need to provide them with both "CreateTicket" and "SeeQueue".<br>
As a side effect, privileged users couldn't be prevented from seeing a list of other people's tickets (albeit not in details) in that queue if I want them to be able to create tickets in that same queue.<br>
<br>
Is my interpretation of what you write correct? It seems it's missing the effect of "ShowTicket", which allows the grantee to see the list of tickets.<br>
<br>
A couple of improvements that would be great to have in future are<br>
- bulk update of users (e.g. I imported all users as privileged, it turns out I wanted them unprivileged, I wish I could do it from within the interface rather than by scripting).<br>
- customising RT at a glance made simpler - I know you can create dashboards, still it seems not that flexible?<br>
<br>
<br>
Thanks again for your kind help and accurate explanation.<br>
<br>
Best regards,<div><div></div><div class="h5"><br>
Giuseppe<br>
<br>
<br>
<br>
<br>
<br>
-- <br>
____________________________________<br>
<br>
Giuseppe Sollazzo<br>
Senior Systems Analyst<br>
Computing Services<br>
Information Services<br>
St. George's, University Of London<br>
Cranmer Terrace<br>
London SW17 0RE<br>
<br>
Email: <a href="mailto:gsollazz@sgul.ac.uk" target="_blank">gsollazz@sgul.ac.uk</a><br>
Direct Dial: <a href="tel:%2B44%2020%208725%205160" value="+442087255160" target="_blank">+44 20 8725 5160</a><br>
Fax: <a href="tel:%2B44%2020%208725%203583" value="+442087253583" target="_blank">+44 20 8725 3583</a><br>
<br>
<br>
</div></div></blockquote></div><br>