<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I
still have not found the problem…any other suggestions? I found
this below when running through sql.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] <b>On Behalf Of </b>Izz
Abdullah<br>
<b>Sent:</b> Thursday, October 06, 2011 11:41 AM<br>
<b>To:</b> rt-users@lists.bestpractical.com<br>
<b>Subject:</b> Re: [rt-users] skip the queue selection for unprivileged users<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I
had already removed from the web ui all of the privileges I could find at the
group and queue level. Upon inspection in mySQL I find these oddities
which have ‘SeeQueue’ rights:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Groups
Table:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>5
| | Pseudogroup for internal use | SystemInternal
| Unprivileged | 0 |
0 | NULL
| 0 |
NULL <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>4
| | Pseudogroup for internal use | SystemInternal
| Privileged | 0
| 0 | NULL
| 0 |
NULL <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>52233
| User 52232 | ACL equiv. for user 52232 | ACLEquivalence | UserEquiv
| 52232 | 0 |
NULL
| 0 |
NULL <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>25
| User 24 | ACL equiv. for user 24 | ACLEquivalence | UserEquiv
| 24 |
0 | NULL
| 0 |
NULL <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Can
anyone explain this? Or was there some odd inventions in the database before I
came in and started the migration? </span><span style='font-size:11.0pt;
font-family:Wingdings'>J</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] <b>On Behalf Of </b>Kenneth
Crocker<br>
<b>Sent:</b> Thursday, October 06, 2011 10:38 AM<br>
<b>To:</b> rt-users@lists.bestpractical.com<br>
<b>Subject:</b> Re: [rt-users] skip the queue selection for unprivileged users<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Izz,<br>
<br>
check out what rights you have granted at the Queue level. Go to each Queue and
see what you did. Any of them could have granted "SeeQueue" and
"CreateTicket" granted to Everyone or unprivileged.<br>
<br>
Kenn<br>
LBNL<o:p></o:p></p>
<div>
<p class=MsoNormal>On Thu, Oct 6, 2011 at 8:04 AM, Izz Abdullah <<a
href="mailto:Izz.Abdullah@hibbett.com">Izz.Abdullah@hibbett.com</a>> wrote:<o:p></o:p></p>
<p class=MsoNormal>Interesting...I have 26 rows, all principal types of group.
Of that, there are 9 unique principal ids. If I add the 3 system
groups and our 6 user groups, we have 9. Thanks for the sql...I'll look
around and see why these have that right, where it came from, and I'll post
back.<o:p></o:p></p>
<div>
<p class=MsoNormal><br>
-----Original Message-----<br>
From: <a href="mailto:ruslan.zakirov@gmail.com">ruslan.zakirov@gmail.com</a>
[mailto:<a href="mailto:ruslan.zakirov@gmail.com">ruslan.zakirov@gmail.com</a>]
On Behalf Of Ruslan Zakirov<o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal>Sent: Thursday, October 06, 2011 9:49 AM<br>
To: Izz Abdullah<br>
Cc: <a href="mailto:rt-users@lists.bestpractical.com">rt-users@lists.bestpractical.com</a><br>
Subject: Re: [rt-users] skip the queue selection for unprivileged users<br>
<br>
Hi,<br>
<br>
Unprivileged users still can be in some groups. Use SELECT * FROM ACL<br>
WHERE RightName = 'SeeQueue'; This may give you a clue.<br>
<br>
On Thu, Oct 6, 2011 at 3:59 PM, Izz Abdullah <<a
href="mailto:Izz.Abdullah@hibbett.com">Izz.Abdullah@hibbett.com</a>> wrote:<br>
> That is what I thought, but I can only 'see' the privileged users in the
web UI since we are using LDAP authentication. So if I go instead to Tools->Configuration->Global->Group
Rights, I have already removed the rights for 'Everyone' and 'Unprivileged'.
These two groups have no rights at all at the global level. The
user groups we have defined are limited to privileged users, so this is why I am
stumped removing the rights hasn't solved my problem.<br>
><br>
> -----Original Message-----<br>
> From: <a href="mailto:ruslan.zakirov@gmail.com">ruslan.zakirov@gmail.com</a>
[mailto:<a href="mailto:ruslan.zakirov@gmail.com">ruslan.zakirov@gmail.com</a>]
On Behalf Of Ruslan Zakirov<br>
> Sent: Thursday, October 06, 2011 8:54 AM<br>
> To: Izz Abdullah<br>
> Cc: <a href="mailto:rt-users@lists.bestpractical.com">rt-users@lists.bestpractical.com</a><br>
> Subject: Re: [rt-users] skip the queue selection for unprivileged users<br>
><br>
> Hi,<br>
><br>
> Then SeeQueue and CreateTicket is granted to too many users.<br>
><br>
> On Thu, Oct 6, 2011 at 3:44 PM, Izz Abdullah <<a
href="mailto:Izz.Abdullah@hibbett.com">Izz.Abdullah@hibbett.com</a>> wrote:<br>
>> So I have removed all the rights from a 3.8.4 migrated database into
4.0.2<br>
>> for unprivileged users on all queues except the ‘General’
queue. I also<br>
>> have set in the SiteConfig file the DefaultQueue to
“General”, but<br>
>> unprivileged users still receive a screen for ‘Queue
selection’ when<br>
>> creating a new ticket, AND it allows them to create tickets in queues
other<br>
>> than the General queue.<br>
>><br>
>><br>
>><br>
>> I am a bit stumped on this. If I have removed the permissions,
why can<br>
>> unprivileged users still see and create tickets in other queues?<br>
>><br>
>><br>
>><br>
>> We have, for example Queue1, Queue2, Queue3, etc.<br>
>><br>
>> I don’t want them to see or access Queue1 – QueueN, but
ONLY the General<br>
>> Queue.<br>
>><br>
>> --------<br>
>> RT Training Sessions (<a
href="http://bestpractical.com/services/training.html" target="_blank">http://bestpractical.com/services/training.html</a>)<br>
>> * San Francisco, CA, USA — October 18 & 19, 2011<br>
>> * Washington DC, USA — October 31 & November 1, 2011<br>
>> * Barcelona, Spain — November 28 & 29, 2011<br>
>><br>
><br>
><br>
><br>
> --<br>
> Best regards, Ruslan.<br>
> --------<br>
> RT Training Sessions (<a
href="http://bestpractical.com/services/training.html" target="_blank">http://bestpractical.com/services/training.html</a>)<br>
> * San Francisco, CA, USA October 18 & 19, 2011<br>
> * Washington DC, USA October 31 & November 1, 2011<br>
> * Barcelona, Spain November 28 & 29, 2011<br>
<br>
<br>
<br>
--<br>
Best regards, Ruslan.<br>
--------<br>
RT Training Sessions (<a href="http://bestpractical.com/services/training.html"
target="_blank">http://bestpractical.com/services/training.html</a>)<br>
* San Francisco, CA, USA October 18 & 19, 2011<br>
* Washington DC, USA October 31 & November 1, 2011<br>
* Barcelona, Spain November 28 & 29, 2011<o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>