<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Ok,
so I think I found the problem. Before I was here, they imported all of
the users from LDAP into the mysql database. I have created a new user in
AD, and logged into RT and everything works as expected: can only create a
ticket in the General Queue, and cannot pull up tickets other than its
own. So, I am about to blow away an account in RT (remember this is test
until everything is worked out, then we will migrate the database over from
RT3.8.4 to RT4.0.2 which sits on a different vm) and see what the repercussions
are. Removing the permissions from the unprivileged account, by going to
that account manually, did not correct the security issue, so deletion is the only
option I see. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>So
I have shredded the account…I can still see some history (when looking at
tickets I know the account was associated with), now I will recreate the
account. Can someone give me long-term repercussions of this?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Thanks,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Izz<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] <b>On Behalf Of </b>Izz
Abdullah<br>
<b>Sent:</b> Friday, October 07, 2011 8:39 AM<br>
<b>To:</b> rt-users@lists.bestpractical.com<br>
<b>Subject:</b> Re: [rt-users] skip the queue selection for unprivileged users<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I
still have not found the problem…any other suggestions? I found
this below when running through sql.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] <b>On Behalf Of </b>Izz
Abdullah<br>
<b>Sent:</b> Thursday, October 06, 2011 11:41 AM<br>
<b>To:</b> rt-users@lists.bestpractical.com<br>
<b>Subject:</b> Re: [rt-users] skip the queue selection for unprivileged users<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I
had already removed from the web ui all of the privileges I could find at the
group and queue level. Upon inspection in mySQL I find these oddities
which have ‘SeeQueue’ rights:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Groups
Table:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>5
| | Pseudogroup for internal use | SystemInternal
| Unprivileged | 0 |
0 | NULL
| 0 |
NULL <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>4
| | Pseudogroup for internal use | SystemInternal
| Privileged | 0
| 0 | NULL
| 0 |
NULL <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>52233
| User 52232 | ACL equiv. for user 52232 | ACLEquivalence | UserEquiv
| 52232 | 0 |
NULL
| 0 |
NULL <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>25
| User 24 | ACL equiv. for user 24 | ACLEquivalence | UserEquiv |
24 | 0 | NULL
| 0 |
NULL <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Can
anyone explain this? Or was there some odd inventions in the database before I
came in and started the migration? </span><span style='font-size:11.0pt;
font-family:Wingdings'>J</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com]
<b>On Behalf Of </b>Kenneth Crocker<br>
<b>Sent:</b> Thursday, October 06, 2011 10:38 AM<br>
<b>To:</b> rt-users@lists.bestpractical.com<br>
<b>Subject:</b> Re: [rt-users] skip the queue selection for unprivileged users<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Izz,<br>
<br>
check out what rights you have granted at the Queue level. Go to each Queue and
see what you did. Any of them could have granted "SeeQueue" and
"CreateTicket" granted to Everyone or unprivileged.<br>
<br>
Kenn<br>
LBNL<o:p></o:p></p>
<div>
<p class=MsoNormal>On Thu, Oct 6, 2011 at 8:04 AM, Izz Abdullah <<a
href="mailto:Izz.Abdullah@hibbett.com">Izz.Abdullah@hibbett.com</a>> wrote:<o:p></o:p></p>
<p class=MsoNormal>Interesting...I have 26 rows, all principal types of group.
Of that, there are 9 unique principal ids. If I add the 3 system
groups and our 6 user groups, we have 9. Thanks for the sql...I'll look
around and see why these have that right, where it came from, and I'll post
back.<o:p></o:p></p>
<div>
<p class=MsoNormal><br>
-----Original Message-----<br>
From: <a href="mailto:ruslan.zakirov@gmail.com">ruslan.zakirov@gmail.com</a>
[mailto:<a href="mailto:ruslan.zakirov@gmail.com">ruslan.zakirov@gmail.com</a>]
On Behalf Of Ruslan Zakirov<o:p></o:p></p>
</div>
<div>
<div>
<p class=MsoNormal>Sent: Thursday, October 06, 2011 9:49 AM<br>
To: Izz Abdullah<br>
Cc: <a href="mailto:rt-users@lists.bestpractical.com">rt-users@lists.bestpractical.com</a><br>
Subject: Re: [rt-users] skip the queue selection for unprivileged users<br>
<br>
Hi,<br>
<br>
Unprivileged users still can be in some groups. Use SELECT * FROM ACL<br>
WHERE RightName = 'SeeQueue'; This may give you a clue.<br>
<br>
On Thu, Oct 6, 2011 at 3:59 PM, Izz Abdullah <<a
href="mailto:Izz.Abdullah@hibbett.com">Izz.Abdullah@hibbett.com</a>> wrote:<br>
> That is what I thought, but I can only 'see' the privileged users in the
web UI since we are using LDAP authentication. So if I go instead to
Tools->Configuration->Global->Group Rights, I have already removed the
rights for 'Everyone' and 'Unprivileged'. These two groups have no rights
at all at the global level. The user groups we have defined are limited
to privileged users, so this is why I am stumped removing the rights hasn't
solved my problem.<br>
><br>
> -----Original Message-----<br>
> From: <a href="mailto:ruslan.zakirov@gmail.com">ruslan.zakirov@gmail.com</a>
[mailto:<a href="mailto:ruslan.zakirov@gmail.com">ruslan.zakirov@gmail.com</a>]
On Behalf Of Ruslan Zakirov<br>
> Sent: Thursday, October 06, 2011 8:54 AM<br>
> To: Izz Abdullah<br>
> Cc: <a href="mailto:rt-users@lists.bestpractical.com">rt-users@lists.bestpractical.com</a><br>
> Subject: Re: [rt-users] skip the queue selection for unprivileged users<br>
><br>
> Hi,<br>
><br>
> Then SeeQueue and CreateTicket is granted to too many users.<br>
><br>
> On Thu, Oct 6, 2011 at 3:44 PM, Izz Abdullah <<a
href="mailto:Izz.Abdullah@hibbett.com">Izz.Abdullah@hibbett.com</a>> wrote:<br>
>> So I have removed all the rights from a 3.8.4 migrated database into
4.0.2<br>
>> for unprivileged users on all queues except the ‘General’
queue. I also<br>
>> have set in the SiteConfig file the DefaultQueue to
“General”, but<br>
>> unprivileged users still receive a screen for ‘Queue
selection’ when<br>
>> creating a new ticket, AND it allows them to create tickets in queues
other<br>
>> than the General queue.<br>
>><br>
>><br>
>><br>
>> I am a bit stumped on this. If I have removed the permissions,
why can<br>
>> unprivileged users still see and create tickets in other queues?<br>
>><br>
>><br>
>><br>
>> We have, for example Queue1, Queue2, Queue3, etc.<br>
>><br>
>> I don’t want them to see or access Queue1 – QueueN, but
ONLY the General<br>
>> Queue.<br>
>><br>
>> --------<br>
>> RT Training Sessions (<a
href="http://bestpractical.com/services/training.html" target="_blank">http://bestpractical.com/services/training.html</a>)<br>
>> * San Francisco, CA, USA — October 18 & 19, 2011<br>
>> * Washington DC, USA — October 31 & November 1, 2011<br>
>> * Barcelona, Spain — November 28 & 29, 2011<br>
>><br>
><br>
><br>
><br>
> --<br>
> Best regards, Ruslan.<br>
> --------<br>
> RT Training Sessions (<a
href="http://bestpractical.com/services/training.html" target="_blank">http://bestpractical.com/services/training.html</a>)<br>
> * San Francisco, CA, USA October 18 & 19, 2011<br>
> * Washington DC, USA October 31 & November 1, 2011<br>
> * Barcelona, Spain November 28 & 29, 2011<br>
<br>
<br>
<br>
--<br>
Best regards, Ruslan.<br>
--------<br>
RT Training Sessions (<a href="http://bestpractical.com/services/training.html"
target="_blank">http://bestpractical.com/services/training.html</a>)<br>
* San Francisco, CA, USA October 18 & 19, 2011<br>
* Washington DC, USA October 31 & November 1, 2011<br>
* Barcelona, Spain November 28 & 29, 2011<o:p></o:p></p>
</div>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>