<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} @font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif"}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
span.EstiloCorreo17
{font-family:"Calibri","sans-serif";
color:windowtext}
.MsoChpDefault
{font-family:"Calibri","sans-serif"}
@page WordSection1
{margin:70.85pt 3.0cm 70.85pt 3.0cm}--></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>I did some progress; let's see if that rings a bell:<br>
</p>
<p>Granting the right 'ShowTicket' globally to the role requestor, got me to the behavior I was looking for (But... thats not the solution I want)<br>
</p>
<p><br>
</p>
<p>More exactly:</p>
<p>Having Global requestor role WITH 'ShowTicket', Queue specific requestor role WITH 'ShowTicket' & Queue specific user group 'restricted' WITHOUT 'ShowTicket', would result in the user only being able to see those tickets for which he is requestor; similarly,
only those tickets would be returned in a REST API search.</p>
<p>But, as I already said, having Global requestor role WITHOUT 'ShowTicket', Queue specific requestor role WITH 'ShowTicket' & Queue specific user group 'restricted' WITHOUT 'ShowTicket', would result in the user not being able to see any ticket in the queue;
not even those for which he is requestor.</p>
<p><br>
</p>
<p>So, considering the following "right layers" in this case:</p>
<p>1. Global rights</p>
<p>2. Queue role rights</p>
<p>3. Queue user group rights</p>
<p>Is the queue specific user group rights configuration overriding the same queue role rights configuration¿ IE: is the queue user group NOT having the 'ShowTicket' overriding the queue role having it?<br>
</p>
<p><br>
</p>
<p>If so, how could I implement this configuration Im looking for without having to grant that right globally to the requestor role? I would certainly preffer not having to do that.<br>
</p>
<p class="MsoNormal"><span style="font-family:'Segoe UI','sans-serif'; color:rgb(105,142,0); font-size:10pt" lang="EN"><br>
</span></p>
<div id="Signature">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px"></div>
</div>
</div>
<div style="color: rgb(33, 33, 33);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b>De:</b> Oriol Soriano<br>
<b>Enviado:</b> martes, 19 de agosto de 2014 16:46<br>
<b>Para:</b> rt-users@lists.bestpractical.com<br>
<b>Asunto:</b> Refine users ticket visibility: view only OWN tickets</font>
<div> </div>
</div>
<div>
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi,</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">We have been using RT for a few years. In our current RT setup (version 4.2.2), for every one of our customers we create a ticket queue and a user group. Then, in that user group, we grant rights for that specific queue
to enable our customer users to: ‘CreateTicket’, ‘ReplyToTicket’, ‘SeeQueue’ and ‘ShowTicket’. Customer users belonging to these groups remain as unprivileged users. We have separate user groups for our own staff (staff users are privileged).</span></p>
<p class="MsoNormal"><span lang="EN-US">Our aim is mainly to prevent a group of customers having visibility of other customer groups tickets and, also, for easier management of scrips, etc .
</span></p>
<p class="MsoNormal"><span lang="EN-US">Additionally – and this is important -, we rely on the REST API to provide customers with ticket lists, searches and integration with some of our services through our web portal. As an effect of that, customers never
get to interact with the RT gui.</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Now, what we would need to implement is a more fine visibility configuration: More concretely, SOME of our customer users (‘restricted’ users) should ONLY be able to see those tickets in which they have the roles ‘cc’
or ‘requestor’.</span></p>
<p class="MsoNormal"><span lang="EN-US">And at the same time, when they perform a search through the REST API, only the tickets for which they are requestor or cc should be returned (this one is important).</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">To do so, my approach was: </span></p>
<p class="MsoNormal"><span lang="EN-US">While now we create one single group for every queue, create two groups instead: one with restricted rights and another with the rights we have been usually granting the users with.</span></p>
<p class="MsoNormal"><span lang="EN-US">The ‘restricted’ user group would have no ‘ShowTicket’ right; as a result, their searches would return empty. But, that combined with having the right ‘ShowTicket’ granted to the requestor and cc roles, I guessed that
would enable users to see the tickets for which they are requestor/cc, and get ONLY these tickets returned on their searches through REST API.</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">The problem is that, although I have tried quite a few tweaks around this on devel env (configuring customer users as privileged, for instance), I cannot get this behavior to work.
</span></p>
<p class="MsoNormal"><span lang="EN-US">The result is that, if I grant ‘ShowTicket’ right to the ‘restricted’ user group, they see ALL the tickets in the queue; if I don’t, they see none (same goes for ticket search results). For some reason, its like its ignoring
the rights I had expected to be granted to the user via the roles ‘requestor’ and ‘cc’ (as I already mentioned, these roles DO have ‘ShowTicket’ right).</span></p>
<p class="MsoNormal"><span lang="EN-US">Indeed, I really feel to be missing something here.</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">In the mean time, I have also started to explore the possibility of having to add a custom right for this behavior. So following the info I found at the RT wiki, I have already defined a ‘SeeOwnTickets’ right in the Queue_Local.pm
file. </span></p>
<p class="MsoNormal"><span lang="EN-US">But in the scenario of having to solve this via this solution, I would really appreciate some guidance on in which parts of RT code should I add the auth for this (considering our users only interact via the REST API).</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">I have already spent some time working on this; any help/guidance would be certainly appreciated.</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks in advance,</span></p>
<p class="MsoNormal"><span lang="EN-US">Oriol Soriano.</span></p>
<p class="MsoNormal"><span lang="EN-US"></span></p>
<p class="MsoNormal"><span lang="EN-US">PS: Yes, I have read <a href="http://requesttracker.wikia.com/wiki/Rights">
http://requesttracker.wikia.com/wiki/Rights</a> and other areas of the wiki about this topic</span></p>
<p class="MsoNormal"><span lang="EN-US">PS2: I have also searched for this on the user list. Although I did find some answers and tried a few suggestions, I was not able to fully get my desired config to work.</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
</div>
</div>
</body>
</html>