<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font face="Bitstream Vera Sans">Thanks for your answers. <br>
</font></p>
Before working on an overlay to customize my RT setup, I have a question.<br>
<br>
Privileged users have the right to search in the whole RT database. But in
my setup, some users are customers and they are grouped in RT
groups named after their company. <br>
On the queues (also named after the company), the rights are applied
by using groups. <br>
<br>
So, why are they able to search in all queues? I supposed they were
restricted to searching just their own queue.<br>
<br>
Thus, is it a mistake in my setup, or does RT have a security issue? Is
it possible to limit the search instead of hiding the search menu?<br>
<br>
Thanks,<br>
Félix<br>
<br>
<div class="moz-cite-prefix">On 04/01/2017 at 21:53, Martin Wheldon
wrote:<br>
</div>
<blockquote
cite="mid:d369e8ec18a0e0e7c77eb026d3bcb635@mail.greenhills-it.co.uk"
type="cite">Hi,
<br>
<br>
If you are looking at modifying menus then the following will
help.
<br>
<br>
<a class="moz-txt-link-freetext" href="https://docs.bestpractical.com/rt/4.4.1/writing_extensions.html#Adding-and-Modifying-Menus">https://docs.bestpractical.com/rt/4.4.1/writing_extensions.html#Adding-and-Modifying-Menus</a><br>
<br>
Best Regards
<br>
<br>
Martin
<br>
<br>
On 2017-01-04 17:31, Alex Hall wrote:
<br>
<blockquote type="cite">I'm honestly not sure which file you want,
but my guess is
<br>
share/html/Elements/Tabs. In that file is a line that goes
something
<br>
like:
<br>
<br>
$search->child( users ...
<br>
<br>
If you wrap that bit in a conditional, checking that the active
user
<br>
is not a member of the group as I said in a previous message,
that
<br>
should do the job.
<br>
<br>
On Wed, Jan 4, 2017 at 12:21 PM, Felix Defrance
<a class="moz-txt-link-rfc2396E" href="mailto:felix@d2france.fr">&lt;felix@d2france.fr&gt;</a>
<br>
wrote:
<br>
<br>
<blockquote type="cite">On 04/01/2017 at 15:47, Alex Hall wrote:
<br>
<br>
On Wed, Jan 4, 2017 at 9:35 AM, Felix Defrance
<a class="moz-txt-link-rfc2396E" href="mailto:felix@d2france.fr">&lt;felix@d2france.fr&gt;</a>
<br>
wrote:
<br>
<br>
On 04/01/2017 at 15:10, Alex Hall wrote:
<br>
<br>
Okay, searching users is the problem? I'm not sure, but what
about
<br>
an overlay that conditionally shows that part of page
templates? You
<br>
could create a group to which you'd assign any user you don't
want
<br>
viewing other users, then find the element that displays the
user
<br>
search and add a condition to return nothing if the user
belongs to
<br>
that group?
<br>
Yes, this is a part of the problem. The second, but not
important,
<br>
it's just for the look &amp; feel, the ability to customize "RT at
a glance"
<br>
by user groups.
<br>
<br>
For the first, I don't know how I can do "then find the
element
<br>
that displays the user search and add a condition to return
nothing
<br>
if the user belongs to that group"
<br>
</blockquote>
<br>
In one template, I was able to find this snippet to get the user
<br>
object:
<br>
<br>
my $user = $session{'CurrentUser'}->UserObj;
<br>
<br>
From there, I imagine you could check if the user is a member of
a
<br>
certain group. Then "return 0" or something like that to stop
the
<br>
element from loading. My Perl skills aren't worthy of being
called
<br>
skills in any way, and I've never tried something quite like
this, but
<br>
it's my first thought. Sorry I can't help more; hopefully a more
<br>
experienced user has a much simpler solution for you. :)
<br>
<br>
Do you know if the search menu comes from:
<br>
rt/share/html/Dashboards/Elements/* ? Or from another file?
<br>
<br>
I can't find documentation about these files and what they are
doing
<br>
:(
<br>
<br>
Thanks
<br>
<br>
<blockquote type="cite">On Wed, Jan 4, 2017 at 8:57 AM, Felix
Defrance <a class="moz-txt-link-rfc2396E" href="mailto:felix@d2france.fr">&lt;felix@d2france.fr&gt;</a>
<br>
wrote:
<br>
<br>
On 04/01/2017 at 14:02, Alex Hall wrote:
<br>
<br>
Can you describe your setup more? I'm not sure why
unprivileged
<br>
users would need access to all queue tickets, or why each user
would
<br>
have their own queue? As I understand it, unprivileged users
are end
<br>
users (i.e. customers, those who don't work for your
organization).
<br>
Thus, they shouldn't be able to access an entire queue, only
tickets
<br>
they open. Make them privileged, and restrict their rights by
adding
<br>
them to a certain group, and your life may be a lot easier.
<br>
Yes! In the beginning, that's what I tried to do. Restrict
<br>
privileged users. But I didn't find how to restrict the access
to the
<br>
SearchUser.
<br>
<br>
A member of a queue can search and view all users.
<br>
<br>
In my setup, a queue and a group are dedicated to a customer.
<br>
<br>
A customer should not be able to fetch other information that
is
<br>
not inside of their queue. Thus, not be able to search all
users in
<br>
the RT database.
<br>
<br>
Maybe it's possible to limit the search function to their
queue or
<br>
deactivate the access to the menu search. Do you know about
that?
<br>
<br>
Thanks,
<br>
<br>
For example, you might have a group called "basic users" to
which
<br>
you'd add the users you currently consider unprivileged. That
group
<br>
would have only a few rights, but since its members would be
<br>
privileged, you wouldn't run into RT's built-in restrictions.
<br>
<br>
As to one queue per user, that would quickly get hard to
manage.
<br>
Queues are for organizing tickets and users. Sure, a queue may
have
<br>
just one user, but each user shouldn't have their own queue.
Trying
<br>
to keep track of the rights of such a setup would be a
nightmare,
<br>
assuming you have a good amount of users. As an example, we
have
<br>
queues for technology, warehouse, customer service, and other
<br>
divisions within the company. Some queues have a lot of
people, some
<br>
have a few, but they are all logical groupings of tasks. If I
made a
<br>
new queue for every user, I'd have dozens of them, and tickets
would
<br>
be all over the place! Plus, there's email to consider; if you
want
<br>
to accept incoming emails for ticket replies, you have to make
a new
<br>
Fetchmail or Postfix entry for every single user/queue you
have.
<br>
<br>
I hope this makes some sense. As I said, a lot of this depends
on
<br>
your usage pattern and setup concept. If you can explain that
to us
<br>
more, we might be able to help better.
<br>
<br>
On Wed, Jan 4, 2017 at 3:57 AM, Felix Defrance
<a class="moz-txt-link-rfc2396E" href="mailto:felix@d2france.fr">&lt;felix@d2france.fr&gt;</a>
<br>
wrote:
<br>
<br>
Hello,
<br>
<br>
You're right, this right isn't checked.
<br>
<br>
But I can't view all tickets in selfservice anymore.
<br>
<br>
I verified the same rights in:
<br>
<br>
Admin &gt; Queue, "select the queue name" and Group Rights,
select
<br>
and grant "unprivileged users" to Seequeue &amp; Showtickets
<br>
<br>
In the same section:
<br>
<br>
grant group "company name" to Seequeue &amp; Showtickets
<br>
<br>
But no effect.
<br>
<br>
I tried to add a user to watchers 'CC', and grant watchers 'CC'
to
<br>
Seequeue &amp; Showtickets but no effect either :(
<br>
<br>
Any other ideas?
<br>
<br>
Thanks,
<br>
<br>
Félix.
<br>
<br>
On 03/01/2017 at 18:39, Alex Hall wrote:
<br>
<br>
Have you granted the rights? In Admin > Global > Group
Rights,
<br>
select the "unprivileged users" tab, then grant "view queue".
That
<br>
should help, though our setup is quite different so I can't
verify
<br>
it.
<br>
<br>
On Tue, Jan 3, 2017 at 12:27 PM, Felix Defrance
<a class="moz-txt-link-rfc2396E" href="mailto:felix@d2france.fr">&lt;felix@d2france.fr&gt;</a>
<br>
wrote:
<br>
<br>
Hi all,
<br>
<br>
I can't find how I could add ShowTickets or QueueList in
<br>
SelfService.
<br>
<br>
I want to allow my unprivileged users, grouped by company
name, to
<br>
see all tickets in their queue.
<br>
<br>
The group rights on the queue are correctly defined and users
can
<br>
access the tickets by entering the ticket number in the
"goto
<br>
Ticket" field (top right in SelfService).
<br>
<br>
I have tried to play with CustomRole but it's not working for
me. So
<br>
does anybody know how I can do it?
<br>
Thank you,
<br>
<br>
--
<br>
Félix Defrance
<br>
PGP: 0x0F04DC57
<br>
<br>
--
<br>
<br>
Alex Hall
<br>
Automatic Distributors, IT department
<br>
<a class="moz-txt-link-abbreviated" href="mailto:ahall@autodist.com">ahall@autodist.com</a>
<br>
</blockquote>
<br>
</blockquote>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Félix Defrance
PGP: 0x0F04DC57</pre>
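<p>The approach suggested in the thread (drop the user-search menu entry when the current user belongs to a given group), written as an RT callback instead of an edit to share/html/Elements/Tabs. This is an added example, not code from any poster or from RT itself; the callback name HideUserSearch, the group name Customers and the RT 4.4 menu keys are assumptions. It only removes the menu entry and does not change any rights.</p>

```perl
# Added example, not part of the original thread.
# Assumed location (the callback name "HideUserSearch" is hypothetical):
#   local/html/Callbacks/HideUserSearch/Elements/Tabs/Privileged
# The code below is the body of that Mason component's init section;
# wrap it in the init-section tags when saving the file.

# Hypothetical name of the user-defined group that holds customer accounts.
my $restricted_group = 'Customers';

# Load the group with system privileges so the lookup itself is not
# filtered by the rights of the logged-in user.
my $group = RT::Group->new( RT->SystemUser );
$group->LoadUserDefinedGroup($restricted_group);

# No such group: leave the menu untouched.
return unless $group->Id;

# The snippet quoted in the thread reaches the user through
# $session{'CurrentUser'}; the principal is what membership is checked on.
my $principal = $session{'CurrentUser'}->PrincipalObj;

# Recursive check, so members of nested groups are covered as well.
return unless $group->HasMemberRecursively($principal);

# Top-level "search" menu, assuming the RT 4.4 layout; "users" is the
# child key quoted from share/html/Elements/Tabs in the thread.
my $search = Menu()->child('search');
return unless $search;

# Remove the entry from the rendered menu only. The search page and the
# rights that govern what it returns are not affected by this callback.
$search->delete('users');
```

<p>Because it lives under local/, the callback survives RT upgrades, unlike a direct change to share/html/Elements/Tabs. Clear the Mason cache and restart the web server after adding it.</p>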
</body>
</html>