[rt-users] 3.6.0rc3: giving groups modification rights on members of other groups?

Jesse Vincent jesse at bestpractical.com
Thu Jun 1 15:42:25 EDT 2006




On Thu, Jun 01, 2006 at 12:05:07PM -0600, Ole Craig wrote:
> On Thu, 2006-06-01 at 13:43 -0400, Jesse Vincent wrote:
> > 
> > 
> > On Thu, Jun 01, 2006 at 11:33:18AM -0600, Ole Craig wrote:
> > >         Is it possible for a user-defined group to get the "AdminUser"
> > > right but only for selected users? i.e. I've got a U-D group "support".
> > > I'd like members of the Support group to be able to modify user
> > > information for unprivileged users, but not for members of other
> > > user-defined groups.
> > >
> > 
> > Sorry. That's not currently possible.
> 
>         Urk. That's... dismaying. Has anyone ever asked before? I
> couldn't find anything in the archives, but it seems like an obvious
> "want" feature to me, in that I'd like my support staff brethren to be
> able to add notes about particular customers and update phone numbers
> and such, but I don't want them to modify the user records for the
> executive team (for instance.)

You're welcome to have your money back ;) Seriously, though, it's a
feature that I'd find useful, but isn't something we've ever _needed_ in
house or at any customer site. If you hack it together in a way that
would be a sane RT core change, it's something I'd be happy to see in a
future release.

>         In re-reading my screed I realize that my logic was overly
> fuzzified during verbalization: support staff should be able to modify
> the user record of any member of a particular group (regardless of that
> user's other group memberships) as long as the support group has been
> given the appropriate rights for the target group. 


It was clear. More often, I see this requirement as "Customer service
should be able to modify user attributes for unprivileged users. Your
description is a reasonable generalization.

>         Given the immediacy and brevity of Jesse's answer, I suspect
> that's a distinction that fails to make a difference, but clearer logic
> is always useful. Particularly since I may have to try and hack the
> functionality in somehow, so I'm attempting to flesh out the equivalence
> cases...

The brevity was actually likely due to the fact that I'm crunching on
way too many things but still want to be at least marginally useful to
the community. It seemed like I could give you a "nope, it's not there".
I didn't mean it to sound abrasive. Sorry if I did. 

	Best,
	Jesse





> -- 
> /Ole Craig
> Security Engineer
> 
> 303-381-3802 (main support hotline)
> 303-381-3824 (my direct line)
> 303-381-3801 (fax)
> 
> www.stillsecure.com
> . . .
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
> 
> Community help: http://wiki.bestpractical.com
> Commercial support: sales at bestpractical.com
> 
> 
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
> Buy a copy at http://rtbook.bestpractical.com
> 
> 
> We're hiring! Come hack Perl for Best Practical: http://bestpractical.com/about/jobs.html
> 

-- 



More information about the rt-users mailing list