[rt-users] Reset all ACLs to something sensible

Kenneth Crocker KFCrocker at lbl.gov
Tue May 2 12:46:05 EDT 2006


Philip Kime wrote:
> Greetings,
>    I have an "organically grown" RT system with a rat's nest of a 
> rights matrix. I want to clean this out and start again. I have 
> designed and tested a new set of rights for everyone but I'm wondering 
> as to the best way of getting this implemented. I have the luxury of a 
> development box that I can load snapshots of production onto. I can 
> see the following possibilities:
>  
> * Dump PROD onto DEV, change things, dump ACL table on DEV and import 
> to PROD. But this means PROD has to remain static while this is done 
> otherwise horrible things will happen because of changes to table 
> indices etc. I can't see PROD not being used while this is done so I 
> doubt I can do this.
> * Manually altering all the PROD ACLs. Will take hours. Horrible but safe.
> * Some sort of API on top of SQL like the rt command line to remove, 
> replace and re-define rights?
> * Manual SQL stuff. Shudder.
>  
> Any ideas?
>  
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407
>  
Philip,

    Why go to such trouble? If you have a test system of the same 
version as prod, just create a Queue, create a group, create a person or 
two and start playing with the rights. Hint: try to keep the individual 
stuff to a minimum. By having people in groups (except maybe the 
AdminCc) you don't have to keep defining rights for people. The only 
system group right we have is seeoutgoingmail. The only system group 
right for groups is creating/saving, etc. search queries. For the 
AdminCc, we give him the individual right to see configtab. Everything 
else is in groups and roles. We have created a few extra scrips for our 
approval Queue (1 Queue that handles approvals for about 12 queues that 
belong to the same group manager). But keep playing with it until you 
know what these rights do. Check out the wiki on rights and privileges.

Kenn


