[rt-users] Reset all ACLs to something sensible
Kenneth Crocker
KFCrocker at lbl.gov
Tue May 2 12:46:05 EDT 2006
Philip Kime wrote:
> Greetings,
> I have an "organically grown" RT system with a rat's nest of a
> rights matrix. I want to clean this out and start again. I have
> designed and tested a new set of rights for everyone but I'm wondering
> as to the best way of getting this implemented. I have the luxury of a
> development box that I can load snapshots of production onto. I can
> see the following possibilities:
>
> * Dump PROD onto DEV, change things, dump ACL table on DEV and import
> to PROD. But this means PROD has to remain static while this is done
> otherwise horrible things will happen because of changes to table
> indices etc. I can't see PROD not being used while this is done so I
> doubt I can do this.
> * Manually altering all the PROD ACLs. Will take hours. Horrible but safe.
> * Some sort of API on top of SQL like the rt command line to remove,
> replace and re-define rights?
> * Manual SQL stuff. Shudder.
>
> Any ideas?
>
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>
> Community help: http://wiki.bestpractical.com
> Commercial support: sales at bestpractical.com
>
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com
>
>
> We're hiring! Come hack Perl for Best Practical: http://bestpractical.com/about/jobs.html
Philip,
Why go to such trouble? If you have a test system of the same
version as prod, just create a Queue, create a group, create a person or
two and start playing with the rights. Hint. Try to keep the individual
stuff to a minimum. By having people in groups (except maybe the
Admincc) you don't have to keep defining rights for people. The only
system group right we have is seeoutgoingmail. The only system group
right for groups is creating/saving, etc. search queries. For the
AdminCc, we give him the individual right to see configtab. everything
else is in groups and roles. We have created a few extra scrips for our
approval Queue (1 Queue that handles approvals for about 12 queues that
belong to the same group manager). But, keep playing with it until you
know what these rights do. Check out the WIKI on rights and privileges.
Kenn
More information about the rt-users
mailing list