[rt-users] ModifyCustomField conundrum

[Gary Hall]

I'm running RT-3.6.1.

I have separate queues for individual departments.

I have the following requirements:

1. As far as possible, members of the administrator groups in the
individual departments should be able to manage their own queues
and groups.

2. As far as possible, administrators and ticket handlers in the
individual departments should not be able to affect anything outside
their own queues and groups.

3. All administrators, no matter what department they belong to,
should be able to see but not modify another department's queues
(unless the other department objects).

I have things working more or less as I want them. The only glitch
is Custom Fields for tickets. AFAICT, ModifyCustomField can be granted
only at the global level or at the field level. Neither scenario is
ideal.

If the privilege is granted to ticket handlers at the global level,
they are able to change the value of custom fields in other
departments' tickets, violating requirement 3.

If the privilege is to be granted at the field level by departmental
administators, they require ModifyACL at the global level, violating
requirement 3.

If the privilege is to be granted at the field level by a high
level administrator (e.g., moi), departmental administrators will
not be able to add a custom field without help, violating principle 1.

Am I missing something?

-- 
Gary Hall hall at fas.sfu.ca   | Voice (604) 291-5925
Faculty of Applied Sciences | Fax   (604) 291-5404
Simon Fraser University     |
Burnaby, B.C.  V5A 1S6      |