[rt-users] Modify without ModifyTicket?

Kenneth Crocker KFCrocker at lbl.gov
Fri Dec 7 13:16:58 EST 2007


Christopher,

	Custom Fields for "tickets" have two areas where privileges can be 
granted and both should be looked at and set. Navigate thus 
Configuration>CustomFields>(select field)>Applies To. This will tell you 
which queues are using it on their tickets. If a user/group member 
doesn't have rights to that queue, they won't be able to see/modify a 
ticket their, let alone see/modify any CF's that are applied. Also, even 
if a group HAS the right to see/modify a queue/ticket AND have the 
rights to see/modify a CF, if the CF isn't applied to the queue where 
that particular group has access, it cannot be seen/modified. Now, 
navigate thus, Configuration>CustomFields>(select field)>Group rights. 
This will tell you who can do what to this particular CF on the basis of 
System/User defined groups, IF that CF has been applied to the queue 
where they want to see/modify it. Notice their are no roles listed. 
That's because ticket CF's do not relate to owner's or requestors, etc. 
They relate to Queue/Tickets only. Now, the privilege "AdminCustomField" 
means that a particular user/group can change the way the CF is set 
up,like add values, change sort sequences, type (select one value, Fill 
in one text, etc.), description, etc. This right should be reserved for 
the Admin person, the one in charge of the RT system. Otherwise, you 
might end up with one person updating another person's CF and you get 
all kinds of trouble from that.
	So, basically (in a general way), a CF should be setup by Admin types 
(System and/or Queue) and the see/modify privileges should be given to 
the user groups that have access to the queues WHERE the CF is applied.
	I like your setup of granting the Global right "ReplToTicket" to all 
Privileged Users and having everything else on the group basis. It's 
simpler and easier to maintain. You might want to add the following 
rights to all Privileged users as well; "CreateSavedSearch", 
"EditSavedSearches", "LoadSavedSearch", "ShowSavedSearches", and 
"ModifySelf". This will allow these privileges ONLY if they are in a 
group that has rights ("SeeGroup", "ShowTicket") to a queue. That way 
you don't have to grant those rights more often on a group basis, etc.
	For those people with limited rights (comment, etc.) as a group to a 
queue, that group should NOT have "ModifyCustomField" rights to that CF. 
Hope this helps.


Kenn
LBNL

On 12/6/2007 5:22 PM, Christopher Short wrote:
> Thanks Kenneth, I hadn't heard of RTx::RightsMatrix before, I'll give it a go.
> 
> However, I don't have any (additional) rights for owners on that group or globally. In our system all Privileged users have ReplyTicket, everything else is on a Group basis.
> 
> Hmmm maybe I added custom fields with global privileged modify access. Aha!
> (But the original problem was the "worked" field which seems like a loophole in RT, people with Comment rights can edit several fields on the Comment screen, including Worked)
> cheers,
> Christopher
> 
> -----Original Message-----
> From: Kenneth Crocker [mailto:KFCrocker at lbl.gov]
> Sent: Friday, December 07, 2007 4:52 AM
> To: Christopher Short
> Cc: rt-users at lists.bestpractical.com
> Subject: Re: [rt-users] Modify without ModifyTicket?
> 
> Christopher,
> 
>         What rights have you given the role "owner" both globally and for that
> queue? CommentOnTicket allows modification ONLY to the comments part of
> a ticket, not the status or dates, etc. Do you have RightsMatrix? That
> will help a great deal in finding out "who" can do "what" and "where"
> and thru what rights. You could have inadvertently granted some rights
> thru "fall-thru" inclusion to rights for roles. Hope this helps.
> 
> 
> Kenn
> LBNL
> 
> On 12/5/2007 11:06 PM, Christopher Short wrote:
>> Hi,
>>
>> I have users who can modify tickets in a queue that I didn't expect.
>>
>>
>>
>> All those users are are assigned to just one group with these
>> permissions on the queue:
>>
>>
>>
>> CommentOnTicket
>> OwnTicket
>> SeeQueue
>> ShowTicket
>> ShowTicketComments
>>
>>
>>
>> The only other thing that applies to them is the Everybody group with
>> ReplyTicket. Privileged has no added rights.
>>
>>
>>
>> Is ModifyTicket implied by OwnTicket? I've seen comments that imply that
>> it isn't.
>>
>>
>>
>> Christopher
>>
>> (RT 3.6.1)
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>
>> SAVE THOUSANDS OF DOLLARS ON RT SUPPORT:
>>
>> If you sign up for a new RT support contract before December 31, we'll take
>> up to 20 percent off the price. This sale won't last long, so get in touch today.
>>     Email us at sales at bestpractical.com or call us at +1 617 812 0745.
>>
>>
>> Community help: http://wiki.bestpractical.com
>> Commercial support: sales at bestpractical.com
>>
>>
>> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
>> Buy a copy at http://rtbook.bestpractical.com
> 
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
> 
> SAVE THOUSANDS OF DOLLARS ON RT SUPPORT:
> 
> If you sign up for a new RT support contract before December 31, we'll take
> up to 20 percent off the price. This sale won't last long, so get in touch today. 
>     Email us at sales at bestpractical.com or call us at +1 617 812 0745.
> 
> 
> Community help: http://wiki.bestpractical.com
> Commercial support: sales at bestpractical.com
> 
> 
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
> Buy a copy at http://rtbook.bestpractical.com
> 




More information about the rt-users mailing list