[rt-users] Rights, rights, rights...

Kenneth Crocker KFCrocker at lbl.gov
Thu Feb 7 14:00:04 EST 2008


Jean-Sebastien,


	It looks better, that's for sure. Let me show what I have, with an 
explanation for why, and you can take it from there, Obviously, every 
installation will have it's different infrastructure needs, but on the 
whole, what I'm doing and (more importantly) WHY will provide more 
instruction and understanding of how these rights work. I'm absolutely 
sure that anyone who has used RT with more than 10 queues (especially 
for technical support) for more than a couple years would be able to 
show you the same stuff as I'm about to. Here we go:

Global Rights:
	1. Everyone: none. We only allow privileged users to use our system and 
anyone with an LDAP userID and password can sign on and become one.
	2. Privileged: "CreateSavedSearch", "EditSavedSearch", 
LoadSavedSearch", "ShowSavedSearch", and "ModifySelf". With the 
exception of "ModifySelf", these rights get (to use your term) INHERITED 
the moment a user has the rights to see tickets in a queue. Rather than 
setting up these rights at the queue level for specific groups or roles, 
I did it once at the Global level because without the rights to see 
tickets at the queue level, they are meaningless. That way, I can focus 
on ticket rights at the queue level without adding search rights. 
"ModifySelf" is required for us because we want people (LDAP) to be able 
to sign-in themselves and this right allows that within our "AutoCreate" 
set up.
	3. Unprivileged: none. This entity does not exist in our system.

Roles:
	1. AdminCc: We use the AdminCc as a "Queue Manager". So there are some 
rights we grant globally because it would be redundant at the queue 
level and some at the queue level for security reasons. For example, if 
we granted "ModifyTicket" for the AdminCc at the Global level, then this 
person could modify a ticket in a queue they do NOT manage.
	"AdminGroupMembership" - we allow our Queue managers to add users to 
any group they see fit. It's based on their own need and that way I 
don't have to go around adding users to groups all the time. Let them do 
the work.
	"AssighCustomFields" - we grant this right because we don't want Tom, 
Dick, and Harry creating a bunch of misnamed, misused, redundant Custom 
Fields and then have to undo the mess. This allows the AdminCc to see 
any and all Custom Fields and use what they need for their queue.
	"DelegateRights" - we grant this right because it allows the AdminCc to 
"grant" rights (up to and only those granted TO the AdminCc) to groups 
that will be accessing that particular queue.
	"ModifyACL" - This allows the AdminCc to modify any ACL (Access Control 
List) that they create.
	"ModifyOwnMembership" - allows modification of membership of any group.
	"SeeGroup" - We want all Queue managers/AdminCc's to see all groups. 
They may need to give one rights to their queue and I don't want to have 
to do it.
	"ShowConfigTab" - AHA! This is the right that saves me time as it 
allows our Queue Managers to do some of this work (i.e. 
AdminGroupMembership).
	"ShowScrips" - We want our Queue Managers to know what's scrips are 
blobal and that way they can use them as examples for any "queue-level" 
scrip they want to add to their own queue.
	"ShowTemplate" - same as above.
	"WatchAsAdminCc" - This gives the right to add oneself as an "AdminCc" 
of any ticket and therefore receive any correspondence that is normally 
sent to AdminCc's due to scrips for tickets in that queue. Although this 
seems like it should be at the queue level, we grant the AdminCc a 
certain amount of freedom. Let's say they are interested in a ticket 
they depend on, but is NOT in their queue. They may want to see the 
correspondence going on for that ticket.
	2. CC: For us, a CC is an "interested" party that wants to receive 
communication of what's going on in a queue.
	"ReplyToTicket" - this allows all CC's for all queues to reply to any 
correspondence that is sent to them, regardless of queue. Usually, they 
only get the correspondence for the queue they are listed as CC for, so 
there's no problem. However, if they are listed as a CC on a ticket in a 
different queue and received email from a ticket, they could now reply.
	"SeeQueue" - the CC can look at what tickets are in the queue via 
WebUI. By making this right global, it is "inherited" by the CC listed 
as a CC watcher for a queue.
	"ShowTicket" - the CC can look at each individual ticket in that queue. 
By making this right global, it is "inherited" by the CC listed as a CC 
watcher for a queue.
	"Watch" - the CC can add themselves as the CC on any ticket they might 
be interested in.
	3. Owner: For us, this is the person that works on the request ticket. 
Makes modifications to the ticket to show progress, change status, 
dates, etc. "THERE CAN BE ONLY ONE!". For you "highlander" fans, we feel 
that the only person who should have complete modification rights to a 
ticket is the owner (and maybe the Queue manager/AdminCc). Therefore, we 
grant this right globally to save us the queue level maintenance. When 
we create a new queue for a new software application, we DON'T have to 
grant this right.
	4. Requestor: For us, this is the person making the request/sending in 
a email ticket. We want certain rights to be inherited at the queue 
level for all requestors, regardless of queue.
	"ReplyToTicket" - the ability to correspond about their OWN ticket.
	"SeeQueue" - the ability to see their ticket in the queue it was sent to.
	"ShowTicket" - the ability to "see" their ticket, depending on what 
rights are granted to the requestor at the queue level. For example, one 
Queue Manager/AdminCc may grant the right to "ShowTicketComments" and 
another may not. So this global right will not grant them the right to 
see comments or outgoing email or to comment on a ticket, etc.
	"Watch" - As the requestor of "their" ticket, we want them to inherit 
the ability to add an interested party as a "cc" on "their" ticket.


Queue-Level Rights: On a queue by queue basis, we let the Queue 
Manager/AdminCc grant/modify/remove certain rights for System level 
users, Roles, and user-defined groups. An example of these rights follows:

System Groups:
	1. Everyone: none.
	2. Privileged: "CreateTicket". This right is not granted on the global 
level because there are some queues that do NOT WANT to get tickets from 
just anyone. So we let them decide. If they do, they grant that 
privilege here. If not, they grant it to certain user-defined groups.
	3. UnPrivileged: none.

Roles:
	1. AdminCc; Again, for us, the AdminCc is the "BOSS" of a queue. They 
create, assign, delete tickets. We grant these rights at the queue level 
because it might cause trouble at the global level (or already HAS):
	"CreateTicket" - the AdminCc of a queue should be able to create ticket 
for their own support team/group.
	"DeleteTicket" - same as above.
	"ModifyACL" -  Same as global right but at queue-level. This keeps 
AdminCc's of other queues from messing with the rights in other queues.
	"ModifyQueueWatchers" - again, for THIS queue, we want the AdminCc to 
decide who can use "their" queue.
	"ModifyTickets" - This allows the queue manager to override dates, etc. 
on a ticket in the queue they manage, not just the owner.
	"ShowACL" - let's the boss see what's up in "their" queue.
	"StealTicket" - the boss can also "re-assign" a ticket to a different 
team/group member.
	2. CC; usually none. We do have a few queues where the AdminCc wants 
the CC to see any correspondence they get so they grant "WatchAsAdminCc".
	3. Owner; Maybe "DeleteTicket". It depends on how the AdminCc wants to 
manage the tickets. Sometimes only the AdminCc can delete a ticket.
	4. Requestor; In addition to the global rights they inherit, the 
AdminCc may allow them to:
	"CommentOnTicket" - this let's the requestor add their own comments to 
a ticket without letting them "Modify" a ticket in other areas.
	"ShowOutgoingEmail" - this allows the requestor to see the 
correspondence on a ticket. Some queue managers may NOT want that.
	"ShowTicketComments" - this allows the requestor to see the comments 
made on a ticket. Some queue managers may NOT want that (nasty comments 
about the IQ of the requestor) so it isn't granted at all.

User-Defined Groups: For each queue (1 queue per application software), 
there is (usually) 1 or more user groups that can send/create tickets. 
There is only 1 group that is allowed to do the technical support. So, 
the rights granted a specific to queue/function.
	1. User (requeator) group: these are the users that the queue manager 
allows to create request tickets. Their rights are:
	"CommentOnTicket" - well, maybe. Depends on the boss.
	"CreateTicket" - well, duh. that's the whole point here.
	"ReplyToTIcket" - this may seem redundant to the same right for 
requestors. NOT. It allows OTHER members of the requestor users group to 
respond to ticket correspondence on ticket they did NOT send/create. If 
the ticket is part of a project that has bunchs of children and 
dependencies, I may want all members ot that request "group" to 
participate at this level.
	"SeeQueue" - allows all members of the group (not just the requestor) 
to see what's in the queue.
	"ShowOutgoingEmail" - this allows the group to see the correspondence 
on a ticket. Some queue managers may NOT want that.
	"ShowTicket" - this allows the group to see any ticket in the queue. 
Some queue managers may NOT want that.
	"ShowTicketComments" - this allows the group to see the comments made 
on a ticket. Some queue managers may NOT want that (nasty comments about 
the IQ of the requestor) so it isn't granted at all.
	"Watch" - same as global right but just for this queue/group.

	2.Support group (usually technical support): we have only one of these 
per queue. We don't want others fooling around and messing with tickets 
they are not supporting.
	"CommentOnTicket" - everyone in the group can add their comments to any 
ticket in the queue. Support on a project level may easily need this.
	"CreateTicket" love those children.
	"OwnTicket" - obvious.
	"ReplyToTicket", "SeeQueue", "ShowOutGoingEmail", "ShowTicket", 
"ShowTicketCOmments", "StealTicket" (maybe. if the boss allows), 
"TakeTicket", "Watch" - these are all pretty self explanatory and we 
want our support team to be able to have them.

	Anyway, after reading this you should be able to evaluate your needs 
(in terms of rights) a little better. Hope it helps.


Kenn
LBNL



On 2/7/2008 7:09 AM, Jean-Sebastien Morisset wrote:
> On Wed, Feb 06, 2008 at 11:19:48AM -0800, Kenneth Crocker wrote:
>> 	Whew! You have really given alot of people alot of rights.
> 
> Kenneth and Ruslan,
> 
> Thanks for your feedback! I did a lot of testing, and wasn't sure if you
> inherited rights or not, so many of the basic rights were duplicated.
> Thanks for explaining that bit. :-)
> 
> Ok, so a brief description of our processes is in order... It's very
> simple really... Anyone can open a ticket. Requestors should be able to
> view and reply to their own ticket. Anyone else should be able to view
> all tickets, add themselves as CC, but not modify tickets that aren't
> theirs. We have 3-4 queues, and most of the requests will be coming in
> by e-mail, sorted (by procmail), and a ticket opened in the appropriate
> queue. Specific groups, like "Telecom" for example, have priviledges to
> work on tickets in their own queue (also called "Telecom"). They should
> also be able to transfer tickets to other queues in case someone sent
> their e-mail to the wrong queue. The "Management" group should have the
> ability to modify any ticket in any queue.
> 
> So, in a nutshell, that's about it.
> 
> After your comments, I made the following adjustments:
> 
> Configuration -> Global -> Group Rights:
> 
> Everyone   
>     CreateTicket
>     SeeCustomField
>     
> Privileged	
>     CreateSavedSearch
>     CreateTicket
>     EditSavedSearches
>     LoadSavedSearch
>     ModifySelf
>     SeeCustomField
>     SeeGroup
>     SeeQueue
>     ShowSavedSearches
>     ShowTicket
>     Watch
> 
> User defined groups: Management
>     ModifyQueueWatchers
>     ModifyTicket
>     OwnTicket
>     ReplyToTicket
>     ShowACL
>     ShowOutgoingEmail
>     ShowScrips
>     ShowTemplate
>     ShowTicketComments
>     StealTicket
>     TakeTicket
>     WatchAsAdminCc
> 
> There's also an RT-Admin group to manage users and RT configs:
> 
> RT-Admin   
>     AdminAllPersonalGroups
>     AdminCustomField
>     AdminGroup
>     AdminGroupMembership
>     AdminOwnPersonalGroups
>     AdminQueue
>     AdminUsers
>     AssignCustomFields
>     ModifyACL
>     ModifyCustomField
>     ModifyOwnMembership
>     ModifyQueueWatchers
>     ModifyScrips
>     ModifyTemplate
>     ModifyTicket
>     ShowACL
>     ShowConfigTab
>     ShowOutgoingEmail
>     ShowSavedSearches
>     ShowScrips
>     ShowTemplate
>     ShowTicket
>     ShowTicketComments
> 
> For each Queue ("Telecom" in this example), I have additional rights for
> the associated group. I've specified some AdminCCs by default because
> we're transitioning from an e-mail based process. Eventually I'll remove
> the AdminCCs and create a Scrip/Template to e-mail the group members
> when a ticket is created in their queue. After that it'll be up to them
> to decide if they want to own the ticket or add themselves as Ccs or
> AdminCcs.
> 
> Configuration -> Queues -> Telecom -> Watchers:
> 
> Administrative Cc:
>     Telecom
>     Management 
> 
> Configuration -> Queues -> Telecom -> Group Rights:
> 
> User defined groups: Telecom
>     CommentOnTicket
>     ModifyTicket
>     OwnTicket
>     ReplyToTicket
>     ShowOutgoingEmail
>     ShowTicketComments
>     StealTicket
>     TakeTicket
>     WatchAsAdminCc
> 
> BTW, I appreciate your time with this. The faster I can tweak this
> config, the better chance it'll be adopted. Our current e-mail based
> process has to go... :-)
> 
> I should also mention that I've configured the ___Approval queue. For
> some reason it's showing up on the user's home page. I thought the
> ___Approval queue would be hidden... Should it be?
> 
> I'm still tweaking the approval process. There's some conflicts between
> the global scrips and the approval queue scrips. For example, the global
> scrip "On Create Notify AdminCcs with template Transaction" and the
> ___Approval queue scrip "On Create Notify AdminCcs with template New
> Pending Approval". It looks like I'll have to move that global scrip
> into each queue instead to avoid duplicate e-mails with the ___Approval
> queue.
> 
> Thanks!
> js.




More information about the rt-users mailing list