[rt-users] Precedence for group rights for custom fields vs. queue

Fri Nov 14 17:45:28 EST 2008

Hi List,

I've run up against something in RT that does not work intuitively for me. I
apologize up front for the length of this e-mail, but I wanted to provide
all pertinent background so others can understand the problem I face.

Background:

I've created a workflow in RT that utilizes a couple of different queues.  Our
Customer Service department enters a ticket in one queue ("Sales Order") and
when ready to send the item on for approvals, transfers the ticket to an
approval queue ("Sales Order Approval") which then triggers scrips to e-mail
a string of approvers in a particular order.  The way this works is each
group of approvers have certain custom fields that they edit and when an
authorized approver user fills in all their required fields, a scrip
executes which then e-mails the next approver in line with a ticket link so
they can fill in their custom fields.  At the end of a long string of
reviewers filling in their fields, the scrip e-mails notification to the
ticket owner that the approval is completed and transfers the ticket back to
the "Sales Order" queue, modifying the ticket subject to indicate it's
completed.

Group rights have been set up on the "Sales Order" queue so tickets can only
be created and modified by Customer Service.  For the approval queue, all
groups of approvers have the right to modify tickets.  The individual custom
fields that hold the approval information are controlled, however, by group
rights tied to the approving individuals for each step in the approval
process, thereby disallowing approvers from different teams the ability to
overwrite each other's custom fields for approval.

This system, while it sounds complicated, actually works simply and
automatically and has effectively replaced a manual sign off process that
previously existed.

The Problem:

At one point a requirement was submitted to allow approvers the ability to
see previously signed off tickets. This was implemented using group rights
on the "Sales Order" queue that provided ticket viewing rights, but no
"write" rights for approvers.  The thought was that as long as the ticket
sat in a queue where the user can see the tickets but cannot modify them,
then there should be no chance for a reviewer to modify their previous
approval.  What I have found though is that it appears the group right which
allows access to modify a custom field seems to override the group right on
the queue that disallows modification to the ticket.   This means an
approver who was simply allowed to view tickets in the queue can still
change their custom field data after it's gone through the complete review
cycle, something we do not want.

Are custom field group rights supposed to override queue group rights?

If this is the current design, is this a bug or oversight or is it
intentional?

If anyone else has encountered this, are there any hacks to fix it?

Many thanks in advance.

Jon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20081114/a5bd4ab1/attachment.htm>