[rt-users] Rights issue on Configuration -> Global -> RT at a glance on RT 3.8.2

Carlos Garcia Montoro cgarcia at ific.uv.es
Mon Jun 8 07:01:22 EDT 2009


I wanted to grant "ShowConfigTab" only for a few users who are "group 
directors" at my institution, but I don't want that doing so, they can 
modify the /*GLOBAL*/ RT at a glance, as they can do, if they have this 
single right.

Jo, I'm sure that it is the global RT at a glance, because I'm following 
these steps: "Configuration -> Global -> RT at a glance" and because if 
any user who has the ShowConfigTab changes something there, you logout 
and log in as another user, the RT at a glance of the second user has 
changed.

Kenn, the problem is not that they can change their own RT at a glance. 
The problem is that they can change the global RT at a glance...

Perhaps I'm missing something, but at the moment, I don't know what it is.

Thank you again,
Carlos

Ken Crocker wrote:
> Carlos,
> 
>     I'm with Jo on this one. We are on 3.6.4 and I have over 100 users 
> and the majority of them do /*NOT*/ have the "ShowConfigTab" right yet 
> they /*ALL*/ can modify their "RT at a Glance" settings.
> 
> 
> Kenn
> LBNL
> 
> On 6/5/2009 3:13 AM, Jo Rhett wrote:
>> Are you sure it's the global RT At a Glance? It seems everyone can 
>> modify it for themselves...
>>
>> On Jun 5, 2009, at 12:55 AM, Carlos Garcia Montoro wrote:
>>> Hi Kenn, hi everybody,
>>>
>>> Thank you for your answer. I was expecting the same behaviour as you. 
>>> But for my unpleasant surprise, a user who only has
>>> - "ShowConfigTab" global right for himself.
>>> - "ShowApprovalsTab" global right for Privileged users. And
>>> - "CreateTicket" and "SeeQueue" in some queues as Everyone's rights 
>>> in those queues.
>>> can do nothing harmful with the single exception of modifying the 
>>> global RT at a glance.
>>>
>>> This behaviour has surprised me probably as much as you. Because of 
>>> it, I want that someone else checks this configuration in order to 
>>> see whether it is my fault (I am doing something wrong) or it is a RT 
>>> bug (this happens to everybody, but it shouldn't).
>>>
>>> Greetings,
>>> Carlos
>>>
>>> PS: I found somewhere a RT installation for testing purposes, but 
>>> users' grants, including root, were so restricted, that I couldn't 
>>> reproduce the configuration I wanted.
>>>
>>> Ken Crocker wrote:
>>>> Carlos,
>>>>    I may be mistaken, but I think the "ShowConfigTab" merely allows 
>>>> the user to see that tab and the functions under it. The user still 
>>>> needs to have other rights (like "ShowTemplate" and 
>>>> "ModifyTemplate") in order to see/modify templates and I'm sure the 
>>>> same situation exists for other objects to be modified.
>>>> Kenn
>>>> LBNL
>>>> On 6/4/2009 2:54 AM, Carlos Garcia Montoro wrote:
>>>>> Sorry for posting this twice, but I'm trying to make it shorter.
>>>>>
>>>>> Please, can anyone confirm me that a user who only has the global 
>>>>> right "ShowConfigTab" is able to modify the global RT at a glance?
>>>>>
>>>>> I'm using RT 3.8.2 and I would like to know if either I'm doing 
>>>>> something wrong or this is the expected behaviour. If this were the 
>>>>> second case, should this be considered a bug?
>>>>>
>>>>> For a longer explanation, attached you can find my previous message.
>>>>>
>>>>> Thanking you in advance,
>>>>> Carlos
>>>>>
>>>>> ------------------------------------------------------------------------ 
>>>>>
>>>>>
>>>>> Subject:
>>>>> [rt-users] Rights issue on Configuration -> Global -> RT at a 
>>>>> glance on RT 3.8.2
>>>>> From:
>>>>> Carlos Garcia Montoro <cgarcia at ific.uv.es>
>>>>> Date:
>>>>> Fri, 29 May 2009 12:18:06 +0200
>>>>> To:
>>>>> rt-users at lists.bestpractical.com
>>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> I've a question/request about RT that I have been neither able to 
>>>>> resolve from myself, nor have I found it at the RT wiki or googling 
>>>>> this mailing list.
>>>>>
>>>>> I'm newbie using RT. I'm installing an organizational RT (ver. 
>>>>> 3.8.2). We have some departments that are autonomous of each other. 
>>>>> Thus, I want to grant some privileges for every admin group of each 
>>>>> department. I want to allow them to handle their own queues, 
>>>>> groups, etc. But I also want not to allow them to modify others 
>>>>> space. I have achieved this configuration, i.e. admins are only 
>>>>> able to see their groups, admins can see all queues but they are 
>>>>> only allowed to modify some properties (Cc, AdminCc,...) of their 
>>>>> own queues but not other queues. In order to do that I have granted 
>>>>> them the global right "ShowConfigTab". Otherwise they had rights 
>>>>> but they couldn't use them (they couldn't modify group membership 
>>>>> of their groups,...).
>>>>>
>>>>> The problem I'm suffering is this: When I grant the "ShowConfigTab" 
>>>>> right to a user or group, I'm also granting privileges to modify 
>>>>> the global RT at a glance. Let me show an example: Let me create a 
>>>>> user foo who can be granted rights ("Let this user be granted 
>>>>> rights" is checked). This new user isn't a member of any group, so 
>>>>> he has no right rather than "Everyone" and "Privileged". At this 
>>>>> moment, global rights for these groups are the default (no global 
>>>>> right for "Everyone", and only "ShowApprovalsTab" for 
>>>>> "Privileged"). In some queues "Everyone" has two rights 
>>>>> "CreateTicket" and "SeeQueue", but as far as I know they only grant 
>>>>> privileges for creating a new ticket in these queues. Let this user 
>>>>> be granted the global "ShowConfigTab" right ( "Configuration" -> 
>>>>> "Global" -> "User Rights", and there foo is granted to 
>>>>> "ShowConfigTab"). Now let foo log in. This user can see the 
>>>>> configuration tab, but he can't modify anything since he is not 
>>>>> allowed to. If he tries to modify anything RT won't allow it and 
>>>>> foo will read a permission denied message. But if foo goes to 
>>>>> "Configuration" -> "Global" -> "RT at a glance" and there he 
>>>>> deletes "QuickCreate", RT allows it saying "Global portlet body 
>>>>> saved.". Now let the privileged user bar log in. The RT at a glance 
>>>>> of bar has no longer the "QuickCreate" frame when it previously had 
>>>>> it. Hence, I don't want to grant foo the right of modifying the 
>>>>> global RT at a glance!
>>>>>
>>>>> Is it the expected behaviour? Am I missing anything or doing 
>>>>> something wrong?
>>>>>
>>>>> Thank you,
>>>>> Carlos
>>>>>
>>>>> _______________________________________________
>>>>> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>>>>>
>>>>> Community help: http://wiki.bestpractical.com
>>>>> Commercial support: sales at bestpractical.com
>>>>>
>>>>>
>>>>> Discover RT's hidden secrets with RT Essentials from O'Reilly 
>>>>> Media. Buy a copy at http://rtbook.bestpractical.com
>>>>>
>>>
>>> -- 
>>> _______ _______________________________________________________________
>>> | __ __ | Carlos García Montoro                    Ingeniero Informático
>>> |_\_Y_/_| Instituto de Física Corpuscular         Centro Mixto CSIC - UV
>>> |\_] [_/| Servicios Informáticos
>>> |  [_]  | Edificio Institutos de Investigación        cgarcia at ific.uv.es
>>> |C S I C| Apartado de Correos 22085 E-46071 Valencia  Tel: +34 963543706
>>> |_______| España / Spain                              Fax: +34 963543488
>>

-- 
  _______ _______________________________________________________________
| __ __ | Carlos García Montoro                    Ingeniero Informático
|_\_Y_/_| Instituto de Física Corpuscular         Centro Mixto CSIC - UV
|\_] [_/| Servicios Informáticos
|  [_]  | Edificio Institutos de Investigación        cgarcia at ific.uv.es
|C S I C| Apartado de Correos 22085 E-46071 Valencia  Tel: +34 963543706
|_______| España / Spain                              Fax: +34 963543488