We don't like to give out permissions very generously and since we have so
many Queues, we let the Managers of a Queue decide what access they want
others to have. Consequently, we give a few basic rights out Globally, but
save the heavy stuff on a Queue by Queue basis. This is what we grant:

*System/Everyone*: nada
*System/Unprivileged*: nada
*System/Privileged*: AdminOwnPersonalGroups, CreateOwnDashboard,
CreateSavedSearch, DeleteOwnDashboard, EditSavedSearch, ForwardMessage,
LoadSavedSearch, ModifyOwnDashboard, ModifySelf, SeeDashboard,
SeeOwnDashboard, ShowSavedSearches, SubscribeDashboard - we feel these
rights to be basic to all of our privileged users. They should be able to
see any system dashboards, certainly their own and also any Searches. Since
the ability to save a Search for a group is based on that groups membership,
that part basically takes care of itself.

*Roles/Owner*: ModifyTicket - we don't let anyone but an owner modify Ticket
metadata. CFs and Comments and email are a Queue by Queue thing.
*Roles/AdminCc*: AdminGroupMembership, AdminUsers, AssignCustomField,
ModifyOwnMembership, SeeCustomField, SeeGroup, ShowConfigTab, ShowScrips,
ShowTemplate, WatchAsAdminCc - We use the *AdminCc role* as the *Queue
Manager*, therefore we give them certain rights we don't give to others.
*Roles/Cc*: ReplyToTicket, SeeQueue, ShowTicket, Watch - If you are
designated as a Queue watcher, then you should at least have these rights,
since they all interest you. We let the Queue manager grant other rights at
the Queue level.
*Roles/Requestor*: ReplyToTicket, SeeQueue, ShowTicket, Watch - If you made
the request, you should at least have these rights. We let the Queue manager
grant other rights at the Queue level.

Basic Rights granted at the *Queue level:*

*System/Everyone:* nada
*System/Unprivileged:* nada
*System/Privileged:* CreateTickets - for some Queues. These are usually
Queues that support all the other Queues and therefore could get tickets
from almost any group. For Queues with specific users, this right is granted
only to those groups.
*Roles/Owner:* nada - Already has the ModifyTicket right because of Global
rights. Since the owner is already a member of some support group, all the
other rights they get from being a member of that group.
*Roles/AdminCc:* DeleteTicket, ModifyACL, ModifyQueueWatchers, ModifyTicket,
ShowACL, StealTicket. Since this person *IS* the boss for this Queue, this
person has control over who gets what tickets, who can see the Queue and
certain rights, etc.
*Roles/Cc:* CommentOnTicket, ShowOutgoingEmail, ShowTicketComments - in
case the Queue Manager is allowing Cc Watchers to see and make comments and
see any email.
*Roles/Requestor:* nada - this person has all the rights they're gonna get
Globally. For us, we see Requestors as Customers so we don't want them to
have much control. Seeing their ticket and correspondence is about it.
*User-Defined Groups:* usually there are at least two groups for each Queue,
sometimes a couple more if they have some interest:
*The User group*, which basically makes a request for work. So they get to
see the Queue and create tickets, etc. Maybe (like for QA work) modify a
Custom Field.
*The SupportGroup*: These are the support team that have these rights:
CommentOnTicket, CreateTicket, OwnTicket, ReplyToTicket, SeeQueue,
ShowOutgoingEmail, ShowTicket, ShowTicketComments, TakeTicket, and Watch.
Sometimes a Queue manager will let them StealTickets as well.

Also, we set up our RT_SiteConfig.pm file to turn off StrictACL, which gives
Ticket Owners and AdminCcs (the only ones who can ModifyTicket) the right to
set up links to tickets in other Queues.

Anyway, that's the way we do it. I'm sure your situation is different. Hope
this helps.



On Fri, Apr 23, 2010 at 9:14 AM, Chris Hall <hiro24 at gmail.com> wrote:

> thanks for the speedy reply.
> That's actually how I have it set now, and it works, but like I said, at
> the top it gives a faulty "permission denied".
> This is set on the Corp. Support queue for permissions for the "Helpdesk"
> queue, and the error above occurs when someone in the helpdesk group moves a
> ticket to the Corp. Support queue.  Is there something somewhere else I need
> to set?  when root moves a ticket, no permission denied errors are
> displayed.
> On Fri, Apr 23, 2010 at 12:10 PM, Jerrad Pierce <
> jpierce at cambridgeenergyalliance.org> wrote:
>> On Fri, Apr 23, 2010 at 12:06, Chris Hall <hiro24 at gmail.com> wrote:
>> > Hello all,
>> >
>> > I'm very new to RT, and after shifting around permissions on groups and
>> > queues for a few hours, I'm ready to ask for some help.. btw, documentation
>> > seems very widespread and unfocused, unless I'm looking in the wrong places.
>> Read the book. It's the best place to get a grasp of the fundamentals.
>> The wiki, POD and list archives tend to be for more esoteric issues
>> and customization.
>> > Basically, let's say I have 2 groups w/ a queue each... Helpdesk with a
>> > "Helpdesk queue" and Corp. Support with a "Corp. Support" queue.  I don't
>> > want them to see each other's queues.  However, I would like them to be able
>> > to forward tickets on to the other's queues. What permissions would I need
>> > to set up to make this happen?  I've got it most of the way, to where it
>> > actually works, but when I forward a ticket, at the top in the yellow status
>> > bar it says permission was denied.. though the ticket still seems to
>> > transfer.
>> SeeQueue but not ShowTicket.
>> Although forward is not really the correct term here, one moves tickets
>> between queues.
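
Added example, not part of the original thread and not RT's own code: a small model of the two-tier grant scheme described in the top message (global grants plus per-queue grants), with an audit for the invariants that message states. The names `R`, `BASIC`, `effective_rights` and `audit` are hypothetical; the global Privileged and AdminCc lists are abbreviated, and the User group is assumed to hold only SeeQueue and CreateTicket.

```python
# Added illustration: a model of the grants listed in the message, not RT's API.
def R(names):
    """Turn "A B C" into {"A", "B", "C"}."""
    return set(names.split())

BASIC = R("ReplyToTicket SeeQueue ShowTicket Watch")
GLOBAL = {  # global grants as listed (Privileged and AdminCc lists abbreviated)
    "Everyone": set(), "Unprivileged": set(),
    "Privileged": R("ModifySelf LoadSavedSearch SeeDashboard"),
    "Owner": R("ModifyTicket"),
    "AdminCc": R("SeeGroup ShowScrips ShowTemplate WatchAsAdminCc"),
    "Cc": set(BASIC), "Requestor": set(BASIC),
}
QUEUE = {  # grants on one queue, as listed for the typical case
    "AdminCc": R("DeleteTicket ModifyACL ModifyQueueWatchers ModifyTicket "
                 "ShowACL StealTicket"),
    "Cc": R("CommentOnTicket ShowOutgoingEmail ShowTicketComments"),
    "UserGroup": R("SeeQueue CreateTicket"),  # assumption: just these two
    "SupportGroup": R("CommentOnTicket CreateTicket OwnTicket ReplyToTicket "
                      "SeeQueue ShowOutgoingEmail ShowTicket "
                      "ShowTicketComments TakeTicket Watch"),
}

def effective_rights(principals, queue=QUEUE, glob=GLOBAL):
    """Union of global and queue-level grants over every principal a user holds."""
    held = set(principals) | {"Everyone"}  # every user is a member of Everyone
    rights = set()
    for p in held:
        rights |= glob.get(p, set()) | queue.get(p, set())
    return rights

def audit(queue=QUEUE, glob=GLOBAL):
    """Return violations of the invariants stated in the message."""
    findings = []
    for p in sorted(set(glob) | set(queue)):
        rights = glob.get(p, set()) | queue.get(p, set())  # direct grants only
        if p in ("Everyone", "Unprivileged") and rights:
            findings.append(f"{p} holds {sorted(rights)}")
        if "ModifyTicket" in rights and p not in ("Owner", "AdminCc"):
            findings.append(f"{p} holds ModifyTicket")
        if p == "Requestor" and not rights <= BASIC:
            findings.append(f"Requestor holds {sorted(rights - BASIC)}")
    return findings

if __name__ == "__main__":
    print(sorted(effective_rights({"Privileged", "SupportGroup", "Owner"})))
    print(audit() or "no drift from the stated policy")
```

Running `audit` against a queue's real grant list after a Queue Manager has changed it shows where the queue has drifted from the global baseline.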
