[rt-users] General permissions question

Kenneth Crocker kfcrocker at lbl.gov
Mon Oct 25 13:08:43 EDT 2010


Josh,

You can do what you want.
By watching this list, I've noticed there are hundreds of installations that
do things differently. Some let the Requestors modify their own tickets,
etc.
What I put down was just a suggestion for you and it will most likely not
apply for others.

Kenn
LBNL

On Mon, Oct 25, 2010 at 5:44 AM, Josh Narins <jnarins at seniorbridge.com> wrote:

>  Ken, thanks for your time.
>
>
>
> While the below looks really good both in the sense that it appears to be
> consistent and in the sense you've laid it all out for me, could I get
> someone else's opinion on it?
>
>
>
> Ruslan or Jesse perhaps?
>
>
>
> If it all looks good, then maybe (it could get posted|I could post it) to
> the wiki as an example?
>
>
>
> Thanks,
>
> Josh
>
>
>
>
> *Josh Narins*
>
> Director of Application Development
> SeniorBridge
> 845 Third Ave
> 7th Floor
> New York, NY 10022
> Tel: (212) 994-6194
> Fax: (212) 994-4260
> Mobile: (917) 488-6248
> jnarins at seniorbridge.com
> seniorbridge.com <http://www.seniorbridge.com/>
>
> *From:* rt-users-bounces at lists.bestpractical.com [mailto:
> rt-users-bounces at lists.bestpractical.com] *On Behalf Of *Kenneth Crocker
> *Sent:* Friday, October 22, 2010 12:50 PM
> *To:* rt-users at lists.bestpractical.com
> *Subject:* Re: [rt-users] General permissions question
>
>
>
> Josh,
>
> We never grant rights to individual users, too much maintenance. I agree
> with Jesse (DUH!) to create a SuperUser Group like "System Admins", then
> another called "Technical Support". I'd set rights as follows:
>
> Global System Rights:
>
>    - Privileged:
>       - CreateOwnDashboard
>       - CreateSavedSearch
>       - DeleteOwnDashboard
>       - EditSavedSearch
>       - ForwardMessage
>       - LoadSavedSearch
>       - ModifyOwnDashboard
>       - ModifySelf
>       - SeeOwnDashboard
>       - * SeeQueue (*you might want this only at a "Queue" level*)
>       - ShowSavedSearch
>       - * ShowTicket (*you might want this only for "Roles" and the
>         "support" group*)
>       - SubscribeDashboard
>       - Watch
>
> This set will allow all users rights to their own Searches, Searches saved
> for groups they are in & Dashboards, set up subscriptions for any Dashboard
> they have access to & modify themselves & add watchers to tickets they are
> watchers on (basically, add Cc's).
>
>    - Everyone:
>       - ReplyToTicket
>       - CreateTicket
>
> This allows anyone to create a ticket and reply to email if sent to them
> from RT. If you have some form of externalAuth going on, that will keep the
> spam out.
>
>    - Roles:
>       - Owner;
>          - ModifyTicket (a no brainer)
>          - * SeeQueue & ShowTicket Comments, etc if not by group
>       - AdminCc (*we use AdminCc like a "Queue Manager"*);
>          - AdminUsers (*Sys Admin only?*)
>          - AdminCustomFields (*Sys Admin only?*)
>          - AssignCustomFields (*we don't want just anyone messing with
>            these*)
>          - ModifyACL (*you may want to keep this at the "Queue" level or
>            not at all and just let "SuperUsers" do it*)
>          - ModifyOwnMembership
>          - ModifyQueueWatchers (*you may want to keep this at the "Queue"
>            level or not at all and just let "SuperUsers" do it*)
>          - ModifyScrips (*you may want to keep this at the "Queue" level
>            or not at all and just let "SuperUsers" do it*)
>          - ModifyTemplate (*you may want to keep this at the "Queue" level
>            or not at all and just let "SuperUsers" do it*)
>          - ShowACL (*you may want to keep this at the "Queue" level or not
>            at all and just for "SuperUsers"*)
>          - SeeCustomFields (*ditto*)
>          - SeeGroup
>          - * SeeQueue & ShowTicket Comments, etc if not by group
>            (*SuperUser*)
>          - ShowConfigTab (*Sys Admin only?*)
>          - ShowScrips (*Sys Admin only?*)
>          - ShowTemplate (*Sys Admin only?*)
>          - StealTicket (*you may want to keep this at the "Queue" level or
>            let Support group do it*)
>          - WatchAsAdminCc
>          - *You might want to put some of these rights at the Queue level*
>       - Cc;
>          - SeeQueue (*if not given to "Privileged"*)
>          - ShowTicket (*if not given to "Privileged"*)
>       - Requestor
>          - SeeQueue (*if not given to "Privileged" or Support Group*)
>          - ShowTicket (*if not given to "Privileged" or Support Group*)
>
> Since your "Users" that create tickets will only use email, these two
> rights above would allow them to see ONLY their tickets if they were to
> ever sign into the WebUI.
>
>    - User-Defined Groups:
>       - SystemAdmin;
>          - SuperUser
>       - Technical-Support (you may want to keep some of these rights for
>         this group at the "Queue" level)
>          - CommentOnTicket
>          - DeleteTicket
>          - ModifyCustomField (may want this at the "Queue" level)
>          - ModifyTicket (*ONLY if you want members of the group to be
>            able to modify someone else's ticket* - Owners already have this
>            right)
>          - OwnTicket
>          - SeeCustomField
>          - ShowOutgoingEmail
>          - ShowTicket
>          - ShowTicketComments
>          - StealTicket (*you may want to keep this at the "Queue" level*)
>          - TakeTicket
>
> Well, anyway, I'm sure you can get the gist of this. Hope this helps.
>
> Kenn
> LBNL
>
> On Fri, Oct 22, 2010 at 6:34 AM, Josh Narins <jnarins at seniorbridge.com>
> wrote:
>
> I have three classes of users, I'm wondering if my privileges/groups setup
> is what RT intends.
>
>
>
> Class 1: Administrators. These three people can do anything.
>
> Class 2: People who log into RT and own and resolve tickets. Each is only
> going to be working with 1-3 queues out of 10-15 queues total.
>
> Class 3: People who create tickets via email and don't need to do anything
> but reply via email.
>
>
>
> Right now I'm thinking class 1 and class 2 should be "privileged" users,
> and be AdminCCs on the particular queues they are interested in. In
> addition, the three superusers will have, as a User Right, the "Super User"
> privilege.
>
>
>
> Class 3 won't be users which are seen via Configuration->Users. I still
> haven't figured out if they count as "Everybody" or "Unprivileged." I'd like
> them to be able to view any ticket (although I suspect they will rarely use
> such a power) so I'm giving them ShowTicket and ShowComment and a few other
> minor privileges.
>
>
>
> Does that sound about right?
>
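
An added example, not part of the original messages and not RT's own code: a simplified model of how rights granted to system groups, roles and user-defined groups combine, comparing the role-based layout suggested in the thread with a variant that also grants ShowTicket to Everyone. The users, the queue names (Helpdesk, Billing), the tickets and the evaluation rule itself are assumptions made for illustration.

```python
# Simplified model of RT rights evaluation (an assumption, not RT's own code):
# a user holds a right on a ticket when a principal they match has it granted
# globally or on the ticket's queue. Users, queues and tickets are constructed.
from collections import namedtuple

User = namedtuple("User", "name privileged groups")
Ticket = namedtuple("Ticket", "id queue roles")   # roles: role -> set of names

def principals(user, ticket):
    """System groups, user-defined groups and ticket roles the user matches."""
    found = {"Everyone"} | set(user.groups)
    if user.privileged:
        found.add("Privileged")
    return found | {r for r, names in ticket.roles.items() if user.name in names}

def has_right(grants, user, right, ticket):
    """grants holds (principal, scope, right); scope is 'global' or a queue."""
    mine = principals(user, ticket)
    return any(p in mine and s in ("global", ticket.queue)
               and r in (right, "SuperUser") for p, s, r in grants)

def visible(grants, user, tickets):
    """IDs of the tickets on which the user holds ShowTicket."""
    return sorted(t.id for t in tickets if has_right(grants, user, "ShowTicket", t))

# Role- and group-based layout along the lines suggested in the thread.
SCOPED = {
    ("Everyone", "global", "CreateTicket"), ("Everyone", "global", "ReplyToTicket"),
    ("Requestor", "global", "ShowTicket"), ("Cc", "global", "ShowTicket"),
    ("Owner", "global", "ShowTicket"), ("Owner", "global", "ModifyTicket"),
    ("Technical-Support", "Helpdesk", "ShowTicket"),
    ("SystemAdmin", "global", "SuperUser"),
}
# Same layout, but with ticket visibility also granted to Everyone.
BROAD = SCOPED | {("Everyone", "global", "ShowTicket")}

TICKETS = [
    Ticket(1, "Helpdesk", {"Requestor": {"alice"}, "Owner": {"tech"}}),
    Ticket(2, "Helpdesk", {"Requestor": {"bob"}}),
    Ticket(3, "Billing", {"Requestor": {"bob"}, "Cc": {"alice"}}),
]
alice = User("alice", False, set())                  # email-only requestor
tech = User("tech", True, {"Technical-Support"})     # staff on one queue
root = User("root", True, {"SystemAdmin"})           # administrator

if __name__ == "__main__":
    for label, grants in (("scoped", SCOPED), ("broad", BROAD)):
        for user in (alice, tech, root):
            print(label, user.name, visible(grants, user, TICKETS))
```

With the scoped grants the requestor sees only tickets where she holds a role and the support user is confined to the one queue; the broad variant makes every ticket visible to anyone who can sign in.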