[rt-users] Ticket level permissions

Kevin Falcone falcone at bestpractical.com
Fri Jul 20 11:15:03 EDT 2012


On Fri, Jul 20, 2012 at 01:14:53PM +0530, Rajesh Kumar wrote:
>    Hi All,
> 
>    I'm new to RT and trying to make it work in the following manner -
> 
>    1. There should be only one queue called 'Support'. This is because we have too many clients
>    and is a management call...
> 
>    2. Multiple clients using the same queue to create tickets.
> 
>    3. No client should be able to access another client's tickets. Example - Client A should not
>    be able to access client B's tickets.
> 
>    And this is what I've done so far -
> 
>    1. Add a custom field 'Client' at user level.
> 
>    2. Create a group for each 'Client' and add all users belonging to the client to their
>    respective group.
> 
>    3. OnCreate scrip to add the group as 'Cc' to the ticket and grant 'ShowTicket' to the 'Cc'
>    role.
> 
>    This results in -
> 
>    1. User belonging to group A cannot see tickets raised by any user of group B on the 'Open
>    tickets' page. So the segregation works here.
> 
>    2. But if a user of group A searches for a ticket (by ticket number) he gets to see all the
>    ticket details, hence defeating the restriction we needed in place.

You've granted ShowTicket too widely; check your ACL configurations,
especially for Everyone and Unprivileged groups.

-kevin

>    Please take a look at the OnCreate script on [1]pastebin and help me understand what is wrong
>    with this approach.