[rt-users] Refine users ticket visibility: view only OWN tickets

Oriol Soriano oriol.soriano at capside.com
Tue Aug 19 10:46:41 EDT 2014


Hi,

We have been using RT for a few years. In our current RT setup (version 4.2.2), for every one of our customers we create a ticket queue and a user group. Then, in that user group, we grant rights for that specific queue to enable our customer users to: 'CreateTicket', 'ReplyToTicket', 'SeeQueue' and 'ShowTicket'. Customer users belonging to these groups remain as unprivileged users. We have separate user groups for our own staff (staff users are privileged).
Our aim is mainly to prevent a group of customers having visibility of other customer groups tickets and, also, for easier management of scrips, etc .
Additionally - and this is important -, we rely on the REST API to provide customers with ticket lists, searches and integration with some of our services through our web portal. As an effect of that, customers never get to interact with the RT gui.

Now, what we would need to implement is a more fine visibility configuration: More concretely, SOME of our customer users ('restricted' users) should ONLY be able to see those tickets in which they have the roles 'cc' or 'requestor'.
And at the same time, when they perform a search through the REST API, only the tickets for which they are requestor or cc should be returned (this one is important).

To do so, my approach was:
While now we create one single group for every queue, create two groups instead: one with restricted rights and another with the rights we have been usually granting the users with.
The 'restricted' user group would have no 'ShowTicket' right; as a result, their searches would return empty. But, that combined with having the right 'ShowTicket' granted to the requestor and cc roles, I guessed that would enable users to see the tickets for which they are requestor/cc, and get ONLY these tickets returned on their searches through REST API.

The problem is that, although I have tried quite a few tweaks around this on devel env (configuring customer users as privileged, for instance), I cannot get this behavior to work.
The result is that, if I grant 'ShowTicket' right to the 'restricted' user group, they see ALL the tickets in the queue; if I don't, they see none (same goes for ticket search results). For some reason, its like its ignoring the rights I had expected to be granted to the user via the roles 'requestor' and 'cc' (as I already mentioned, these roles DO have 'ShowTicket' right).
Indeed, I really feel to be missing something here.

In the mean time, I have also started to explore the possibility of having to add a custom right for this behavior. So following the info I found at the RT wiki, I have already defined a 'SeeOwnTickets' right in the Queue_Local.pm file.
But in the scenario of having to solve this via this solution, I would really appreciate some guidance on in which parts of RT code should I add the auth for this (considering our users only interact via the REST API).

I have already spent some time working on this; any help/guidance would be certainly appreciated.

Thanks in advance,
Oriol Soriano.
PS: Yes, I have read http://requesttracker.wikia.com/wiki/Rights  and other areas of the wiki about this topic
PS2: I have also searched for this on the user list. Although I did find some answers and tried a few suggestions, I was not able to fully get my desired config to work.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20140819/ee082ab3/attachment.htm>


More information about the rt-users mailing list