[rt-users] questions about crontool user setup

Matt Zagrabelny mzagrabe at d.umn.edu
Thu Nov 17 12:31:16 EST 2016


On Thu, Nov 17, 2016 at 10:45 AM, Alex Hall <ahall at autodist.com> wrote:
> Hi list,
> I'm looking into email alerts for untouched tickets, and I thought of the
> crontool right away. In reading its Wiki page, I'm a little confused about
> setting up the user to run it. RT 4.4.1, Debian 8. Link I've been reading:
> https://rt-wiki.bestpractical.com/wiki/UseRtCrontool
>
> The page says to make an RT user *and* a Unix user.

Correct.

 If the tool runs on the
> server, though, where does the RT user come into it?

The RT is pertinent because while the shell account can execute
programs on the system, the RT database only knows of users that exist
in the database.

Thus, the crontool user (shell account) will change the status, or
comment, or correspond, or make any other txn, the RT system needs an
"actor" for that txn. So, you need to link the system (shell) account
and the RT (database) account.


 If I do need both a
> Unix and RT user, what do I enter into RT as the user's Unix login value?

We have an RT user named: rtcrontool. We also have a system (shell)
account with the same name.

In the modify page for the user, there is a "Unix login" field. Enter
your system (shell) account name there. It happens to be the same in
our situation, but it need not be.

> Can I just make my RT user part of the admin group, or should I *only* grant
> it the two rights the Wiki page mentions (view/modify tickets in all
> queues)?

We do not give the rtcrontool user admin rights.

Our rtcrontool user has the following rights:

comment on tickets
reply to tickets
view custom field values
view queue
view ticket summaries
modify custom field values
modify tickets
view scrip templates

It has been many years since we installed RT and our rtcrontool user
does many different things. That said, I'm not sure if all the above
rights are needed/correct for our environment.

 That is, do I need to grant specific user rights, because of
> security concerns surrounding making this user a full admin, or can I just
> make it an admin?

I would only grant what you need.

Thanks for any explanations.

-m



More information about the rt-users mailing list