Hi,

We have been using RT for a few years. In our current RT setup (version 4.2.2), 
for every one of our customers we create a ticket queue and a user group. Then, 
in that user group, we grant rights for that specific queue to enable our 
customer users to: 'CreateTicket', 'ReplyToTicket', 'SeeQueue' and 
'ShowTicket'. Customer users belonging to these groups remain as unprivileged 
users. We have separate user groups for our own staff (staff users are 
privileged).
Our aim is mainly to prevent a group of customers having visibility of other 
customer groups' tickets and, also, easier management of scrips, etc.
Additionally - and this is important - we rely on the REST API to provide 
customers with ticket lists, searches and integration with some of our services 
through our web portal. As an effect of that, customers never get to interact 
with the RT GUI.

Now, what we would need to implement is a finer visibility configuration: 
More concretely, SOME of our customer users ('restricted' users) should ONLY be 
able to see those tickets in which they have the roles 'cc' or 'requestor'.
And at the same time, when they perform a search through the REST API, only the 
tickets for which they are requestor or cc should be returned (this one is 
important).

To do so, my approach was:
Whereas we now create one single group for every queue, create two groups 
instead: one with restricted rights and another with the rights we have 
usually been granting the users.
The 'restricted' user group would have no 'ShowTicket' right; as a result, 
their searches would return empty. But I guessed that, combined with having the 
'ShowTicket' right granted to the requestor and cc roles, this would enable 
users to see the tickets for which they are requestor/cc, and get ONLY these 
tickets returned on their searches through the REST API.

The problem is that, although I have tried quite a few tweaks around this in a 
devel env (configuring customer users as privileged, for instance), I cannot 
get this behavior to work.
The result is that, if I grant the 'ShowTicket' right to the 'restricted' user 
group, they see ALL the tickets in the queue; if I don't, they see none (same 
goes for ticket search results). For some reason, it's like it's ignoring the 
rights I had expected to be granted to the user via the roles 'requestor' and 
'cc' (as I already mentioned, these roles DO have the 'ShowTicket' right).
Indeed, I really feel I am missing something here.

In the meantime, I have also started to explore the possibility of having to 
add a custom right for this behavior. So, following the info I found on the RT 
wiki, I have already defined a 'SeeOwnTickets' right in the Queue_Local.pm file.
But in the scenario of having to solve this via that solution, I would really 
appreciate some guidance on which parts of the RT code I should add the auth 
for this to (considering our users only interact via the REST API).

I have already spent some time working on this; any help/guidance would be 
certainly appreciated.

Thanks in advance,
Oriol Soriano.
PS: Yes, I have read http://requesttracker.wikia.com/wiki/Rights and other 
areas of the wiki about this topic.
PS2: I have also searched for this on the user list. Although I did find some 
answers and tried a few suggestions, I was not able to fully get my desired 
config to work.



-- 
RT Training - Boston, September 9-10
http://bestpractical.com/training

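The post's REST-API requirement (searches by a restricted customer should return only tickets on which that customer is requestor or cc) is a server-side rights question that the message leaves open. Independently of how the queue/role rights end up configured, a portal that builds the REST 1.0 search on a customer's behalf can also scope the query it sends and re-check each ticket it renders. The following is an added example written for this page; it is not code from the original post, from Best Practical or from RT. It assumes RT's REST 1.0 interface at /REST/1.0/search/ticket with format=s returning "id: Subject" lines, a ticket/<id>/show body with "Requestors:" and "Cc:" fields on single lines, and a base URL of https://rt.example.com; the sample responses and addresses are constructed for the example. It complements, but does not replace, the rights the post is about: RT still decides what the server returns.

```python
"""Portal-side scoping of RT REST 1.0 ticket searches (added example, not
from the original post or from RT). Assumptions: REST 1.0 endpoint path and
response shapes as described in the lead-in; customer e-mail address is the
one RT knows the customer by."""
import re
import urllib.parse

# Allowlist validation instead of escaping: an address or queue name that does
# not match is rejected outright, so it can never reach the TicketSQL literal.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_QUEUE_RE = re.compile(r"^[A-Za-z0-9 _-]+$")


def build_scoped_query(email: str, queue: str) -> str:
    """TicketSQL restricting a search to one queue and to tickets on which the
    customer is a Requestor or Cc (field names as in RT's TicketSQL)."""
    if not _EMAIL_RE.match(email):
        raise ValueError(f"refusing to search for malformed address: {email!r}")
    if not _QUEUE_RE.match(queue):
        raise ValueError(f"refusing to search unexpected queue name: {queue!r}")
    return (f"Queue = '{queue}' AND "
            f"(Requestor.EmailAddress = '{email}' OR Cc.EmailAddress = '{email}')")


def search_url(rt_base: str, email: str, queue: str) -> str:
    """URL for the REST 1.0 search endpoint; format=s yields 'id: Subject' lines
    (assumed endpoint path and format parameter)."""
    params = {"query": build_scoped_query(email, queue), "format": "s"}
    return rt_base.rstrip("/") + "/REST/1.0/search/ticket?" + urllib.parse.urlencode(params)


def parse_search_results(body: str) -> list[tuple[int, str]]:
    """Parse a format=s body: 'RT/<ver> 200 Ok', blank line, then 'id: Subject'
    lines. 'No matching results.' simply produces an empty list."""
    lines = body.splitlines()
    if not lines or not re.match(r"^RT/\S+ 200 Ok", lines[0]):
        raise RuntimeError(f"unexpected RT response start: {lines[:1]}")
    results = []
    for line in lines[1:]:
        m = re.match(r"^(\d+): (.*)$", line)
        if m:
            results.append((int(m.group(1)), m.group(2)))
    return results


def is_requestor_or_cc(show_body: str, email: str) -> bool:
    """Per-ticket check on a 'ticket/<id>/show' body before the portal renders
    it: the customer must be listed under Requestors: or Cc: (single-line
    fields assumed; AdminCc is deliberately not accepted)."""
    watchers = set()
    for line in show_body.splitlines():
        m = re.match(r"^(Requestors|Cc): (.*)$", line)
        if m:
            watchers.update(a.strip().lower() for a in m.group(2).split(",") if a.strip())
    return email.lower() in watchers


# Constructed sample responses in the REST 1.0 shape assumed above.
SAMPLE_SEARCH = "RT/4.2.2 200 Ok\n\n123: Printer offline\n457: VPN access request\n"
SAMPLE_EMPTY = "RT/4.2.2 200 Ok\n\nNo matching results.\n"
SAMPLE_SHOW = (
    "RT/4.2.2 200 Ok\n\nid: ticket/123\nQueue: Acme\nOwner: Nobody\n"
    "Subject: Printer offline\nStatus: new\nRequestors: alice@example.com\n"
    "Cc: bob@example.com, Carol@Example.com\nAdminCc: staff@example.com\n"
)

if __name__ == "__main__":
    print(search_url("https://rt.example.com", "alice@example.com", "Acme"))
    for ticket_id, subject in parse_search_results(SAMPLE_SEARCH):
        print(ticket_id, subject)
    print(is_requestor_or_cc(SAMPLE_SHOW, "carol@example.com"))
```

The allowlist on the address is what keeps a customer-supplied value from closing the TicketSQL string literal and widening the search; the per-ticket `is_requestor_or_cc` check guards the case where a search (or a direct ticket/<id>/show by id) returns something the scoped query would not have.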