Re: [rt-users] Handful of users showing up in owner dropdown but have no access
On Wed, Oct 15, 2014 at 11:56:38AM -0400, Mike Johnson wrote:
> I did that query and it returned 26 rows.
> All of the returned rows say the PrincipalType is Group, which I would assume
> means the 'OwnTicket' right is not granted to a specific user anywhere in RT.

Nope, every user in RT has a group for ACLs, it's in fact called an ACL Equivalence Group. You should look at the Object* columns and also chase out to the actual Principals for those PrincipalIds (you may need to get a group and then get its member and then get the user for ACL Equivalence Groups).

> With this information I did some more investigating to understand the symptom
> better. It looks like these users only show up in the owner dropdown of Queues
> that existed prior to our upgrade from 3.2.1 -> 3.8.10.

Most of those changes were related to Custom Fields, not Ownership, however it's possible you have some old configurations on a disabled queue from your 3.2 days that has been forgotten.

-kevin

--
RT Training November 4 & 5 Los Angeles
http://bestpractical.com/training
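The chase described in the reply above (ACL row, then the granted group, then its members, then the user, with the Object* columns resolved to a queue), as an added example that is not part of the original thread or of RT itself. It runs against an in-memory SQLite stand-in; the tables and columns beyond those named in the thread (Groups, GroupMembers, Queues, Domain, Type, Instance, Disabled) are assumptions to check against your own RT schema, all rows are constructed, and only direct group membership is followed.

```python
import sqlite3
# Cut-down stand-in for the RT tables involved. Column subset is an assumption
# to check against your RT version; every row is constructed sample data.
SCHEMA = """
CREATE TABLE Users (id INTEGER, Name TEXT);
CREATE TABLE Groups (id INTEGER, Domain TEXT, Type TEXT, Instance INTEGER);
CREATE TABLE GroupMembers (GroupId INTEGER, MemberId INTEGER);
CREATE TABLE Queues (id INTEGER, Name TEXT, Disabled INTEGER);
CREATE TABLE ACL (id INTEGER, PrincipalType TEXT, PrincipalId INTEGER,
                  RightName TEXT, ObjectType TEXT, ObjectId INTEGER);
INSERT INTO Users VALUES (101,'alice'),(102,'bob'),(103,'carol');
INSERT INTO Groups VALUES
  (4,'SystemInternal','Unprivileged',0),   -- all unprivileged users
  (50,'UserDefined','',0),                 -- an ordinary staff group
  (201,'ACLEquivalence','UserEquiv',101);  -- alice's per-user ACL group
INSERT INTO GroupMembers VALUES (4,102),(4,103),(50,101),(201,101);
INSERT INTO Queues VALUES (1,'General',0),(7,'OldSupport',1);
INSERT INTO ACL VALUES
  (1,'Group',50,'OwnTicket','RT::Queue',1),
  (2,'Group',201,'OwnTicket','RT::Queue',1),
  (3,'Group',4,'OwnTicket','RT::Queue',7),   -- grant on a disabled queue
  (4,'Group',50,'ShowTicket','RT::Queue',1);
"""

# ACL row -> granted group -> direct members -> user, plus the granting queue.
QUERY = """
SELECT a.id, a.ObjectType, q.Name, q.Disabled, g.Domain, g.Type, u.Name
FROM ACL a
JOIN Groups g            ON g.id = a.PrincipalId
LEFT JOIN Queues q       ON a.ObjectType = 'RT::Queue' AND q.id = a.ObjectId
LEFT JOIN GroupMembers m ON m.GroupId = g.id
LEFT JOIN Users u        ON u.id = m.MemberId
WHERE a.RightName = ? AND a.PrincipalType = 'Group'
ORDER BY a.id, u.Name
"""
KEYS = ("ace", "object_type", "queue", "queue_disabled", "domain", "group_type", "user")

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def who_holds(right, conn):
    """One dict per (ACL row, user) pair for the given right."""
    return [dict(zip(KEYS, row)) for row in conn.execute(QUERY, (right,))]

def unprivileged_grants(right, conn):
    """Rows where the right reaches users through the Unprivileged group."""
    return [r for r in who_holds(right, conn) if r["group_type"] == "Unprivileged"]
```

In the sample data the two users who hold OwnTicket without any visible personal grant are reached only through the Unprivileged group's grant on the disabled queue.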
Re: [rt-users] Handful of users showing up in owner dropdown but have no access
I did that query and it returned 26 rows.

All of the returned rows say the PrincipalType is Group, which I would assume means the 'OwnTicket' right is not granted to a specific user anywhere in RT.

I didn't want to make that assumption, just in case it was incorrect, so I took a look at the data schema for 3.8.10, which I believe is here: http://bestpractical.com/rt/3.4-schema.png

(note** My SQL skills are extremely rusty... been working in a Unidata database for 13-14 yrs)

It looks like ACL.PrincipalId is a foreign key to Principals, and id is the primary key for Principals and Users?

With that scenario, I ran a query linking them all together and attempting to return user info for any of the 26 rows from the original query. No user info is returned for any of them (query used below)

mysql> select p.id,p.PrincipalType,u.Name,u.EmailAddress,u.RealName
    -> from Principals p
    -> left join ACL a on a.PrincipalId = p.id
    -> left join Users u on u.id = p.id
    -> where a.RightName='OwnTicket';

Just for a wild attempt at getting what I was expecting based on Kevin's response (I wanted to see 5 users that had the 'OwnTicket' right) I tried switching to ACL.id as a foreign key. It returned only 9 rows, only 2 of which were users, but neither were the users that are showing up in the Owner dropdown that shouldn't be. I believe this was just chance, garbage data, as I believe the first query showed the real results, but I was fishing...

With this information I did some more investigating to understand the symptom better. It looks like these users only show up in the owner dropdown of Queues that existed prior to our upgrade from 3.2.1 -> 3.8.10.

Could there have been something missed in this upgrade?

Thanks!
Mike.

On Tue, Oct 14, 2014 at 12:56 PM, Kevin Falcone wrote:
> On Fri, Oct 10, 2014 at 01:47:59PM -0400, Mike Johnson wrote:
> > I look at the list of owners for a queue, and there are 5 users that show up in
> > that list (that shouldn't be there), but when I go to their account, they aren't
> > part of any groups, and they don't have any rights assigned to them
> > specifically that I can see (at the user level, or at any queue level).
>
> Generally this means some queue granted OwnTicket to Unprivileged,
> check all your queues, even your disabled ones. Alternately, select *
> from ACL where RightName = 'OwnTicket' and work the other way.
>
> RT 4.2 explicitly excludes Unprivileged users from the OwnTicket
> dropdown because of this somewhat common mistake.
>
> -kevin

--
Mike Johnson
Datatel Programmer/Analyst
Northern Ontario School of Medicine
955 Oliver Road
Thunder Bay, ON P7B 5E1
Phone: (807) 766-7331
Email: mike.john...@nosm.ca
Re: [rt-users] Handful of users showing up in owner dropdown but have no access
On Fri, Oct 10, 2014 at 01:47:59PM -0400, Mike Johnson wrote:
> I look at the list of owners for a queue, and there are 5 users that show up in
> that list (that shouldn't be there), but when I go to their account, they aren't
> part of any groups, and they don't have any rights assigned to them
> specifically that I can see (at the user level, or at any queue level).

Generally this means some queue granted OwnTicket to Unprivileged, check all your queues, even your disabled ones. Alternately, select * from ACL where RightName = 'OwnTicket' and work the other way.

RT 4.2 explicitly excludes Unprivileged users from the OwnTicket dropdown because of this somewhat common mistake.

-kevin
[rt-users] Handful of users showing up in owner dropdown but have no access
I'm misunderstanding something with this I'm sure...

I look at the list of owners for a queue, and there are 5 users that show up in that list (that shouldn't be there), but when I go to their account, they aren't part of any groups, and they don't have any rights assigned to them specifically that I can see (at the user level, or at any queue level).

It seems that I can deselect "Let this user access RT" ("Let this user be granted rights (Privileged)" on them all are deselected already) and they drop from the list, but these users need to submit tickets still. They simply have moved in the organization to requestors only, not having access to RT for anything else.

What am I missing?

RT 3.8.10.

Thanks in advance!
Mike.