Re: [rt-users] Group Rights

[Jeffrey Pilant]

Ron Yacketta writes:
>Are group rights Additive? We have a Group that contains other groups with
>certain granted rights, we would like to give one of the included groups
>the ability to mange users.
>
>Will RT grant all the rights allowed in the Containing group as well as
>those assigned directly to the group?

>From my brief inspection of code a while back, this is how I say it organized:
1) Every created user gets linked to a group newly created just for them.
2) Groups can only hold other groups.
3) This means that there does not need to be special code to determine if a 
group member is a group or a user.
4) Rights are additive.
5) Calculate as follows:
   A) Find the linked group of a member.
   B) Set rights to the rights of that group.
   C) For each group that this group is a member, do the following:
  i) Add the rights of this enclosing group
  ii) Recourse for all groups enclosing the enclosing group
6) Resulting rights is what that user has.
7) Perform similar calculations for user/queue or other combination

>From other tidbits left by the RT folks, making code to mask off rights is not 
>something they want to do, as it makes things much more complicated.

/jeff

The information contained in this e-mail is for the exclusive use of the 
intended recipient(s) and may be confidential, proprietary, and/or 
legally privileged.  Inadvertent disclosure of this message does not 
constitute a waiver of any privilege.  If you receive this message in 
error, please do not directly or indirectly use, print, copy, forward,
or disclose any part of this message.  Please also delete this e-mail 
and all copies and notify the sender.  Thank you. 

-
RT 4.4 and RTIR training sessions, and a new workshop day! 
https://bestpractical.com/training
* Los Angeles - Q1 2017

Re: [rt-users] Group Rights

[Reza]

Greetings Ron:

I'm relatively new with RT but have progressed a lot and have already 
incorporated it into a live production environment.


To my experience, the scenario of "Group Additives", as you put it, or 
assigning a "group" within a "group", is not necessarily the best 
business practice.


I like to keep things well organized and have separate groups for 
different unique permissions.


In theory your concept may work, but not advisable in my opinion, coming 
from a security perspective, in the name of keep things organized and 
secure.


Cheers!
Reza.


Ron Yacketta wrote on 10/27/2016 4:38 PM:

All,

Are group rights Additive? We have a Group that contains other groups 
with certain granted rights, we would like to give one of the included 
groups the ability to mange users.


Will RT grant all the rights allowed in the Containing group as well 
as those assigned directly to the group?




Regards,

Ron Yacketta


-
RT 4.4 and RTIR training sessions, and a new workshop day! 
https://bestpractical.com/training
* Los Angeles - Q1 2017


-
RT 4.4 and RTIR training sessions, and a new workshop day! 
https://bestpractical.com/training
* Los Angeles - Q1 2017

Re: [rt-users] Group rights

[Todd Wade]

On 10/20/15 6:45 AM, Kobus Bensch wrote:

I have now tried every setting possible. How do I give a group
permissions to see all the tickets in a particular queue, even if the
ticket owner has been changed to a person not in that group?


Theres no way to say "If a user is an owner of a ticket in the given 
queue, let them see all other tickets in the queue" if I'm reading your 
description correctly.


If you want all privileged users to be able to see tickets in the queue, 
grant the relevant rights to the SYSTEM group Privileged under the 
queue's group rights (Admin -> Queues -> Click Queue Name -> Group 
Rights) (/Admin/Queues/GroupRights.html?id=XXX).


If you want owners of tickets to see the tickets they own in the queue 
but not other tickets (which I think is a little different than what you 
describe above), then grant the relevant rights to the Owner role in the 
queue's group rights.

Re: [rt-users] Group rights

[Duncan McEwan]

On Tue, 20 Oct 2015 11:45:54 +0100
Kobus Bensch  wrote:


> I have now tried every setting possible. How do I give a group 
> permissions to see all the tickets in a particular queue, even if the 
> ticket owner has been changed to a person not in that group?

I may be misinterpreting what you want here, but this sounds like you just need
to grant the appropriate rights for that queue to that group and then also to
the owner role for that queue (so that owners who aren't members of the group
have the same rights).

So select the queue, click on "group rights", enter the group name into the
"Add Group" box and then enable the rights you want under the "General rights",
"Rights for Staff" and "Rights for Administrators" categories.

This is the way all our queues are set up but I did it quite a while ago so
exactly which rights are strictly needed to allow the above and which we have
added for other purposes I can't now recall...!  But I'd think you'd need at
least "View Queue" and "View Ticket Summaries" under "General Rights", as well
as "Modify Tickets", "Own Tickets", "Take Tickets", "View exact outgoing email
messages and their recipients" and "View ticket private commentary" under
"Rights for Staff".

 It's been a while since

Re: [rt-users] group rights do not work

[Glenn E. Sieb]

On 09/26/2012 02:32 PM, Tim Dunphy wrote:

Hello,

I am having a problem in getting and rt group to see it's queue and 
ticket and ONLY it's queue and tickets. I believe i have everything 
setup correctly in the interface, which leads me to believe I may be 
having a technical problem with my RT installation.


 I'll use screenshots primarily to describe the issue.

 I've created an RT user (in the RT system only) and when he logs in 
this is all he can see


He is a member of a group called MMTECH. Here is how the group rights 
are assigned.


I gave him these individual rightsAnd yet he can only see the 
interface shot in the first screenshot I include. I have no idea why 
and I very much need to correct this situation so that a new group can 
start using RT.


Again, they need to see their queue and tickets and ONLY their queue 
and tickets. If I give the user the Let this user be granted rights 
(Privileged) the members can see ALL queues and tickets which si not 
what we want.


PLEASE help as I really need to solve this problem.




Try adding group rights to *queues*... adding group rights to a group 
for a member only gives them rights to that group, not to any queue. You 
need to go to a queue and go to Group Rights in the *queue* and assign 
rights to the MMTECH group in that queue...


(Click Tools, Configuration, Queues, (Name of Group you want to add 
group rights to),  Group Rights, type in MMTECH in the Add Group area, 
and assign rights.)


Make sense?
Best,
--Glenn

--
Glenn E. Sieb
System Administrator
+1 201 809-4958

eFashionSolutions
80 Enterprise Avenue South
Secaucus, NJ 07094



Final RT training for 2012 in Atlanta, GA - October 23  24
 http://bestpractical.com/training

We're hiring! http://bestpractical.com/jobs

Re: [rt-users] group rights do not work

[Glenn E. Sieb]

On 09/26/2012 05:28 PM, Tim Dunphy wrote:

Hi Glenn,

 Thanks for your input. However no progress has been made tho I 
followed your advice to the letter.




Silly question..

Can you go to the mmtech *user* and click Memberships?

What's the output of that?

Best,
--Glenn

--
Glenn E. Sieb
System Administrator
+1 201 809-4958

eFashionSolutions
80 Enterprise Avenue South
Secaucus, NJ 07094



Final RT training for 2012 in Atlanta, GA - October 23  24
 http://bestpractical.com/training

We're hiring! http://bestpractical.com/jobs

Re: [rt-users] group rights

[Kenneth Crocker]

Tariq,


OR, you could also write a scrip that adds the other person of the 
group as a requestor and then set the privilege ShowTicket for 
Requestors only. You didn't say anything about owners, so I am 
assuming when you say his ticket, you meant the requestor. Hope this 
helps.


Kenn
LBNL

On 1/22/2009 8:22 AM, Todd Chapman wrote:
 Write a scrip that adds the user's group as an AdminCc on the ticket. 
 Then give the AdminCc role the proper rights.
 
 On Thu, Jan 22, 2009 at 11:19 AM, Tariq Doukkali 
 tariq.doukk...@autoform.de mailto:tariq.doukk...@autoform.de wrote:
 
 Hello,
 
  
 
 How can I configure I on RT?
 
  
 
 1.   I have 2 Groups (group1, group2)
 
 2.   Users:
 
 -  User_1_1 is member of group1
 
 -  User_1_2 is member of group 1
 
 -  User_2_1 is member of group2
 
 -  User_2_2 is member of group2
 
 3.   Queues:
 
 -  Queue1
 
  
 
 4.   Users of group1 as well as of group2 create ticket on queue1.
 
  
 
  
 
 How can I configure it, if user_1_1 login in, he can show only his
 Tickets and  tickets of user_1_2 (who is on the same group) but not
 tickets of User_2_1 or User_2_2.
 
  
 
 I am using RT 3.8.1
 
  
 
  
 
 Many thanks
 
  
 
 
 ___
 http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
 
 Community help: http://wiki.bestpractical.com
 Commercial support: sa...@bestpractical.com
 mailto:sa...@bestpractical.com
 
 
 Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
 Buy a copy at http://rtbook.bestpractical.com
 
 
 
 
 
 ___
 http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
 
 Community help: http://wiki.bestpractical.com
 Commercial support: sa...@bestpractical.com
 
 
 Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
 Buy a copy at http://rtbook.bestpractical.com

___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com


Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com

Re: [rt-users] Group Rights on System Groups Role Groups

[Jesse Vincent]

On Apr 24, 2007, at 12:01 PM, Stephen Turner wrote:


Hello all,

Something came up recently that I'm surprise I haven't noticed before.

In our RT system, we distribute queue administration to the  
business owners of the queues, and a queue admin recently reported  
that on the Group Rights screen for his queue, he could not see any  
groups listed under System Groups or Roles.


What this means is that he can't see the full picture of group  
access to his queue - for example he can't see that Everyone has  
CreateTicket in his queue.


Digging into the code shows me that the SeeGroup privilege controls  
what groups you see on the GroupRights page, and apparently nobody  
(except super users) have this privilege on the system groups or  
role groups. I presume this is the RT default, as we haven't  
fiddled with this.


So next I hunted for a config screen that would allow me to set  
access on these special groups, but I couldn't find one. I can hack  
the group-rights-on-a-group URL with the special group's IDs, but  
that doesn't feel quite kosher. I started wondering why this  
function was hidden, and if I'm causing problems for myself if I  
give SeeGroup on the Everyone, Privileged, AdminCc etc groups to  
all my privileged RT users.


Any thoughts or advice? Anyone encountered this before?


Yikes/Oops. I don't have a great answer for you. I suspect that these  
groups should be hardwired to be viewable by privileged users.






Thanks,
Steve


Stephen Turner
Senior Programmer/Analyst - Client Support Services
MIT Information Services and Technology (IST)


___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]


Discover RT's hidden secrets with RT Essentials from O'Reilly  
Media. Buy a copy at http://rtbook.bestpractical.com






PGP.sig
Description: This is a digitally signed message part
___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]


Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com