Re: [rt-users] limit ticket list display on requestor login
Giuseppe,

Thanks a bunch. Now that I KNOW how to spell it, I'll never need to use it again. LOL!

Kenn
LBNL

On Thu, Jun 16, 2011 at 1:39 AM, Giuseppe Sollazzo gsoll...@sgul.ac.uk wrote:

> Hi Kenneth,
>
> thanks for the clarification - much appreciated. The way privileges work is more similar to CSS than Data Base permissions, I would say. Which makes perfect sense in this kind of context, as it simplifies greatly the work of admins.
>
> We are a much smaller institution than you are I guess, so our Queues are limited in number luckily. Still the hierarchical approach makes it very easy.
>
> I think this e-mail conversation would make a perfect example for beginners on the wiki.
>
> And btw, all native British English speakers agree on your spelling of 'Hierarchical' :-P
>
> Many thanks,
> Giuseppe
>
> On 15/06/11 18:08, Kenneth Crocker wrote:
>
> > Giuseppe,
> >
> > You said,
> >
> > > Basically, the way I interpret this means that if I want my users to be able to create tickets via the web interface, I need to provide them with both CreateTicket and SeeQueue. As a side effect, privileged users couldn't be prevented from seeing a list of other people's tickets (albeit not in details) in that queue if I want them to be able to create tickets in that same queue. Is my interpretation of what you write correct? It seems it's missing the effect of ShowTicket, which allows the grantee to see the list of tickets.
> >
> > Yes, that is correct. You CAN, however, modify your configuration (/opt/rt3/etc/RT_SiteConfig.pm) to autocreate as UnPrivileged. The changes you made looked good, by the way.
> >
> > It's important to understand that *PRIVILEGES CANNOT BE PROHIBITED, ONLY GRANTED*. That means that if I grant a right GLOBALLY, then anything I do for that right at any lower level is *ignored*. *I've already granted that right GLOBALLY*. Rights are HIERARCHICAL (I *REALLY* need to find out how to spell that word correctly ;-).
> >
> > To further understand privileges, let me give you this example: I have over 100 Queues, so I don't want everyone to have such a huge drop-down list, so I grant SeeQueue to a User-defined group named -Users (where is the Queue name) at the Queue level. Also, I don't want just anyone to be able to create tickets in this particular Queue so I grant CreateTicket to the same Group at the Queue level. I do NOT grant Create Ticket ANYWHERE Globally because that would *override* what I wanted at the Queue level FOR THAT RIGHT and allow others to be able to create tickets in this particular Queue, regardless of what I granted at the Queue level.
> >
> > I want my Requestors to see only their ticket, so I grant ShowTicket to the Requestor role at the Queue level. Also, I want those same users (-Users) to be able to update a specific Custom Field (called Need-By Date) in these tickets so under Config->Custom Fields->(select CF)->Group Rights I grant SeeCustomField and ModifyCustomField to that group.
> >
> > Now, anyone in that group can see this Queue (on the WebUI), create a ticket (either on the WebUI or Email), See basic metadata in this ticket (except comments because I didn't grant that right) AND be able to see AND update the value in the CF Need-By Date.
> >
> > I actually have some Custom Fields that I update with values (using scrips) that I use for other functions (like searches and Dashboards, etc) and NO ONE in the system, except a SuperUser can see those CF's or Modify them in ANY ticket.
> >
> > This is the kind of flexibility BP has designed into RT. I've always said that everything has a cost. Well, the cost of flexibility is complexity. Some stuff in RT CAN be tough to grasp at first. But once you SEE it, it makes perfect sense.
> >
> > I hope this helps. Let me know if I can be of further assistance.
> >
> > Kenn
> > LBNL
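Added example (not part of the original thread, and not RT's code): a small Python model of the rule Kenneth describes above, that rights are only ever granted, so a grant at either level is enough and a global grant cannot be narrowed at the queue level. The Grant/User/Ticket classes, the group names "G" and "Q-Users" and the sample tickets are constructed for illustration; only the Everyone group and the Requestor role are modelled.

```python
# Added illustration: a simplified model of the additive rights rules described
# in this thread. It is not RT's implementation; all names are hypothetical.
from dataclasses import dataclass, field

GLOBAL = "*"  # scope of a grant made at the global level


@dataclass(frozen=True)
class Grant:
    scope: str      # GLOBAL or a queue name
    kind: str       # "group" or "role"
    principal: str  # group name, or a role name such as "Requestor"
    right: str      # e.g. "ShowTicket", "CreateTicket", "SeeQueue"


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


@dataclass
class Ticket:
    id: int
    queue: str
    requestors: set = field(default_factory=set)


def matching_grants(grants, user, right, queue, ticket=None):
    """Return every grant that gives `user` this right on `queue`.

    There is no deny rule: a single match at either level is sufficient,
    so a global grant cannot be taken back at the queue level.
    """
    hits = []
    for g in grants:
        if g.right != right or g.scope not in (GLOBAL, queue):
            continue
        if g.kind == "group":
            if g.principal == "Everyone" or g.principal in user.groups:
                hits.append(g)
        elif g.kind == "role" and ticket is not None:
            # Role grants apply per ticket; only Requestor is modelled here.
            if g.principal == "Requestor" and user.name in ticket.requestors:
                hits.append(g)
    return hits


def visible_tickets(grants, user, tickets):
    """IDs of the tickets on which the user holds ShowTicket."""
    return [t.id for t in tickets
            if matching_grants(grants, user, "ShowTicket", t.queue, t)]


def shadowed_queue_grants(grants):
    """Audit helper: queue-level group grants that restrict nothing because
    the same right is already granted globally to Everyone or to that group."""
    pairs = []
    for q in grants:
        if q.scope == GLOBAL or q.kind != "group":
            continue
        for g in grants:
            if (g.scope == GLOBAL and g.kind == "group" and g.right == q.right
                    and g.principal in ("Everyone", q.principal)):
                pairs.append((q, g))
    return pairs


# Constructed sample data: two requestors with one ticket each in queue "Q".
TICKETS = [Ticket(1, "Q", {"alice"}), Ticket(2, "Q", {"bob"})]
ALICE = User("alice", groups={"G"})

# The layout Giuseppe reports as working.
WORKING = [
    Grant(GLOBAL, "role", "Requestor", "ShowTicket"),
    Grant("Q", "group", "Everyone", "CreateTicket"),
    Grant("Q", "group", "Everyone", "SeeQueue"),
]
# The earlier layout: group G also holds ShowTicket on the queue itself.
LEAKY = WORKING + [Grant("Q", "group", "G", "ShowTicket")]

if __name__ == "__main__":
    print("working:", visible_tickets(WORKING, ALICE, TICKETS))
    print("leaky:  ", visible_tickets(LEAKY, ALICE, TICKETS))
    for g in matching_grants(LEAKY, ALICE, "ShowTicket", "Q", TICKETS[1]):
        print("ticket 2 is visible to alice because of:", g)
```

Running `matching_grants` for a ticket a user should not see names the grant responsible, which is the quickest way to find the "global rights getting in the way" kind of problem discussed in this thread.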
Re: [rt-users] limit ticket list display on requestor login
Hi Kenneth,

that helped a lot, thanks. Pitching is a good idea, although us Europeans don't get baseball too much ;-)

I managed to get things working as suggested by you:

Global - Roles
    Requestor: ShowTicket
Queue X - System
    Everyone: CreateTicket SeeQueue

with this I get exactly what I'm after: users can see their own tickets only, unless they are given more permissions.

However, just a clarification. At some point you write:

> CreateTicket - This right has NOTHING to do with seeing it, modifying it, etc. It just means that RT will let someone CREATE it. That's it. However, because you might want to know who created it as well as who wants the work done, RT keeps track of the creator AND the Requestor. They are not always the same. I could easily grant CreateTicket to everyone and if I didn't grant ShowTicket to anyone, no one would see it except the user with SuperUser rights.
>
> SeeQueue - This means you can see a Queue (all if granted Globally) in the Drop-down list of Queues when wanting to create/look at a ticket. If I grant SeeQueue and do not grant CreateTicket you will see there are xx numbers of ticket in a Queue but not be able to create a ticket there.

Basically, the way I interpret this means that if I want my users to be able to create tickets via the web interface, I need to provide them with both CreateTicket and SeeQueue. As a side effect, privileged users couldn't be prevented from seeing a list of other people's tickets (albeit not in details) in that queue if I want them to be able to create tickets in that same queue.

Is my interpretation of what you write correct? It seems it's missing the effect of ShowTicket, which allows the grantee to see the list of tickets.

A couple of improvements that would be great to have in future are

- bulk update of users (e.g. I imported all users as privileged, it turns out I wanted them unprivileged, I wish I could do it from within the interface rather than by scripting).
- customising RT at a glance made simpler - I know you can create dashboards, still it seems not that flexible?

Thanks again for your kind help and accurate explanation.

Best regards,
Giuseppe

--
Giuseppe Sollazzo
Senior Systems Analyst
Computing Services
Information Services
St. George's, University Of London
Cranmer Terrace
London SW17 0RE
Email: gsoll...@sgul.ac.uk
Direct Dial: +44 20 8725 5160
Fax: +44 20 8725 3583
Re: [rt-users] limit ticket list display on requestor login
On Wed, Jun 15, 2011 at 09:56:02AM +0100, Giuseppe Sollazzo wrote:
> - customising RT at a glance made simpler - I know you can create dashboards, still it seems not that flexible?

As a SuperUser, Configuration - Global - RT at a Glance

-kevin
Re: [rt-users] limit ticket list display on requestor login
Giuseppe,

I will not give the Everyone group rights other than Create Ticket and ReplyToTicket (and this is only to get the email side of things working properly). I also would not give any rights to the Unprivileged group.

For your purposes I would suggest you give the Requestor Role rights to ShowTicket/ModifyTicket/ReplyToTicket, and if your requestors are Unprivileged then their login will redirect them to the SelfService portal which is restricted.

Hope that helps;
Regards;
Roy

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Giuseppe Sollazzo
Sent: 10 June 2011 10:43
To: rt-users@lists.bestpractical.com
Subject: [rt-users] limit ticket list display on requestor login

Hi,

I guess I'm not getting this right. I'd like that a user, upon login, were able to only see the tickets for which they are a requestor (in a given queue).

Let's say I have a group G and a queue Q. If rights for G on Q are Create tickets and View queue obviously they see all tickets in the queue, whereas Create tickets alone does not allow them to see any ticket. To keep things tidy, I've also given the same rights to Everyone, Privileged, Unprivileged.

Is what I want to do feasible with just permissions management?

Thanks,
Giuseppe
Re: [rt-users] limit ticket list display on requestor login
Uhm... it seems not to behave like I would like to.

Basically I have a privileged user U that is part of group G. On queue Q group G has right to show/modify/reply, whereas the system privileged group does not have any right on the queue. Also, on queue Q role Requestor has right to show/modify/reply, whereas the system privileged group does not have any right on the queue.

Still, U can see all tickets in queue Q, even those he's not a requestor for.

So I'm still looking for a way to hide tickets for which a user in the group G is not a requestor for from the dashboard, if that's at all possible :)

G
Re: [rt-users] limit ticket list display on requestor login
On Fri, Jun 10, 2011 at 01:45:55PM +0100, Giuseppe Sollazzo wrote:
> Uhm... it seems not to behave like I would like to.
>
> Basically I have a privileged user U that is part of group G. On queue Q group G has right to show/modify/reply, whereas the system privileged group does not have any right on the queue. Also, on queue Q role Requestor has right to show/modify/reply, whereas the system privileged group does not have any right on the queue.
>
> Still, U can see all tickets in queue Q, even those he's not a requestor for.
>
> So I'm still looking for a way to hide tickets for which a user in the group G is not a requestor for from the dashboard, if that's at all possible :)

Sounds like you have some global rights getting in the way.

-kevin
Re: [rt-users] limit ticket list display on requestor login
Hi Kevin,

that was my first thought - however in global group rights all checkboxes in general/staff/admin rights are unticked for System, Roles, and for the given user group. Or is it maybe how I should manage this, by adding show ticket to the global one?

Just in case I have explained myself improperly, what I'm trying to achieve is that users in the G group are shown in the dashboard a list of tickets in the queue Q for which they are requestors; such list should exclude tickets in the same queue for which they are not requestors.

Thanks,
G
Re: [rt-users] limit ticket list display on requestor login
The first question, Giuseppe, is user U privileged or not?

If not then by default he should have been redirected to SelfService/index.html, which again by default should only display /SelfService/Elements/MyRequests

If he is privileged (then I would ask why? -- because according to what you need below he does not need to be privileged), if he has to be privileged then you may have to do some coding ..

I do think there is a limitation in RT, you should need to give the SeeQueue permission to be able to see it in the dropdown? I would have thought the CreateTicket permission should be enough.

As I suggested, making user U unprivileged is the easiest solution.

Good luck
Roy

-----Original Message-----
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Giuseppe Sollazzo
Sent: 10 June 2011 14:15
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] limit ticket list display on requestor login

Hi Kevin,

that was my first thought - however in global group rights all checkboxes in general/staff/admin rights are unticked for System, Roles, and for the given user group. Or is it maybe how I should manage this, by adding show ticket to the global one?

Just in case I have explained myself improperly, what I'm trying to achieve is that users in the G group are shown in the dashboard a list of tickets in the queue Q for which they are requestors; such list should exclude tickets in the same queue for which they are not requestors.

Thanks,
G
Re: [rt-users] limit ticket list display on requestor login
Sorry Giuseppe, I don't have much knowledge of the LDAP plugin.

Under normal circumstances (i.e. RT auth), I would write a script to go through the users that need changing and set Privileged to 0:

    # Assumes RT is already loaded and initialised, and that
    # @my_users_to_change holds the names or ids of the users to demote.
    foreach my $MyUserId (@my_users_to_change) {
        my $u = RT::User->new(RT->SystemUser);
        my ($id, $msg) = $u->Load($MyUserId);
        if ($id) {
            # SetPrivileged(0) moves the user to the Unprivileged group.
            my ($ok, $err) = $u->SetPrivileged(0);
            warn "Could not update $MyUserId: $err\n" unless $ok;
        }
    }

Regards;
Roy

-----Original Message-----
From: Giuseppe Sollazzo [mailto:gsoll...@sgul.ac.uk]
Sent: 10 June 2011 15:33
To: Raed El-Hames
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] limit ticket list display on requestor login

Hi Raed,

thanks a lot as that explains it. This user is Privileged. Removing the privilege everything works as expected.

What puzzles me is the relationship between system groups and user defined groups. I would have expected to have the possibility of limiting permissions to Privileged users in a group rather than having them as Unprivileged. But never mind :-)

Now the problem I have is that all my imported users are Privileged, and reimporting them does not seem to change this (even with $LDAPUpdateUsers=1). Do you reckon there's a way to bulk update users and make them Unprivileged?

Thanks,
Giuseppe
Re: [rt-users] limit ticket list display on requestor login
Hi Raed,

thanks for your very kind help. I was hoping for the capability of running bulk operations on users to be added to the user interface at some point :-)

G