Colleagues, I'm sorry for putting so much confusion into the case. I'm an IT service provider for company Acme. I support Acme's ERP system. My agents are trustworthy. Acme has users Ann and Mallory. Ann is a financial controller. Mallory is salesman. Mallory wants to hijack Ann's privilege to release credit blocked orders in Acme's ERP to satisfy his customer with credit block.. Mallory tries to login 5 times using Ann's user id and causes it to lock. Mallory starts to watch Company tickets waiting for Ann to raise a password reset request with me. Ann raises a password reset request. Mallory continues watching waiting for the new password to appear on Ann's ticket. Before Ann has a chance to change her new password, Mallory logs in as Ann and releases the blocked order.
I want to control an access to tickets from my customer's users. Can you suggest a way to resolve this case? 2008/11/11 Jie(Jack) Zhu <[EMAIL PROTECTED]> > Sorry Anton, I do not quite understand what the point is. > > > > Suppose you have the rights to reset a password for a user. Don't you have > the rights to do the search on this user and relatives? > > This is the problem you trust your agent or not. > > > > I think the access control is quite advanced in OTRS. You have Role and > Group. You can create a role and put groups in it. Then add the role to the > users. > > > > If you want, you can put different companies into different groups and only > set the agent on the groups they are responsible to. This way could narrow > down the risk? > > In this way, you even can set each user in each group. :) > > > > Regards, > > Jack > > > ------------------------------ > > *From:* Anton Gubar'kov [mailto:[EMAIL PROTECTED] > *Sent:* 2008年11月10日 14:41 PM > *To:* User questions and discussions about OTRS. > *Subject:* [otrs] company tickets access control > > > > Hello, list. > > I've come across a problem I can't overcome. > Suppose I have a request to reset a password on some account for a user due > to account locked or password forgotten. I thought I could communicate the > new password to a user using external-email or external-note article. But it > is really too dangerous to do that! > > The whole company tickets collection is searchable! I could find no way > control access to the tickets in one CustomerID except one using queues. The > queues are used for different purpose usually. > The alternative is to quit using CustomerID and treat every user as > individual customer. This is not convenient either as some bosses at > customers want to watch the requests of their subordinates. > > This is the simplest example that comes to mind. There is a lot more > sensitive information circulating in the process of IT Service Delivery that > should not be shared across entire customer. > > I would be grateful for suggestions to solve this security issue. > > Regards, > Anton Gubarkov. > > _______________________________________________ > OTRS mailing list: otrs - Webpage: http://otrs.org/ > Archive: http://lists.otrs.org/pipermail/otrs > To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs >
_______________________________________________ OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
