Jack,
in that case, user test2 can't read test1's tickets at all! That was
not the point, right? The requirement was that only passwords were
hidden, if I understood correctly?
I guess the only technical solution if you want to solve it in OTRS is
to create a new kind of email communication which is 'secret' and
hidden for other customer users. This would involve quite a lot of
hacking and I would advise against it; see my earlier mail for my
proposed solutions.

Regards,
-- 
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl


2008/11/12 Jie(Jack) Zhu <[EMAIL PROTECTED]>:
> Hi Anton,
>
>
>
> Based on your case, I built up the following settings:
>
>
>
> 1.       Be understood the "User" in OTRS is actually Agent not Customer.
>
> 2.       Went to Sysconfig -> Frontend::Customer , enable
> "CustomerGroupSupport" and Delete the default value (Users, Info) from the
> "CustomerGroupAlwaysGroups". This way the customers are not longer in the
> same group unless you set up another common group for them.
>
> 3.       Created test1, test2 as 2 customers with same customer ID, created
> CustomerSubmit1, CustomerSubmit2 as 2 Queues. Created TestGroup1, TestGroup2
> as 2 test groups.
>
> 4.       Assigned test1 to TestGroup1 and has read and write rights,
> assigned test1 to TestGroup2 and has read rights only. Assigned test2 to
> TestGroup2 and has rights to read and write.
>
> 5.       Assigned test1 to queue CustomerSubmit1, assigned test2 to queue
> CustomerSubmit2.
>
> 6.       Now, user test2 can not read user test1's tickets, despite they are
> under the same CustomerID.
>
>
>
> Jack
>
>
>
> ________________________________
>
> From: Anton Gubar'kov [mailto:[EMAIL PROTECTED]
> Sent: 2008年11月11日 11:36 AM
> To: User questions and discussions about OTRS.
> Subject: Re: [otrs] company tickets access control
>
>
>
> Colleagues, I'm sorry for putting so much confusion into the case.
>
>  I'm an IT service provider for company Acme. I support Acme's ERP system.
>  My agents are trustworthy.
>  Acme has users Ann and Mallory. Ann is a financial controller. Mallory is
> salesman.
>  Mallory wants to hijack Ann's privilege to release credit blocked orders in
> Acme's ERP to satisfy his customer with credit block..
>  Mallory tries to login 5 times using Ann's user id and causes it to lock.
>  Mallory starts to watch Company tickets waiting for Ann to raise a password
> reset request with me.
>  Ann raises a password reset request.
> Mallory continues watching waiting for the new password to appear on Ann's
> ticket.
> Before Ann has a chance to change her new password, Mallory logs in as Ann
> and releases the blocked order.
>
>  I want to control an access to tickets from my customer's users. Can you
> suggest a way to resolve this case?
>
> 2008/11/11 Jie(Jack) Zhu <[EMAIL PROTECTED]>
>
> Sorry Anton, I do not quite understand what the point is.
>
>
>
> Suppose you have the rights to reset a password for a user. Don't you have
> the rights to do the search on this user and relatives?
>
> This is the problem you trust your agent or not.
>
>
>
> I think the access control is quite advanced in OTRS. You have Role and
> Group. You can create a role and put groups in it. Then add the role to the
> users.
>
>
>
> If you want, you can put different companies into different groups and only
> set the agent on the groups they are responsible to. This way could narrow
> down the risk?
>
> In this way, you even can set each user in each group. :)
>
>
>
> Regards,
>
> Jack
>
>
>
> ________________________________
>
> From: Anton Gubar'kov [mailto:[EMAIL PROTECTED]
> Sent: 2008年11月10日 14:41 PM
> To: User questions and discussions about OTRS.
> Subject: [otrs] company tickets access control
>
>
>
> Hello, list.
>
> I've come across a problem I can't overcome.
> Suppose I have a request to reset a password on some account for a user due
> to account locked or password forgotten. I thought I could communicate the
> new password to a user using external-email or external-note article. But it
> is really too dangerous to do that!
>
> The whole company tickets collection is searchable! I could find no way
> control access to the tickets in one CustomerID except one using queues. The
> queues are used for different purpose usually.
> The alternative is to quit using CustomerID and treat every  user as
> individual customer. This is not convenient either as some bosses at
> customers want to watch the requests of their subordinates.
>
> This is the simplest example that comes to mind. There is a lot more
> sensitive information circulating in the process of IT Service Delivery that
> should not be shared across entire customer.
>
> I would be grateful for suggestions to solve this security issue.
>
> Regards,
> Anton Gubarkov.
>
> _______________________________________________
> OTRS mailing list: otrs - Webpage: http://otrs.org/
> Archive: http://lists.otrs.org/pipermail/otrs
> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

Reply via email to