Re: [rt-users] General permissions question

2010-10-25 Thread Ruslan Zakirov 
On Fri, Oct 22, 2010 at 5:34 PM, Josh Narins wrote:

>  I have three classes of users, I'm wondering if my privileges/groups
> setup is what RT intends.
>
>
>
> Class 1: Administrators. These three people can do anything.
>
>
Put them in the group.


> Class 2: People who log into RT and own and resolve tickets. Each is only
> going to be working with 1-3 queues out of 10-15 queues total.
>

Not sure how you split things into queues, but if you can organize some
groups that union people that work on particular set of groups then go for
it.

Using groups makes it easier to re-assign people or promote them. A user can
be in several groups and inherit rights from all of them.

Use roles for as much as possible. Usually granting rights via roles even on
global level helps you avoid granting them directly to groups.


> Class 3: People who create tickets via email and don't need to do anything
> but reply via email.
>
>
>
> Right now I'm thinking class 1 and class 2 should be "privileged" users,
> and by AdminCCs on the particular queues they are interested in. In
> addition, the three superusers will have, as a User Right, the "Super User"
> privilege.
>

Anyway use subgroups. If you grand to many rights on top level then some of
people got overwhelmed with ammount of access they have, but don't need.


> Class 3 won't be users which are seen via Configuration->Users. I still
> haven't figured out if they count as "Everybody" or "Unprivileged." I'd like
> them to be able to view any ticket (although I suspect they will rarely use
> such a power) so I'm giving them ShowTicket and ShowComment and a few other
> minor privileges.
>

ShowTicket is enough to see replies, but RT has comments as well. Comments
are protected by ShowComment right and often used for internal dialogs right
in a ticket between privileged users.


> Does that sound about right?
>
>
> *Josh Narins*
>
> Director of Application Development
> SeniorBridge
> 845 Third Ave
> 7th Floor
> New York, NY 10022
> Tel: (212) 994-6194
> Fax: (212) 994-4260
> Mobile: (917) 488-6248
> jnar...@seniorbridge.com
> seniorbridge.com 
>
> [image: SeniorBridge]
>
> --
> *SeniorBridge Statement of Confidentiality:* The contents of this email
> message are intended for the exclusive use of the addressee(s) and may
> contain confidential or privileged information. Any dissemination,
> distribution or copying of this email by an unintended or mistaken recipient
> is strictly prohibited. In said event, kindly reply to the sender and
> destroy all entries of this message and any attachments from your system.
> Thank you.
>



-- 
Best regards, Ruslan.

Re: [rt-users] General permissions question

2010-10-25 Thread Kenneth Crocker 
Josh,

You can do what you want.
By watching this list, I've noticed there are hundreds of installations that
do things differently. Some let the Requestors modify their own tickets,
etc.
What I put down was just a suggestion for you and it will most likely not
apply for others.

Kenn
LBNL

On Mon, Oct 25, 2010 at 5:44 AM, Josh Narins wrote:

>  Ken, thanks for your time.
>
>
>
> While the below looks really good both in the sense that it appears to be
> consistent and in the sense you've laid it all out for me, could I get
> someone else's opinion on it?
>
>
>
> Ruslan or Jesse perhaps?
>
>
>
> If it all looks good, then maybe (it could get posted|I could post it) to
> the wiki as an example?
>
>
>
> Thanks,
>
> Josh
>
>
>
>
> *Josh Narins*
>
> Director of Application Development
> SeniorBridge
> 845 Third Ave
> 7th Floor
> New York, NY 10022
> Tel: (212) 994-6194
> Fax: (212) 994-4260
> Mobile: (917) 488-6248
> jnar...@seniorbridge.com
> seniorbridge.com <http://www.seniorbridge.com/>
>
> [image: SeniorBridge]
>
> *From:* rt-users-boun...@lists.bestpractical.com [mailto:
> rt-users-boun...@lists.bestpractical.com] *On Behalf Of *Kenneth Crocker
> *Sent:* Friday, October 22, 2010 12:50 PM
> *To:* rt-users@lists.bestpractical.com
> *Subject:* Re: [rt-users] General permissions question
>
>
>
> Josh,
>
> We never grant rights to individual users, too much maintenance. I agree
> with Jesse (DUH!) to create a SuperUSer Group like "System Admins", then
> another called "Technical Support". I'd set rights as follows:
>
> Global System Rights:
>
>- Privileged:
>
>
> - CreateOwnDashboard
>   - CreateSavedSearch
>   - DeleteOwnDashboard
>   - EditSavedSearch
>   - ForwardMessage
>   - LoadSavedSearch
>   - ModifyOwnDashboard
>   - ModifySelf
>   - SeeOwnDashboard
>   - * SeeQueue (*you might want this only at a "Queue" level*)
>   - ShowSavedSearch
>   - * ShowTicket (*you might want this only for "Roles" and the
>   "support" group*)
>   - SubscribeDashboard
>   - Watch
>
> This set will allow all users rights to their own Searches, Searches saved
> for groups they are in & Dashboards set up subscriptions for any Dashboard
> they have access to & modify themselves & add watchers to tickets they are
> watchers on (basically, add Cc's)
>
>- Everyone:
>
>
> - ReplyToTicket
>   - CreateTicket
>
> This allows anyone to create a ticket and reply to email if sent to them
> from RT. If you have some form of externalAuth going on, that will keep the
> spam out.
>
>- Roles:
>
>
> - Owner;
>
>
> - ModifyTicket (a no brainer)
>  - * SeeQueue & ShowTicket Comments, etc if not by group
>
>
> - AdminCc (*we use AdminCc like a "Queue Manager*);
>
>
> - AdminUsers (*Sys Admin only?*)
>  - AdminCustomFields (*Sys Admin only?*)
>  - AssignCustomFields (*we don't want just anyone messing with
>  these*)
>  - ModifyACL (*you may want to keep this at the "Queue" level or
>  not at all and just let "SuperUsers" do it*)
>  - ModifyOwnMembership
>  - ModifyQueueWatchers (*you may want to keep this at the "Queue"
>  level or not at all and just let "SuperUsers" do it*)
>  - ModifyScrips (*you may want to keep this at the "Queue" level
>  or not at all and just let "SuperUsers" do it*)
>  - ModifyTemplate (*you may want to keep this at the "Queue" level
>  or not at all and just let "SuperUsers" do it*)
>  - ShowACL (*you may want to keep this at the "Queue" level or not
>  at all and just for "SuperUsers"*)
>  - SeeCustomFields (*ditto*)
>  - SeeGroup
>  - * SeeQueue & ShowTicket Comments, etc if not by group (*
>  SuperUser*)
>  - ShowConfigTab (*Sys Admin only?*)
>  - ShowScrips (*Sys Admin only?*)
>  - ShowTemplate (*Sys Admin only?*)
>  - StealTicket (*you may want to keep this at the "Queue" level or
>  let Support group do it*)
>  - WatchAsAdminCc
>  - *You might want to put some of these rights at the Queue level*
>
>
> - Cc;
>
>
> - SeeQueue (*if not given to "Privileged"*)
>  - ShowTicket (*if not given to "Privileged"*)
>
>
> - Requestor
>
>
> - S

Re: [rt-users] General permissions question

2010-10-25 Thread Josh Narins 
Ken, thanks for your time.

While the below looks really good both in the sense that it appears to be 
consistent and in the sense you've laid it all out for me, could I get someone 
else's opinion on it?

Ruslan or Jesse perhaps?

If it all looks good, then maybe (it could get posted|I could post it) to the 
wiki as an example?

Thanks,
Josh



Josh Narins

Director of Application Development
SeniorBridge
845 Third Ave
7th Floor
New York, NY 10022
Tel: (212) 994-6194
Fax: (212) 994-4260
Mobile: (917) 488-6248
jnar...@seniorbridge.com
seniorbridge.com<http://www.seniorbridge.com/>

[http://www.seniorbridge.com/images/seniorbridgedisclaimerTAG.gif]
From: rt-users-boun...@lists.bestpractical.com 
[mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Kenneth Crocker
Sent: Friday, October 22, 2010 12:50 PM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] General permissions question

Josh,

We never grant rights to individual users, too much maintenance. I agree with 
Jesse (DUH!) to create a SuperUSer Group like "System Admins", then another 
called "Technical Support". I'd set rights as follows:

Global System Rights:

 *   Privileged:

*   CreateOwnDashboard
*   CreateSavedSearch
*   DeleteOwnDashboard
*   EditSavedSearch
*   ForwardMessage
*   LoadSavedSearch
*   ModifyOwnDashboard
*   ModifySelf
*   SeeOwnDashboard
*   * SeeQueue (you might want this only at a "Queue" level)
*   ShowSavedSearch
*   * ShowTicket (you might want this only for "Roles" and the "support" 
group)
*   SubscribeDashboard
*   Watch
This set will allow all users rights to their own Searches, Searches saved for 
groups they are in & Dashboards set up subscriptions for any Dashboard they 
have access to & modify themselves & add watchers to tickets they are watchers 
on (basically, add Cc's)

 *   Everyone:

*   ReplyToTicket
*   CreateTicket
This allows anyone to create a ticket and reply to email if sent to them from 
RT. If you have some form of externalAuth going on, that will keep the spam out.

 *   Roles:

*   Owner;

   *   ModifyTicket (a no brainer)
   *   * SeeQueue & ShowTicket Comments, etc if not by group

*   AdminCc (we use AdminCc like a "Queue Manager);

   *   AdminUsers (Sys Admin only?)
   *   AdminCustomFields (Sys Admin only?)
   *   AssignCustomFields (we don't want just anyone messing with these)
   *   ModifyACL (you may want to keep this at the "Queue" level or not at 
all and just let "SuperUsers" do it)
   *   ModifyOwnMembership
   *   ModifyQueueWatchers (you may want to keep this at the "Queue" level 
or not at all and just let "SuperUsers" do it)
   *   ModifyScrips (you may want to keep this at the "Queue" level or not 
at all and just let "SuperUsers" do it)
   *   ModifyTemplate (you may want to keep this at the "Queue" level or 
not at all and just let "SuperUsers" do it)
   *   ShowACL (you may want to keep this at the "Queue" level or not at 
all and just for "SuperUsers")
   *   SeeCustomFields (ditto)
   *   SeeGroup
   *   * SeeQueue & ShowTicket Comments, etc if not by group (SuperUser)
   *   ShowConfigTab (Sys Admin only?)
   *   ShowScrips (Sys Admin only?)
   *   ShowTemplate (Sys Admin only?)
   *   StealTicket (you may want to keep this at the "Queue" level or let 
Support group do it)
   *   WatchAsAdminCc
   *   You might want to put some of these rights at the Queue level

*   Cc;

   *   SeeQueue (if not given to "Privileged")
   *   ShowTicket (if not given to "Privileged")

*   Requestor

   *   SeeQueue (if not given to "Privileged" or Support Group)
   *   ShowTicket (if not given to "Privileged" or Support Group)
Since your "Users" that create tickets will only use email, 
these two rights above would allow them to see ONLY their tickets if they were 
to ever sign into the WebUI.

 *   User-Defined Groups:

*   SystemAdmin;

   *   SuperUser

*   Technical-Support (you may want to keep some of these rights for this 
group at the "Queue" level)

   *   CommentOnTicket
   *   DeleteTicket
   *   ModifyCustomField (may want this at the "Queue" level)
   *   ModifyTicket (ONLY if you want members of the group to be able to 
modify someone else's ticket - Owners already have this right)
   *   OwnTicket
   *   SeeCustomField
   *   ShowOutgoingEmail
   *   ShowTicket
   *   ShowTicketComments
   *   StealTicket (you may want to keep this at the "Queue" level)
   *   TakeTicket

Well, anyway, I'm sure you can get

Re: [rt-users] General permissions question

2010-10-22 Thread Kenneth Crocker 
Josh,

We never grant rights to individual users, too much maintenance. I agree
with Jesse (DUH!) to create a SuperUSer Group like "System Admins", then
another called "Technical Support". I'd set rights as follows:

Global System Rights:


   - Privileged:
   - CreateOwnDashboard
  - CreateSavedSearch
  - DeleteOwnDashboard
  - EditSavedSearch
  - ForwardMessage
  - LoadSavedSearch
  - ModifyOwnDashboard
  - ModifySelf
  - SeeOwnDashboard
  - * SeeQueue (*you might want this only at a "Queue" level*)
  - ShowSavedSearch
  - * ShowTicket (*you might want this only for "Roles" and the
  "support" group*)
  - SubscribeDashboard
  - Watch

This set will allow all users rights to their own Searches, Searches saved
for groups they are in & Dashboards set up subscriptions for any Dashboard
they have access to & modify themselves & add watchers to tickets they are
watchers on (basically, add Cc's)

   - Everyone:
  - ReplyToTicket
  - CreateTicket

This allows anyone to create a ticket and reply to email if sent to them
from RT. If you have some form of externalAuth going on, that will keep the
spam out.


   - Roles:
  - Owner;
 - ModifyTicket (a no brainer)
 - * SeeQueue & ShowTicket Comments, etc if not by group
 - AdminCc (*we use AdminCc like a "Queue Manager*);
  - AdminUsers (*Sys Admin only?*)
 - AdminCustomFields (*Sys Admin only?*)
 - AssignCustomFields (*we don't want just anyone messing with these
 *)
 - ModifyACL (*you may want to keep this at the "Queue" level or not
 at all and just let "SuperUsers" do it*)
 - ModifyOwnMembership
 - ModifyQueueWatchers (*you may want to keep this at the "Queue"
 level or not at all and just let "SuperUsers" do it*)
 - ModifyScrips (*you may want to keep this at the "Queue" level or
 not at all and just let "SuperUsers" do it*)
 - ModifyTemplate (*you may want to keep this at the "Queue" level
 or not at all and just let "SuperUsers" do it*)
 - ShowACL (*you may want to keep this at the "Queue" level or not
 at all and just for "SuperUsers"*)
 - SeeCustomFields (*ditto*)
 - SeeGroup
 - * SeeQueue & ShowTicket Comments, etc if not by group (*SuperUser
 *)
 - ShowConfigTab (*Sys Admin only?*)
 - ShowScrips (*Sys Admin only?*)
 - ShowTemplate (*Sys Admin only?*)
 - StealTicket (*you may want to keep this at the "Queue" level or
 let Support group do it*)
 - WatchAsAdminCc
 - *You might want to put some of these rights at the Queue level*
 - Cc;
 - SeeQueue (*if not given to "Privileged"*)
 - ShowTicket (*if not given to "Privileged"*)
  - Requestor
 - SeeQueue (*if not given to "Privileged" or Support Group*)
 - ShowTicket (*if not given to "Privileged" or Support Group*)

Since your "Users" that create tickets will only use
email, these two rights above would allow them to see ONLY their tickets if
they were to ever sign into the WebUI.


   - User-Defined Groups:
  - SystemAdmin;
 - SuperUser
  - Technical-Support (you may want to keep some of these rights for
  this group at the "Queue" level)
  - CommentOnTicket
 - DeleteTicket
 - ModifyCustomField (may want this at the "Queue" level)
 - ModifyTicket (*ONLY if you want members of the group to be able
 to modify someone else's ticket* - Owners already have this right)
 - OwnTicket
 - SeeCustomField
 - ShowOutgoingEmail
 - ShowTicket
 - ShowTicketComments
 - StealTicket (*you may want to keep this at the "Queue" level*)
 - TakeTicket


Well, anyway, I'm sure you can get the gist of this. Hope this helps.

Kenn
LBNL

On Fri, Oct 22, 2010 at 6:34 AM, Josh Narins wrote:

>  I have three classes of users, I'm wondering if my privileges/groups
> setup is what RT intends.
>
>
>
> Class 1: Administrators. These three people can do anything.
>
> Class 2: People who log into RT and own and resolve tickets. Each is only
> going to be working with 1-3 queues out of 10-15 queues total.
>
> Class 3: People who create tickets via email and don't need to do anything
> but reply via email.
>
>
>
> Right now I'm thinking class 1 and class 2 should be "privileged" users,
> and by AdminCCs on the particular queues they are interested in. In
> addition, the three superusers will have, as a User Right, the "Super User"
> privilege.
>
>
>
> Class 3 won't be users which are seen via Configuration->Users. I still
> haven't figured out if they count as "Everybody" or "Unprivileged." I'd like
> them to be able to view any ticket (although I suspect they will rarely use
> such a power) so I'm giving them ShowTicket and ShowComment and a few other
> minor privileges.
>
>
>
> Does t

Re: [rt-users] General permissions question

2010-10-22 Thread Jesse Vincent 



On Fri, Oct 22, 2010 at 11:03:07AM -0400, Jesse Vincent wrote:
> 
> 
> 
> On Fri 22.Oct'10 at  9:34:40 -0400, Josh Narins wrote:
> 
> > Class 3 won't be users which are seen via Configuration->Users. I still 
> > haven't
> > figured out if they count as "Everybody" or "Unprivileged." I'd like them 
> > to be
> > able to view any ticket (although I suspect they will rarely use such a 
> > power)
> > so I'm giving them ShowTicket and ShowComment and a few other minor 
> > privileges.
> > 
> They count as both everybody and unprivileged.  I'd strongly recommend
> giving your unprivileged users the right to showticket and showcomment
> on all tickets unless this will ALWAYS be a private-internal RT.
> 

Er. That's what I get for replying to email before coffee. I 
strongly recommend AGAINST giving your unprivileged users 
showticket/showcomment.

-Jesse

Re: [rt-users] General permissions question

2010-10-22 Thread Jesse Vincent 



On Fri 22.Oct'10 at  9:34:40 -0400, Josh Narins wrote:
> I have three classes of users, I'm wondering if my privileges/groups setup is
> what RT intends.
> 
> Class 1: Administrators. These three people can do anything.
> 
> Class 2: People who log into RT and own and resolve tickets. Each is only 
> going
> to be working with 1-3 queues out of 10-15 queues total.
> 
> Class 3: People who create tickets via email and don't need to do anything but
> reply via email.
>  
> 
> Right now I'm thinking class 1 and class 2 should be "privileged" users, and 
> by
> AdminCCs on the particular queues they are interested in. In addition, the
> three superusers will have, as a User Right, the "Super User" privilege.

That sounds right, though I might put your superusers in a "SuperUser"
group.

> Class 3 won't be users which are seen via Configuration->Users. I still 
> haven't
> figured out if they count as "Everybody" or "Unprivileged." I'd like them to 
> be
> able to view any ticket (although I suspect they will rarely use such a power)
> so I'm giving them ShowTicket and ShowComment and a few other minor 
> privileges.
> 
They count as both everybody and unprivileged.  I'd strongly recommend
giving your unprivileged users the right to showticket and showcomment
on all tickets unless this will ALWAYS be a private-internal RT.


> Does that sound about right?
> 
> 
> 
> Josh Narins
> 
> Director of Application Development
> SeniorBridge
> 845 Third Ave
> 7th Floor
> New York, NY 10022
> Tel: (212) 994-6194
> Fax: (212) 994-4260
> Mobile: (917) 488-6248
> jnar...@seniorbridge.com
> seniorbridge.com
> 
> SeniorBridge
> 
> ━━━
> SeniorBridge Statement of Confidentiality: The contents of this email message
> are intended for the exclusive use of the addressee(s) and may contain
> confidential or privileged information. Any dissemination, distribution or
> copying of this email by an unintended or mistaken recipient is strictly
> prohibited. In said event, kindly reply to the sender and destroy all entries
> of this message and any attachments from your system. Thank you.

[rt-users] General permissions question

2010-10-22 Thread Josh Narins 
I have three classes of users, I'm wondering if my privileges/groups setup is 
what RT intends.

Class 1: Administrators. These three people can do anything.
Class 2: People who log into RT and own and resolve tickets. Each is only going 
to be working with 1-3 queues out of 10-15 queues total.
Class 3: People who create tickets via email and don't need to do anything but 
reply via email.

Right now I'm thinking class 1 and class 2 should be "privileged" users, and by 
AdminCCs on the particular queues they are interested in. In addition, the 
three superusers will have, as a User Right, the "Super User" privilege.

Class 3 won't be users which are seen via Configuration->Users. I still haven't 
figured out if they count as "Everybody" or "Unprivileged." I'd like them to be 
able to view any ticket (although I suspect they will rarely use such a power) 
so I'm giving them ShowTicket and ShowComment and a few other minor privileges.

Does that sound about right?


Josh Narins

Director of Application Development
SeniorBridge
845 Third Ave
7th Floor
New York, NY 10022
Tel: (212) 994-6194
Fax: (212) 994-4260
Mobile: (917) 488-6248
jnar...@seniorbridge.com
seniorbridge.com

[http://www.seniorbridge.com/images/seniorbridgedisclaimerTAG.gif]


SeniorBridge Statement of Confidentiality: The contents of this email message 
are intended for the exclusive use of the addressee(s) and may contain 
confidential or privileged information. Any dissemination, distribution or 
copying of this email by an unintended or mistaken recipient is strictly 
prohibited. In said event, kindly reply to the sender and destroy all entries 
of this message and any attachments from your system. Thank you.