
need to figure out how to make an rt queue read-only
Closed, Resolved (Public)

Description

So that if you try to create a new task it does either the "nope" or a friendly "go here"

Event Timeline

chasemp assigned this task to Dzahn.
chasemp raised the priority of this task from to Needs Triage.
chasemp updated the task description.
chasemp changed Security from none to None.
chasemp subscribed.
  1. login as root on RT
  2. Tools -> Configuration -> Queues -> Select
  3. select queue in next screen
  4. on config screen, select "Group Rights"
  5. go through all groups on the left hand side (system, roles, user groups) and click them to see which checkboxes they have in the "General Rights" section
  6. remove all permissions that don't start with "View .."
  7. click "Rights for Staff" and "Rights for Administrators" as well and take away their rights as well, except the "View.." things

this should do the trick

ok, this was unexpected. i tested this with the unused "legal" queue and removed rights, then i tried creating a new ticket in that queue and i still could, even though i shouldn't have had the "create ticket" permission anymore. i must be overlooking something that makes ops members still have this globally.

anyways, after searching some more, i think we should just do this:

"granting rt_user mysql user only SELECT
right for rt3 db for all tables except sessions. "

other people say that's what they did to make an RT read-only globally.. and it's just easier and probably safer to change the mysql grant

..unless you literally meant it has to be possible per queue and not for all queues at once

mark wants to keep the procurement and access-requests queues behind in RT for a bit, so yeah I guess per-queue if possible...if not possible we will have to get more info

i got it. we were handing out the 'create ticket' permission in the global section to any privileged user.

i removed that. and i believe it shouldn't affect anyone because either users are not "privileged" (those that just mail us) or they are members in another group which gives them this permission on queues.

this made it possible to go "per queue". The "legal" queue just simply doesn't show up for me anymore in the drop-down you get with "create ticket", but i can still read the tickets that exist in there.

https://rt.wikimedia.org/Ticket/Display.html?id=8665

also, as a bonus, here is how to check permissions in mysql if you don't wanna rely on finding all the checkboxes in the UI:

[rt]> SELECT Queues.Name AS queue_name,
             Groups.Name AS group_name,
             ACL.RightName AS right_name
      FROM ACL
      LEFT JOIN Groups ON ACL.PrincipalId = Groups.id
      JOIN Queues ON ACL.ObjectId = Queues.id
                 AND ACL.ObjectType = 'RT::Queue'  -- skip global (RT::System) rows; their ObjectId is 1 and would otherwise match queue id 1
      WHERE Groups.Name IS NOT NULL                -- drops groups without a Name (role groups)
        AND Queues.Name = 'legal'
      ORDER BY queue_name, group_name, right_name;

gets you stuff like:

+------------+------------+---------------------+
| queue_name | group_name | right_name          |
+------------+------------+---------------------+
| legal      | Legal      | SeeCustomField      |
| legal      | Legal      | SeeQueue            |
| legal      | Legal      | ShowOutgoingEmail   |
| legal      | Legal      | ShowTicket          |
| legal      | Legal      | ShowTicketComments  |
| legal      | Operations | SeeCustomField      |
| legal      | Operations | SeeQueue            |
| legal      | Operations | ShowOutgoingEmail   |
| legal      | Operations | ShowScrips          |
| legal      | Operations | ShowTemplate        |
| legal      | Operations | ShowTicket          |
| legal      | Operations | ShowTicketComments  |
| legal      | User 23124 | CommentOnTicket     |
| legal      | User 23124 | CreateTicket        |
| legal      | User 23124 | ForwardMessage      |
| legal      | User 23124 | ModifyCustomField   |
| legal      | User 23124 | ModifyTicket        |
... and so on ...
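The two lessons of this task were that a global grant (the "create ticket" right handed to every privileged user) silently overrides per-queue cleanup, and that the ACL table is the reliable place to check. The following audit query is an added example, not code from the task or from RT; it extends the per-queue query above to also list global (RT::System) grants and to tag each right as read-only or write. It assumes the RT 3.8/4.0 MySQL schema (an `ACL.ObjectType` column and a `Groups.Type` column for groups without a Name) and uses the "legal" queue as the constructed target.

```sql
-- Added audit query (not from the task or from RT). Lists every right that can
-- reach the 'legal' queue: its own grants plus global (RT::System) grants.
-- Assumes RT 3.8/4.0 schema: ACL.ObjectType is 'RT::System' or 'RT::Queue';
-- groups without a Name (role and system-internal groups) carry Groups.Type.
-- `Groups` is backtick-quoted because GROUPS is a reserved word in MySQL 8.
SELECT
  CASE ACL.ObjectType
    WHEN 'RT::System' THEN '(global)'
    ELSE Queues.Name
  END                                       AS scope,
  COALESCE(`Groups`.Name, `Groups`.Type)    AS principal,
  ACL.RightName                             AS right_name,
  CASE
    WHEN ACL.RightName IN ('SeeQueue', 'ShowTicket', 'ShowTicketComments',
                           'ShowOutgoingEmail', 'SeeCustomField',
                           'ShowScrips', 'ShowTemplate') THEN 'read'
    ELSE 'WRITE'
  END                                       AS kind
FROM ACL
JOIN `Groups`    ON ACL.PrincipalId = `Groups`.id
LEFT JOIN Queues ON ACL.ObjectType = 'RT::Queue'
                AND ACL.ObjectId   = Queues.id
WHERE ACL.ObjectType = 'RT::System'   -- global grants apply to every queue
   OR Queues.Name    = 'legal'        -- plus this queue's own grants
ORDER BY scope, kind DESC, principal, right_name;
-- The queue is effectively read-only only when no 'WRITE' row is left for the
-- groups its users belong to, in either scope: a 'WRITE' row under '(global)'
-- reaches every queue, which is exactly how CreateTicket survived the first
-- per-queue cleanup.
```

With `kind DESC` the write rights sort first, so anything that still needs removing is at the top of each scope.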