1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
|
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<section id="acl" >
<title>Access Control Lists (ACLs)</title>
<section>
<title>Introduction</title>
<para>
From OTRS 2.0 on, Access Control Lists (ACLs) can be used to control access
to tickets, modules, queues, etc., or to influence actions on tickets
(closing, moving, etc.) in certain situations. ACLs can be used to
supplement the existing permission system of <link
linkend="adminarea-roles">roles</link> and <link
linkend="adminarea-groups">groups</link>. Using ACLs, rudimental workflows
within the system can be mapped, based on ticket attributes.
</para>
<para>
As yet, ACLs cannot be created using the <link
linkend="adminarea-sysconfig">SysConfig interface</link>. They must be
directly entered into the <filename>Kernel/Config.pm</filename> file. This
chapter has some ACL examples which will walk you trough the process of
defining ACL definitions, and a reference of all possible important ACL
settings.
</para>
</section>
<section>
<title>Examples</title>
<para>
<example id="acl-move">
<title>ACL, die das Verschieben von Tickets in eine Queue nur bei einer
Ticket-Priorität von 5 erlaubt.</title>
<para>
This example shows you the basic structure of an ACL. First, it needs to
have a name. In this case, it is "ACL-Name-2". Note that the ACLs will be
numerically sorted before execution, so you should use the names carefully.
</para>
<para>
Secondly, you have a "Properties" section which is a filter for your
tickets. All the criteria defined here will be applied to a ticket to
determine if the ACL must be applied or not. In our example, a ticket will
match if it is in the queue "Raw" and has priority "5 very high". This is
also affected by changes in the form (e.g. if the ticket is the queue "raw"
and had a priority "3 normal", but then priority drop-down is selected and
the priority is changed now to "5 very high" will also match).
</para>
<para>
Lastly, a section "Possible" defines modifications to the screens. In this
case, from the available queues, only the queue "Alert" can be selected in a
ticket screen.
</para>
<programlisting>
# ticket acl
$Self->{TicketAcl}->{'100-Example-ACL'} = {
# match properties
Properties => {
# current ticket match properties
Ticket => {
Queue => ['Raw'],
Priority => ['5 very high'],
}
},
# return possible options (white list)
Possible => {
# possible ticket options (white list)
Ticket => {
Queue => ['Alert'],
},
},
};
</programlisting></example>
</para>
<para>
<example id="acl-move2">
<title>
ACL allowing movement into a queue of only those tickets with ticket
priority 5 stored in the database.
</title>
<para>
This example is very similar to the last one, but in this case only tickets
in the queue "Raw" and with a priority "5 very high", both stored in the
database will match. This kind of ACLs does not consider changes in the form
before the ticket is really updated in the database.
</para>
<programlisting>
# ticket acl
$Self->{TicketAcl}->{'100-Example-ACL'} = {
# match properties
PropertiesDatabase => {
# current ticket match properties
Ticket => {
Queue => ['Raw'],
Priority => ['5 very high'],
}
},
# return possible options (white list)
Possible => {
# possible ticket options (white list)
Ticket => {
Queue => ['Alert'],
},
},
};
</programlisting></example>
</para>
<para>
<example id="acl-close" >
<title>ACL, die das Schließen von Tickets in der raw-Queue verbietet und den
Schließen-Schalter ausblendet.</title>
<para>
Here you can see how a ticket field (state) can be filtered with more than
one possible value to select from. It is also possible to limit the actions
that can be executed for a certain ticket. In this case, the ticket cannot
be closed.
</para>
<programlisting>
$Self->{TicketAcl}->{'101-Second-Example-ACL'} = {
# match properties
Properties => {
# current ticket match properties
Ticket => {
Queue => ['Raw'],
}
},
# return possible options (white list)
Possible => {
# possible ticket options (white list)
Ticket => {
State => ['new', 'open', 'pending reminder'],
},
# possible action options
Action => {
AgentTicketBounce => 1,
AgentTicketClose => 0,
AgentTicketCompose => 1,
AgentTicketCustomer => 1,
AgentTicketForward => 1,
AgentTicketFreeText => 1,
AgentTicketHistory => 1,
AgentTicketLink => 1,
AgentTicketLock => 1,
AgentTicketMerge => 1,
AgentTicketMove => 1,
AgentTicketNote => 1,
AgentTicketOwner => 1,
AgentTicketPending => 1,
AgentTicketPhone => 1, # only used to hide the Split action
AgentTicketPhoneInbound => 1,
AgentTicketPhoneOutbound => 1,
AgentTicketPrint => 1,
AgentTicketPriority => 1,
AgentTicketResponsible => 1,
AgentTicketWatcher => 1,
AgentTicketZoom => 1,
AgentLinkObject => 1, # only used to hide the Link action
},
},
};
</programlisting></example>
</para>
<para>
<example id="acl-state" >
<title>ACL removing always state closed successful.</title>
<para>
This example shows how it is possible to define negative filters (the state
"closed successful" will be removed). You can also see that not defining
match properties for a ticket will match any ticket, i. e. the ACL will
always be applied. This may be useful if you want to hide certain values by
default, and only enable them in special circumstances (e. g. if the agent
is in a specific group).
</para>
<programlisting>
$Self->{TicketAcl}->{'102-Third-ACL-Example'} = {
# match properties
Properties => {
# current ticket match properties (match always)
},
# return possible options
PossibleNot => {
# possible ticket options
Ticket => {
State => ['closed successful'],
},
},
};
</programlisting></example>
</para>
<para>
<example id="acl-new-ticket-service" >
<title>ACL only showing Hardware services for tickets that are created in queues
that start with "HW".</title>
<para>
This example also shows you how you can use regular expressions for matching
tickets and for filtering the available options.
</para>
<programlisting>
$Self->{TicketAcl}->{'Only-Hardware-Services-for-HW-Queues'} = {
# match properties
# note we don't have "Ticket => {" because there's no ticket yet
Properties => {
Queue => {
Name => ['[RegExp]HW'],
}
},
# return possible options
Possible => {
# possible ticket options
Ticket => {
Service => ['[RegExp]^(Hardware)'],
},
},
};
</programlisting></example>
</para>
</section>
<section id="acl-reference">
<title>Reference</title>
<para>
In the example below there is a list of all parameters which can be used for
ACLs.
</para>
<para>
Please see the <link linkend="process-management-acl">section on ACLs</link>
in the <link linkend="process-management">ProcessManagement</link>
documentation for a detailed descripton of how to use ACLs for process
tickets.
</para>
<para>
<example>
<title>Reference showing all possible important ACL settings.</title>
<programlisting>
# ticket acl
$Self->{TicketAcl}->{'200-ACL-Reference'} = {
# match properties (current values from the form)
Properties => {
# the used frontend module
Frontend => {
Action => ['AgentTicketPhone', 'AgentTicketEmail'],
},
# the logged in agent
User => {
UserLogin => ['some login'],
Group_rw => [
'hotline',
],
Role => [
'admin',
],
# ...
},
# the logged in customer
CustomerUser => {
UserLogin => ['some login'],
Group_rw => [
'hotline',
],
Role => [
'admin',
],
# ...
},
# process properties
Process => {
ProcessEntityID => ['P1'], # the Process that the current ticket is part of
ActivityEntityID => ['A1'], # the current Activity of the ticket
ActivityDialogEntityID => ['AD1'], # the current ActivityDialog that the Agent/Customer is using
},
# ticket properties
Queue => {
Name => ['Raw'],
QueueID => ['some id'],
GroupID => ['some id'],
Email => ['some email'],
RealName => ['OTRS System'],
# ...
},
Service => {
ServiceID => ['some id'],
Name => ['some name'],
ParentID => ['some id'],
# ...
},
Type => {
ID => ['some id'],
Name => ['some name'],
# ...
},
Priority = {
ID => ['some id'],
Name => ['some name'],
# ...
},
SLA = {
SLAID => ['some id'],
Name => ['some name'],
Calendar => ['some calendar'],
# ...
},
State = {
ID => ['some id'],
Name => ['some name'],
TypeName => ['some state type name'],,
TypeID => ['some state type id'],
# ...
},
Owner => {
UserLogin => ['some login'],
Group_rw => [
'some group',
],
Role => [
'admin',
],
# ...
},
Responsible => {
UserLogin => ['some login'],
Group_rw => [
'some group',
],
Role => [
'admin',
],
# ...
},
DynamicField => {
# Names must be in DynamicField_<field_name> format.
# Values in [ ... ] must always be the untranslated internal data keys
# specified in the dynamic field definition and
# not the data values shown to the user.
DynamicField_Field1 => ['some value'],
DynamicField_OtherField => ['some value'],
DynamicField_TicketFreeText2 => ['some value'],
# ...
},
# alternatively, ticket properties can be specified in the ticket hash
Ticket => {
Queue => ['Raw'],
State => ['new', 'open'],
Priority => ['some priority'],
Lock => ['lock'],
CustomerID => ['some id'],
CustomerUserID => ['some id'],
Owner => ['some owner'],
DynamicField_Field1 => ['some value'],
DynamicField_MyField => ['some value'],
# ...
},
},
# match properties (existing values from the database)
PropertiesDatabase => {
# See section "Properties", the same config can be used here.
# ...
}
# return possible options (white list)
Possible => {
# possible ticket options (white list)
Ticket => {
Queue => ['Hotline', 'Coordination'],
State => ['some state'],
Priority => ['5 very high'],
DynamicField_Field1 => ['some value'],
DynamicField_MyField => ['some value'],
# ...
NewOwner => ['some owner'],
OldOwner => ['some owner'],
# ...
},
# Limit the number of possible ActivityDialogs the Agent/Customer
# can use in a process ticket.
ActivityDialog => ['AD1', 'AD3'],
# Limit the number of possible Processes that can be started
Process => ['P1', 'P2'],
# possible action options (white list)
Action => {
AgentTicketBounce => 1,
AgentTicketClose => 1,
AgentTicketCompose => 0,
AgentTicketCustomer => 0,
AgentTicketForward => 0,
AgentTicketFreeText => 1,
AgentTicketHistory => 1,
AgentTicketLink => 0,
AgentTicketLock => 1,
AgentTicketMerge => 0,
AgentTicketMove => 1,
AgentTicketNote => 1,
AgentTicketOwner => 1,
AgentTicketPending => 1,
AgentTicketPhone => 1, # only used to hide the Split action
AgentTicketPhoneInbound => 0,
AgentTicketPhoneOutbound => 1,
AgentTicketPrint => 1,
AgentTicketPriority => 0,
AgentTicketResponsible => 1,
AgentTicketWatcher => 1,
AgentTicketZoom => 1,
AgentLinkObject => 1, # only used to hide the Link action
},
},
# remove options (black list)
PossibleNot => {
# See section "Possible"
# ...
},
};
</programlisting></example>
</para>
<note>
<para>
While matching ACLs if CustomerUserID parameter sent, the ACL mechanism will
compare the defined ACLs using the supplied CustomerUserID to gather the
CustomerUser details to fill the CustomerUser hash and it also overrides the
Customer information in the Ticket hash for the Properties match. On the
other hand this calculations are also made for the PropertiesDatabase part,
but using the Ticket Customer as the basis to gather the data.
</para>
<para>
Notice that in Customer Interface, the CustomerUserID is always sent with
the current logged Customer User.
</para>
<para>
Be aware that in ticket search screens (AgentTicketSearch and
CustomerTicketSearch) the only affected attributes by ACLs are the Dynamic
Fields. This means that this screens you can not restrict any other
attribute like ticket type, state, queue, etc.
</para>
</note>
</section>
</section>
|
