Hi Anton,
Based on your case, I
built up the following settings:
1.
Be understood the “User” in OTRS is actually Agent not Customer.
2.
Went to Sysconfig -> Frontend::Customer , enable “CustomerGroupSupport” and Delete the default
value (Users, Info) from the “CustomerGroupAlwaysGroups”.
This way the customers are not longer in the same group unless you set up another
common group for them.
3.
Created test1, test2 as 2 customers with same customer ID, created CustomerSubmit1,
CustomerSubmit2 as 2 Queues. Created TestGroup1, TestGroup2 as 2 test groups.
4.
Assigned test1 to TestGroup1 and has read and write rights,
assigned test1 to TestGroup2 and has read rights only. Assigned test2 to
TestGroup2 and has rights to read and write.
5.
Assigned test1 to queue CustomerSubmit1, assigned test2 to queue CustomerSubmit2.
6.
Now, user test2 can not read user test1’s tickets, despite they are
under the same CustomerID.
Jack
From:
Anton Gubar'kov [mailto:anton.gubarkov@gmail.com]
Sent: 2008年11月11日 11:36 AM
To: User questions and discussions
about OTRS.
Subject: Re: [otrs] company
tickets access control
Colleagues, I'm sorry for putting so much
confusion into the case.
I'm an IT service provider for company Acme. I support Acme's ERP system.
My agents are trustworthy.
Acme has users Ann and Mallory. Ann is a financial controller. Mallory is
salesman.
Mallory wants to hijack Ann's privilege to release credit blocked orders
in Acme's ERP to satisfy his customer with credit block..
Mallory tries to login 5 times using Ann's user id and causes it to lock.
Mallory starts to watch Company tickets waiting for Ann to raise a password
reset request with me.
Ann raises a password reset request.
Mallory continues watching waiting for the new password to appear on Ann's
ticket.
Before Ann has a chance to change her new password, Mallory logs in as Ann and
releases the blocked order.
I want to control an access to tickets from my customer's users. Can you
suggest a way to resolve this case?
2008/11/11
Jie(Jack) Zhu <j.zhu@impactek.com>
Sorry Anton, I
do not quite understand what the point is.
Suppose you have the rights to reset a password
for a user. Don't you have the rights to do the search on this user and
relatives?
This is the problem you trust your agent or not.
I think the access control is quite advanced in
OTRS. You have Role and Group. You can create a role and put groups in it. Then
add the role to the users.
If you want, you can put different companies into
different groups and only set the agent on the groups they are responsible to.
This way could narrow down the risk?
In this way, you even can set each user in each
group. :)
Regards,
Jack
From: Anton
Gubar'kov [mailto:anton.gubarkov@gmail.com]
Sent: 2008年11月10日 14:41 PM
To: User questions and discussions
about OTRS.
Subject: [otrs] company tickets
access control
Hello, list.
I've come across a problem I can't overcome.
Suppose I have a request to reset a password on some account for a user due to
account locked or password forgotten. I thought I could communicate the new
password to a user using external-email or external-note article. But it is
really too dangerous to do that!
The whole company tickets collection is searchable! I could find no way control
access to the tickets in one CustomerID except one using queues. The queues are
used for different purpose usually.
The alternative is to quit using CustomerID and treat every user as
individual customer. This is not convenient either as some bosses at customers
want to watch the requests of their subordinates.
This is the simplest example that comes to mind. There is a lot more sensitive
information circulating in the process of IT Service Delivery that should not
be shared across entire customer.
I would be grateful for suggestions to solve this security issue.
Regards,
Anton Gubarkov.
_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs