Sorry Anton, I do not quite understand what the point is.
Suppose you have the rights to reset a password for a user. Don’t you have the rights to do the search on this user and relatives?
This is the problem of whether you trust your agent or not.
I think the access control is quite advanced in OTRS. You have Role and Group. You can create a role and put groups in it. Then add the role to the users.
If you want, you can put different companies into different groups and only set the agent on the groups they are responsible for. This way could narrow down the risk?
In this way, you can even set each user in each group. :)
Regards,
Jack
From: Anton Gubar'kov [mailto:anton.gubarkov@gmail.com]
Sent: November 10, 2008 14:41 PM
To: User questions and discussions about OTRS.
Subject: [otrs] company tickets access control
Hello, list.
I've come across a problem I can't overcome.
Suppose I have a request to reset a password on some account for a user due to
a locked account or a forgotten password. I thought I could communicate the new
password to a user using an external-email or external-note article. But it is
really too dangerous to do that!
The whole company tickets collection is searchable! I could find no way to control
access to the tickets in one CustomerID except one using queues. The queues are
usually used for a different purpose.
The alternative is to quit using CustomerID and treat every user as an
individual customer. This is not convenient either, as some bosses at customers
want to watch the requests of their subordinates.
This is the simplest example that comes to mind. There is a lot more sensitive
information circulating in the process of IT Service Delivery that should not
be shared across the entire customer.
I would be grateful for suggestions to solve this security issue.
Regards,
Anton Gubarkov.