Hello, I've installed otrs and having some things to configure, I'd like to be sure I understand the queues/groups/agents/customer permission system correctly. * A queue is associated to a Group * each agent can be associated to groups with a set of permissions (ro, create, ..., rw) * when there are more and more Queues, Groups and Agents, it is easier to create roles * each role can be associated to groups with a set of permissions (ro, create, ..., rw) * just associate a user with a role, and he gets the role's permissions Is this correct ? Yes, it's totally correct!!! When you want to authorize reading to a queue or ticket creation in it, you have to give the user ro or create permission to the group the queue belongs to, isn't it ? You guess it!!! Now, I have : * a queue for our IT staff (10 agents), let's call it "ITqueue". It belongs to group "IT". * 300 customers in our ldap backend, which all belong to group "Clients" ( $Self->{CustomerGroupAlwaysGroups} = ['Clients']; ) I would like to give these customers read and create rights on the "ITqueue", but can't figure how. I think I should associate them all to a role ("Client") that would have ro & create rights on group "IT", but how would I automatically give this role to all these 300 customers ? By the way, I use otrs 2.2.4 Would anybody have an idea ? Uhm... sorry, maybe I can't understand exactly what you mean due to the fact that english is not my primary language but.. The customers should access the system through the customer interface (customer.pl): so they usually don't have need a role, since they can only "read only" and "create" by definition. They can only belongs to some group, just in case you have more than one queue and you need to hide some of those queues from customer's eyes. Simply activate $Self->{'CustomerGroupSupport'} = '1' if you need group support for customers, the put those 300 clients in "IT" group, which should be the same group to which your ITQueue Agents belongs to. Ciao, d.