$Header: /home/cvs/cvsroot/freeside/rt/docs/design_docs/acls,v 1.1 2002-08-12 06:17:07 ivan Exp $
# {{{ Requirements
Here's the rough scheme I was thinking of for RT2 acls. Thoughts? I think
it's a lot more flexible than RT 1.0, but not so crazily complex that
it will be impossible to implement. One of the "interesting" features
is the ability to grant acls based on watcher status. This now lives
in design-docs/acls
jesse
Who can rights be granted to:
    users whose id is <foo>
    users who are watchers of type <requestor/cc/admincc> for <queue/ticket> <id>
    users who are watchers of type <requestor/cc/admincc> for <this ticket / this queue>
What scope do these rights apply to:
    queue <id>
    system
What rights can be granted:
    Display Ticket
    Manipulate Ticket
        Only users with manipulate ticket level access will see comments
    Manipulate Ticket Status
    Create Ticket
    Admin Queue Watchers
    Admin Ticket Watchers
    Admin user accounts
    Admin scrips
    Admin scripscopes
    Admin Queue ACLs
    Admin System ACLs
# }}}
# {{{ Principals: These are the entities in your Access Control Element
#
Principal: What user does this right apply to
Made up of:
PrincipalScope, PrincipalType and PrincipalId
User:
    Scope: User
    Type: null
    Id: A userid or 0
Owner:
    Scope: Owner
    Type: null
    Id: none
Watchers:
    Scope: Ticket
    Type: Requestors; Cc; AdminCc
    Id: A ticket id or 0 for "this ticket"
    Scope: Queue
    Type: Cc; AdminCc
    Id: A queue id or 0 for "this queue"
# }}}
# {{{ Object: What object does this right apply to
Object is composed of an ObjectType and an ObjectId
Type: System
    Id: NULL
Type: Queue
    Id: Integer ref to queue id or 0 for all queues
# }}}
# {{{ Right: (What does this entry give the principal the right to do)
For the Object System:
    System::SetACL
    System::AdminScrips
    User::Display
    User::Create
    User::Destroy
    User::Modify
    User::SetPassword
For the Object "Queue":
    Queue::Admin
    Queue::SetACL
    Queue::Create
    Queue::Display
    Queue::Destroy
    Queue::ModifyWatchers
    Ticket::Create
    Ticket::Destroy
    Ticket::Display
    Ticket::Update
    Ticket::UpdateRequestors
    Ticket::UpdateCc
    Ticket::UpdateAdminCc
    Ticket::NotifyWatchers
DEFERRED
    Ticket::SetStatus: (Values)
        Open
        Resolved
        Stalled
        <null> means any
# }}}
# {{{ Implementation:
# {{{ SQL Schema
CREATE TABLE ACL (
    id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
    PrincipalId INT(11),
    PrincipalType VARCHAR(16),
    PrincipalScope VARCHAR(16),
    ObjectType VARCHAR(16),
    ObjectId INT,
    `Right` VARCHAR(16)   -- quoted here: RIGHT is a reserved word; ACE.Right is fine after the dot
);
# }}}
# {{{ perl implementation of rights searches
# $User, $Ticket, $Queue and $Right are assumed to be set by the caller;
# $Ticket is undef for a queue- or system-level check. The ACL table is
# aliased as ACE in every query. Values are interpolated straight into the
# SQL, as in the sketch; real code should bind them as placeholders instead.
my $UserPrincipal = " ( ACE.PrincipalScope = 'User') AND
    ( ACE.PrincipalId = $User OR ACE.PrincipalId = 0)";
my $WatchersPrincipal = " ( ACE.PrincipalScope = Watchers.Scope ) AND
    ( ACE.PrincipalType = Watchers.Type ) AND
    ( ACE.PrincipalId = Watchers.Value ) AND
    ( Watchers.Owner = $User )";

# The Owner principal only applies when a specific ticket is being checked,
# so it is built inside the branch that has a ticket to refer to.
sub Principals {
    if (defined $Ticket) {
        my $OwnerPrincipal = " ( ACE.PrincipalScope = 'Owner') AND
            ( Tickets.Owner = $User ) AND
            ( Tickets.id = $Ticket)";
        return "($UserPrincipal) OR ($OwnerPrincipal) OR ($WatchersPrincipal)";
    }
    return "($UserPrincipal) OR ($WatchersPrincipal)";
}
my $Principals = Principals();

my $QueueObject  = "( ACE.ObjectType = 'Queue' AND (ACE.ObjectId = $Queue OR ACE.ObjectId = 0))";
my $SystemObject = "( ACE.ObjectType = 'System' )";

# This select statement would figure out if a user has $Right at the queue level
my $QueueQuery = "SELECT ACE.id FROM ACL ACE, Watchers, Tickets WHERE (
    $QueueObject
    AND ( ACE.Right = '$Right' )
    AND ($Principals))";

# This select statement would figure out if a user has $Right for the "System"
my $SystemQuery = "SELECT ACE.id FROM ACL ACE, Watchers, Tickets WHERE (
    ($SystemObject) AND ( ACE.Right = '$Right' ) AND ($Principals))";
# }}}
# }}}
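The rights lookup above, as an added example that is not from this design doc or from RT itself. It runs the ACL schema and the Principal/Object/Right matching against an in-memory SQLite database so the query semantics can actually be exercised. The Tickets (id, Queue, Owner) and Watchers (Scope, Type, Value, Owner) columns are assumed from what the Perl fragment references, the users, tickets and ACEs are constructed sample data, and the function names build_db and has_right are mine. It goes beyond the sketch in two ways: the Watchers and Tickets tables are joined through EXISTS subqueries rather than a cross join (a cross join returns no rows at all when either table is empty, so even a plain User ACE would fail to match), and a PrincipalId of 0 on a watcher ACE is resolved to "this ticket" or "this queue" as the Principals section specifies.

```python
import sqlite3

# Constructed sample schema. ACL follows the design doc ("Right" is quoted
# because it is a reserved word); Tickets and Watchers carry only the columns
# the rights query needs. Watchers.Scope/Type/Value mirror the ACE's
# PrincipalScope/PrincipalType/PrincipalId, and Watchers.Owner is the user
# who holds that watcher role.
SCHEMA = """
CREATE TABLE ACL (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    PrincipalId INT, PrincipalType VARCHAR(16), PrincipalScope VARCHAR(16),
    ObjectType VARCHAR(16), ObjectId INT, "Right" VARCHAR(16));
CREATE TABLE Tickets (id INTEGER PRIMARY KEY, Queue INT, Owner INT);
CREATE TABLE Watchers (Scope VARCHAR(16), Type VARCHAR(16), Value INT, Owner INT);
"""

# Constructed sample data. Users: 1 alice, 2 bob, 3 carol, 4 dave, 5 eve.
ACES = [
    # (PrincipalId, PrincipalType, PrincipalScope, ObjectType, ObjectId, Right)
    (1, None, "User", "System", None, "System::SetACL"),          # alice only
    (0, None, "User", "Queue", 0, "Ticket::Create"),              # any user, any queue
    (0, "Requestors", "Ticket", "Queue", 5, "Ticket::Display"),   # requestors of "this ticket", queue 5
    (0, None, "Owner", "Queue", 0, "Ticket::Update"),             # owner of "this ticket", any queue
    (0, "AdminCc", "Queue", "Queue", 5, "Queue::ModifyWatchers"), # AdminCcs of "this queue", queue 5
]
TICKETS = [(10, 5, 4), (11, 5, 1)]                                # (id, Queue, Owner)
WATCHERS = [("Queue", "AdminCc", 5, 2), ("Ticket", "Requestors", 10, 3)]

# The three principal clauses from the design, OR'ed together. A watcher ACE
# with PrincipalId 0 matches the ticket or queue currently being checked.
PRINCIPALS = """
   (ACE.PrincipalScope = 'User'
    AND (ACE.PrincipalId = :user OR ACE.PrincipalId = 0))
OR (ACE.PrincipalScope = 'Owner'
    AND EXISTS (SELECT 1 FROM Tickets T
                WHERE T.id = :ticket AND T.Owner = :user))
OR (ACE.PrincipalScope IN ('Ticket', 'Queue')
    AND EXISTS (SELECT 1 FROM Watchers W
                WHERE W.Scope = ACE.PrincipalScope
                  AND W.Type  = ACE.PrincipalType
                  AND W.Owner = :user
                  AND (W.Value = ACE.PrincipalId
                       OR (ACE.PrincipalId = 0 AND W.Value =
                           CASE ACE.PrincipalScope
                                WHEN 'Ticket' THEN :ticket ELSE :queue END))))
"""
QUEUE_OBJECT = "ACE.ObjectType = 'Queue' AND (ACE.ObjectId = :queue OR ACE.ObjectId = 0)"
SYSTEM_OBJECT = "ACE.ObjectType = 'System'"


def build_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany('INSERT INTO ACL (PrincipalId, PrincipalType, PrincipalScope,'
                     ' ObjectType, ObjectId, "Right") VALUES (?,?,?,?,?,?)', ACES)
    conn.executemany("INSERT INTO Tickets VALUES (?,?,?)", TICKETS)
    conn.executemany("INSERT INTO Watchers VALUES (?,?,?,?)", WATCHERS)
    return conn


def has_right(conn, user, right, queue=None, ticket=None):
    """Queue-level check when `queue` is given (optionally in the context of a
    specific `ticket`), System-level check otherwise. Every caller-supplied
    value is bound as a parameter rather than interpolated into the SQL."""
    obj = QUEUE_OBJECT if queue is not None else SYSTEM_OBJECT
    sql = f'SELECT ACE.id FROM ACL ACE WHERE ({obj}) AND ACE."Right" = :right AND ({PRINCIPALS})'
    params = {"user": user, "right": right, "queue": queue, "ticket": ticket}
    return conn.execute(sql, params).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    checks = [(1, "System::SetACL", None, None), (2, "System::SetACL", None, None),
              (3, "Ticket::Display", 5, 10), (3, "Ticket::Display", 5, 11),
              (4, "Ticket::Update", 5, 10), (2, "Queue::ModifyWatchers", 6, None)]
    for user, right, queue, ticket in checks:
        print(user, right, queue, ticket, "->", has_right(db, user, right, queue, ticket))
```

Carol's requestor ACE grants Ticket::Display on ticket 10 but not on ticket 11 in the same queue, and dave's ownership of ticket 10 grants Ticket::Update only there; a queue-level check for bob on queue 6 fails because his AdminCc ACE is scoped to queue 5.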
# {{{ Examples
#
# }}}
Unaddressed issues:
There needs to be a more refined method for grouping users, such that members of the customer service department
can't change sysadmins' passwords.