Active Directory, assign users to zammad groups

Infos:

  • Used Zammad version: 2.9
  • Used Zammad installation source: (source, package, …) Ubuntu Package
  • Operating system: Ubuntu 18.04
  • Browser + version: any

I have successfully imported my users from Active Directory and found the appropriate setting to assign the Agent’s Role only to AD-users from a sepcific AD-group.

However, I need help to assign my agents to specific groups in zammad. So this is what I need:
Users in AD-group “Departement 1” should be synced to “Departement 1” group in zammad;
Users in AD-group “Departement 2” should be synced to “Departement 2” group in zammad;
And while Agents from Departement 1 & 2 have only access to their own groups in zammad, Users in AD-group “admin” should have read/write access in all zammad groups.

Hey @LittleNo,

what did you try so far and what exactly is your problem?
Everything you want to do should be possible.

https://admin-docs.zammad.org/en/latest/manage-groups.html
https://admin-docs.zammad.org/en/latest/manage-roles.html
https://admin-docs.zammad.org/en/latest/manage-overviews.html
https://admin-docs.zammad.org/en/latest/integrations/ldap.html

cheers

I’m aware of those docs.

So this is what I did: I successfully setup LDAP to pull my agents from Active Directory. However, they are granted read/write access to the default group “users” and I have to manually grant access to their desired group. Since all users are already in a matching group in Active Diretory, I wanted to automate that process.

Another point I didn’t understand yet: where can I assign a ticket to a specific group? is it possible to transfer tickets between groups? Same question for overviews: can I create overviews that are only available to a specific group or user?

You’re mixing up groups/roles a little.

You need to create roles. Inside those roles you define access rights to groups.
In the ldap config you map directory groups to roles exactly one time - with every ldap sync the users gets automatically assigned to the configured roles based on their directory group.

You don’t add users to groups in zammad. You just give them a role which has rights to certain groups.

I’m sorry, i don’t mean to be harsh but all that is wirtten in those docs - that’s why i linked them.

ok got it.

I now assigned the AD-group to my role and re-synced with the AD. The users in zammad appear successfully in the designated role. However it did not copy the access permission to the group that was set for that role:

You can’t see the access rights on the user site.
As long as the user has the tick on said role it’s perfectly fine.

ok, I just verified that with a test-user

However, these two are not answered by the docs:

  • is it possible to move a ticket between groups?
  • for users with write-permissions in more than one group, the group has to be selected for each created ticket (if not done thru the incoming channel) Is it possible to pre-select a default group?

Umm… yes it is, as long as your agent is allowed to do so.
I wasn’t aware that an explicit note of that is needed, a Pull Request for the place you think fits best is highly welcome!

Yes and no.
The only option (apart from Triggering that stuff which makes not so much sense) is to use Ticket Templates ( http://user-docs.zammad.org/en/latest/advanced/ticket-templates.html ). Those templates are only available within ticket creation and can hold more than just a pre selected group.

I’m not sure what would be the best place, I just can tell where I looked for it: in the Ticket-instructions and in the Group-description

Template’s are a nice feature, however in this case it safes the agent only one click. Manually selecting a group and owner means 4 clicks, selecting a template with pre-set group and user is 3 clicks. In my scenario I have agents with admin privileges on other groups besides their own, however in normal workflow they create tickets only within their own group. So a lot of unnecessary clicks for them. Currently I solved that issue by giving them an additional accout for their admin-tasks, but to me thats not an elegant way.

Ah I see, that’s where you crashed.
Maybe the following link helps you to understand the right system within Zammad:
https://admin-docs.zammad.org/en/latest/manage-roles.html#agent

This documentation part surely isn’t perfect at the moment, as this overlaps with “Users”. I’m planning to optimize that part in the future. I could think of adding a note regarding the role system to “Groups” as well, do you think this would have helped?

I’m afraid, there’s no way of doing that natively in the UI at the moment - sorry about that.