Agent ACL and notification

I am running a support company for distinct kind of customers, located around the world.
The team is also worldwide.

Due to several restrictions which are out of interest here, I wonder what the best practices are to be able to have some restrictions/privileges like:

  • an agent MUST NOT view company X ticket at all, or see only the ticket from company X

  • an agent MUST be notified only during her work-hours, also excluding holidays if possible

  • an agent SHOULD be able to follow up on a ticket even if the ticket is moved to a group she’s not supposed to access.

Another real example, an agent on-call may access temporally company tickets, for the duration of the ticket management. It’s a bonus.

I’m sure I can add even more groups and triggers and all, I’m sure also at least some of those points are required by other people here…

See:
https://admin-docs.zammad.org/en/latest/manage/groups/access-levels.html

For the organization based access, this page may help - it technically also applies to organizations:
https://admin-docs.zammad.org/en/latest/manage/users/index.html#user-details-reference

That’s responsibility of your mail server that should enforce that policy on whole scope, don’t you think?
At least that’s how others do it: Keep the mail back until business hours.

If the agent is the ticket customer and has customer permission no problem.
If he’s not, why would the ticket go into a group he’s not allowed to read in but still is supposed to follow up? Sounds like a permission flaw.