Granular level user permissions for tickets

  • Used Zammad version: 3.3
  • Used Zammad installation source: source
  • Operating system: Linux
  • Browser + version: Chrome 83

We use zammad as an internal ticketing system within a security operations centre, so we don’t really have any external customers and we have only one team. At the moment, we use the agent (security analyst) who created the ticket in the customer field as this field is mandatory. So whenever an analyst is dealing with a security event, they would create a new ticket and put themselves down as the customer and the owner, unless someone else has to work on the event/ticket in which case the owner would be different.

The problem we have is, sometimes an analyst is required to work on a ticket exclusively with the chief information security officer (CISO), and no other analyst should be able to see this ticket (or maybe one other) due to sensitivity of the incident. I have not seen this level of granular permissions for tickets where only a selected number of users can see and work on a particular ticket.

As a workaround, I set up groups for each analyst and the CISO (e.g. Analyst A + CISO, Analyst B + CISO) and also one group with everyone in it where tickets normally gets raised for wider visibility, and also overviews to go with them.

Now if we need further visibility on a restricted ticket, then we will need other combinations of groups.

So I was wondering if there is an easier way where for each ticket you can have a selected group of agents/users that can see and work on it.

Our zammad system died a month ago unfortunately so I’m standing up a new one, and I want to take the opportunity to configure things the right way from the start. Any configuration is possible (again, we don’t have customers but can use this capability if it helps our scenario).

Ultimately we’re not using zammad as it was originally intended - as a customer helpdesk system - but rather we’re using it to capture our events as tickets internally and record things with custom fields etc., as the UI and zammad’s versatility is above any other system out there. So I don’t expect features like this to be built in but any advice to achieve our intended system with custom configurations is much appreciated!

Expected behavior:

Be able to assign permissions for individuals on a more granular ticket basis - so only selected users can view/change a ticket.

Actual behavior:

Currently this requires separate groups for each combination of users

Steps to reproduce the behavior:

Not sure what to write here tbh!

I’m afraid that the only security level Zammad offers is group based permissions.
Permissions on individual tickets are not possible and proberbly would require a lot of custom code.

Personally I think that this will stay this way a very long time, because adding ticket based permissions would stack up complexity alot which usually is something we try to avoid.

Right now your workaround is the best approach.
Sorry for the bad news.

1 Like

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.