How to setup groups and roles?

Hey all,
I’m a bit puzzled on how to best setup multiple teams and their permissions. This is what I’d like to achive:

  • Zammad is used to internal tickets only (external customer tickets will follow later)
  • having 3 or more teams: e.g. Internal-IT, Customer-IT, QA,…
  • everyone should be able to open tickets for every team
  • everyone should only see the own team tickets. Plus the tickets they are customer for other teams of corse
  • Some employees are member of 2 or more groups (e.g. Customer-IT & QA) and need to maintain both queues
  • a ticket needs to be forwarded from one team to another one (e.g. Customer-IT sends to ticket to QA)
    • ideally Customer-IT should retain access to the forwarded ticket

I’ve already setup 3 groups and members are assigned automatically based on LDAP sync and group membership. Nice feature btw.
Now I’m struggling with the correct roles setup.

  • Is it recommend to create 3 roles (int-it, cust-it, qa) or am I supposed to create one role (int-agent)?
  • How to best and most flexible set permissions?
  • Can multiple teams work simultaneously on the same ticket?
  • Can one team inform another team about a ticket without forwarding it? Like adding more resources to a ticket?

Thanks for your suggestions. Appreciate your help on this.
Best Sebastian

Hello Sebastian

first of all, it must be said that a user cannot be a customer and an agent at the same time. But there is already an issue ob Github:

I would therefore suggest the following:

  • create 3 roles, as you already said correctly (Internal-IT, Customer-IT, QA)
  • each role has full permissions to its own group and create and change permissions for all other groups. Thus tickets can be created in all groups and assigned to all groups but you can only see the tickets of your “own” group.
  • In addition, you can create " Superior Roles" that have read authorization for other groups in addition to full authorization for their own group. This role is conceivable for employees who should have access to all groups.

Can multiple teams work simultaneously on the same ticket?
Yes, they can IF they have the appropriate permissions. To post notes within a ticket, you need read permission. However, it is not possible to assign ONE ticket to several groups at the same time. The way of working is always linear, which means you have to " give and take " the ticket.

Can one team inform another team about a ticket without forwarding it? Like adding more resources to a ticket?
You might consider creating an overview in which certain tickets (with certain properties, such as a selection in an individual object) can be listed. If the other team has overview permissions, these tickets can then be displayed in this overview.
Another type of notification would only be via external emails sent from the ticket.

I hope this has helped a little. If you wish, we can also arrange a telephone meeting to discuss your usecase directly to not give general advice. Feel free to write a ticket with an appointment request to

Hey KoJie,
thanks much for your detailed reply. Your advice on the permissions got me going. The “Superior Roles” are not an option as we sometimes have confidential information in tickets and cant open this information to other teams.
We would then need to ability to set permissons on custom_field or tag, which is currently not available iirc.

The idea to use overviews to share tickets between teams is great. I will look deeper into this option. On the other hand I found a Github issue that would come in handy as well.
In case one mentions the other, permissions should be granted to view the ticket, and possibly inform by mail or whatever. I really like this feature.

As a side question: Is it possible to limit the access to custom_fields? For example my IT team uses ticket custom fields that the other groups dont care about. So would be good to surpress them in other groups than IT.
Thanks again for this great product and the offer to get in touch with you/your team directly.
Best Sebastian

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.