LDAP Users not receiving role permissions when added



  • Used Zammad version: 2.6
  • Used Zammad installation source: (source, package, …) RPM
  • Operating system: RHEL 7.5
  • Browser + version: Firefox 63

Expected behavior:

  • When users are synced via LDAP where there is a role mapping configured to assign them to the correct department, I would expect that those users are automatically assigned permissions as set in the role itself.

Actual behavior:

  • I’ve just added a new department to our Zammad and have added 16 agents via LDAP sync. Each of the added users appears in the correct role as per the mapping but has no permissions assigned. I am having to manually touch each user record to add them in before they can access the correct ticket stream. I would have thought that the point of asking for role based permissions at the role level was so that users subsequently placed in that role would inherit those permissions. Otherwise what’s the point of it being there?

Am I missing a setting somewhere or does this just not work correctly?

Steps to reproduce the behavior:

  • Run LDAP Sync

My shot in the dark is that the user rights on the role are not correct. Because if the role assignment is based on your role, then the LDAP sync is just running fine.

So in the roles section for each role I have set up permissions. Below is an example of the role permissions for IT Agent:


Here is how the LDAP Groups are assigned to roles:

I would expect that if an LDAP user is in the security group for, say, IT Agents and Zammad matches it as such, then the rights assigned to that role would propagate to the user that is added.

Hopefully I’m being clear.


Do I understand you correctly that your agent is a member of the group “zammad_it” that’s assigned to the Zammad role “IT Agent”?

In your case, Zammad does not apply the role to the agent?

Yes you understand correctly. It applies the role as an agent okay by the looks of it, just not the permissions that are assigned to the role.

If Zammad applies the role correctly and it has correct rights, there shouldn’t be any trouble.
This might be a temporary caching problem or an invalid role configuration.

The highlighted option needs to be set in order for the group rights to be effective within a role.

Just to confirm, the agent role is ticked in the permissions list for the group.

When using role based group permissions (like, let’s say, read for group “2nd level”) you also need to tick “agent - Access to Agent tickets based on Group Access” on that role in order to make the group rights work. Otherwise it is ticked, but not working (by design).
