Let agents edit their own user fields

Infos:

  • Used Zammad version: 3.3.x
  • Used Zammad installation source: deb package
  • Operating system: debian 10
  • Browser + version: various / N/A

Expected behavior:

  • Agent can edit their own User fields (as seen when editing a Customer), but not other Agents’ data.

Actual behavior:

  • Under User -> Profile there are very limited fields. No access to user field editing unless Edit Users permission is granted which lets them edit other Agents, Admins etc.

Steps to reproduce the behavior:

  • N/A

If I have just missed something in the interface please say - but it seems that Agents can’t edit their own user object (like they can to a Customer). This is important so they can manage their own Name, Phone Number etc.
Have I missed it? Or can I edit the config to enable this one way or another?

Thanks,
Phil

Agents can’t set user roles unless you provide them the “users” permission.
Agents can, at all times, edit all user fields except for password and permission settings.

This is because any user potentially can be a customer in Zammad.
This usually shouldn’t be a problem.

As you’re talking about agents being able to edit user rights, I guess they either have administrative rights or at least “user” permission.

Thanks for your reply @MrGeneration - sorry if I wasn’t very clear, and I may just be missing the way to do this.

Short version: When an Agent does Edit Customer they access a modal of User info. Can they access that modal for their own User info?

Longer:

  • An Agent can view a ticket, then Edit Customer and access a modal window where they can set various User fields (screenshot attached).
  • As an Admin I can go to Admin -> Users -> select a user and access a modal window where I can set various User fields.
  • As an Agent I expect to be able to access this same modal to edit my own information, or otherwise edit my own User fields, however I cannot see anywhere I can access it. E.g. Admin -> Profile -> ... is an ‘obvious’ place to look but I don’t see it.

I want / expect an Agent to have rights to manage their own User info (maybe with restrictions), e.g. Mobile number.

Am I missing something?

Thanks for your help,
Phil

By default Admin -> User is an administrative setting which allows to set the following things on top of what an agent can do:

  • Password
  • Roles

Besides that, all agents can -at any time- search for a customer (and yes, they can find themselves) and edit all available meta information of the user - except for roles (permissions) and the password. As technically an agent can be a customer of another group he doesn’t have access to, that’s the way to go.

Zammad does not come with additional logic that checks if the agent is updating his own user and thus provides e.g. the password field on top. Personally I don’t think that this would be a too good idea, because the agent can update the password of the account within the user profile.

Otherwise an administrator couldn’t deny changing passwords to the agent.
–> yes, this can have reasons for example: Using SSO or LDAP only

@MrGeneration Thanks for the detailed reply.

I now realise you can search for people as well as tickets in the search box…

However, when I do this as an Agent, they can select an Agent (including themselves), but don’t have the ability to edit. In the Action dropdown the Edit option only appears when selecting a customer, not when selecting an Agent.
From what you say, it sounds like that should appear. Can you suggest any settings to check that could have affected that?

Many thanks,
Phil

There’s no special permission or magic besides ticket.agent (which is the requirement) for updating users including their own user objects. However, what they can’t do during editing those users is changing their password.

I don’t know what you did, but something seems off here.

Thanks for your continued help.

Unfortunately I have to disagree - I have just done a fresh install in a Deb10 VM with no configuration/customisation. As you can see in https://www.dropbox.com/s/fkq0f1w4v1kvyfj/zammad.mov?dl=0 - an Agent (with ticket.agent) can edit a Customer, but not their own profile/data.

If I assign role admin.user, then the Agent can edit their own profile. However they can change all fields including role and password, and also do this for all users including Admins.

If you have a working example can you share your role config please?

Many thanks,
Phil

1 Like

I’m terribly sorry, you’re absolutely right!
Don’t know where I turned wrong during my last tests, however, agents without admin.user permissions can’t edit any agent or admin account.

I had a talk with devs - this is actually by design - the main reason is that you could technically change your first and lastname to one of your other agents (or worse your boss) and write something “in their name”.

This is potentially a security risk.
While I understand your need and requirement, I’m afraid this is nothing that Zammad will allow at this moment. Personally I think chances are bad that this changes.

So technically you’re right, you’ll need to provide admin.user to trusted agents, with all the downsides.
In my opinion, besides phone numbers and maybe notes, you usually don’t have to change things a lot. Usually this is an admin task. If you have a glimpse on Active Directory for example, you can’t change your own name as well.

Again, I do understand your use case - I’m afraid that’s nothing we can provide at this moment.

I’m sorry for sending you down the wrong way!

Thanks for following up @MrGeneration - I’m glad to have it confirmed that I’m not just missing something!

I completely understand the decision behind this. But for the devs / future consideration I want to just highlight our use case:

  • The fantastic dynamic text in signatures allows us to pull in info from users as well as organisations for our agents. Agent specific data, for example twitter handles (custom field) and phone number are definitely fields that a user should have access to manage as otherwise it just creates management overhead.
  • Also, a user not being able to review their own information makes it hard for them to discover that information is wrong, and so request changes. In our case the user basically has to reply to a ticket, see incorrect information, and then contact an admin - not ideal.

I would propose that an Agent should be able to see their own information as read only at least. Beyond that, it would be ideal if fields (especially custom fields) could be marked as read-only or self-editable so that each org can make their own judgement as to how they manage it. That could include some sensible defaults (or enforced/unchangeable defaults) like not being able to change their own role or name.

Thanks for your time with this.
Phil

2 Likes
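
The per-field self-service rule proposed in the post above, together with the behaviour confirmed earlier in the thread (ticket.agent may edit customers but not agents or admins; admin.user may edit everything), written out as an added example. This is not part of the original posts and is not Zammad's code: the `User` struct, the helper names and the field names are assumptions for illustration; only the permission names `ticket.agent` and `admin.user` come from the thread.

```ruby
require 'set'

# Hypothetical policy sketch: field names and helpers are constructed for
# illustration and are not Zammad's code. Permission names come from the thread.
LOCKED_FOR_SELF = Set['firstname', 'lastname', 'roles', 'password'].freeze
ADMIN_ONLY      = Set['roles', 'password'].freeze

User = Struct.new(:id, :permissions, keyword_init: true) do
  def can?(perm)
    permissions.include?(perm)
  end

  def staff?
    can?('ticket.agent') || can?('admin.user')
  end
end

# Splits a requested update into [allowed_fields, denied_fields].
def authorize_update(actor:, target:, changes:, self_editable:)
  fields = changes.keys.map(&:to_s)
  allowed =
    if actor.can?('admin.user')
      fields                                   # full user administration
    elsif actor.id == target.id
      # Self-service: only fields marked self-editable, and never identity,
      # role or password fields even if an admin marked them by mistake.
      fields.select { |f| self_editable.include?(f) && !LOCKED_FOR_SELF.include?(f) }
    elsif actor.can?('ticket.agent') && !target.staff?
      fields - ADMIN_ONLY.to_a                 # agents editing customers
    else
      []                                       # agent editing another agent/admin
    end
  [allowed, fields - allowed]
end

# Fail closed: reject the whole request if any field is denied.
def update_permitted?(**args)
  authorize_update(**args).last.empty?
end
```

Rejecting the whole request when any field is denied, rather than silently dropping the denied fields, keeps a blocked name change visible to the caller and to audit logs.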

Hey,

thank you very much for your feedback and input in general!

Bests

1 Like