Problems with "without full" permissions


  • Used Zammad version: 5.0.3
  • Used Zammad installation type: package
  • Operating system: Ubuntu
  • Browser + version: Firefox 96

Actual behavior:

  • According to the documentation, the meaning of full authorization is defined as follows.

Steps to reproduce the behavior:

Under ticket.agent, if you give an agent all permissions except Full, it should not actually be assigned any tickets in this Group; better said, he should not be able to assign the ticket to himself, and so far all is also correct. But the agent, who should not have any permission to take the ticket, can simply select his own group; then it is possible to take himself as owner, which virtually bypasses this and steals the ticket.

In my opinion, if he doesn’t have full permissions, then owner selection AND group selection must not be available to him, otherwise it doesn’t make sense.

The real problem is that the agents in a company must be able to write notes in any ticket outside their group, for other agents (this is guaranteed with change permissions in Zammad), but they must not be allowed to take the ticket to themselves or to their group. This is possible in OTRS and other ticket systems, but in Zammad it is very difficult to refine the permissions.

That does not make any sense.
If I can write in the group of question, I of course must be able to set the group accordingly.

But that makes sense. If you have given an agent “Change” authorization, he can obtain full authorization by switching the ticket to his own group.

Likewise, the “Role Management” permission is equal to full admin rights, because the agent can obtain this permission himself.

It must be prevented that an agent obtains full authorization for his own benefit.

That’s not true.
You require administrative permissions to update agent accounts.

“Normal” agents can never, at any point, provide role or group based permissions to other users.
If you allow updating the ticket, the agent will of course be able to change the group as this is part of updating the ticket.

This is working as intended. If you can’t trust your agents in this regard, maybe the person shouldn’t be an agent or have “sensitive” permission.

If you feel this is wrong, feel free to open a feature request here:

However note that your approach is bringing a lot more complexity into the product which we actually try to avoid.
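The disagreement above comes down to how per-group permissions compose when a ticket changes group. The following is an added example, not Zammad's own code: a deliberately simplified model of group-scoped permissions (read, create, change, overview, full) that reproduces the path the reporter describes (change in group A, full in group B, move the ticket from A to B, then take it) under the current "change implies group change" rule, shows how a stricter rule that ties group and owner changes to full permission on the current group blocks it, and includes an audit check that flags any move where the mover's rights in the target group exceed their rights in the source group. All names, the policy labels and the permission grants are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Group-scoped permission names, modelled after Zammad's group permissions
# (simplified assumption for this example; "full" is treated as implying the rest).
PERMS = {"read", "create", "change", "overview", "full"}

# Per-agent grants: group name -> set of permissions. Constructed sample data.
Grants = dict[str, set[str]]


@dataclass(frozen=True)
class Ticket:
    group: str
    owner: Optional[str] = None


def effective(grants: Grants, group: str) -> set[str]:
    """Permissions an agent holds on tickets in `group`; 'full' expands to everything."""
    perms = set(grants.get(group, set()))
    if "full" in perms:
        perms |= PERMS
    return perms


def can_update(grants: Grants, ticket: Ticket) -> bool:
    """The rule stated in the thread: 'change' on the ticket's group allows updating it."""
    return "change" in effective(grants, ticket.group)


def _require_full_if_strict(grants: Grants, ticket: Ticket, policy: str) -> None:
    # The reporter's proposal: group and owner selection need 'full' on the current group.
    if policy == "strict" and "full" not in effective(grants, ticket.group):
        raise PermissionError("group/owner change requires full permission on current group")


def reassign_group(grants: Grants, ticket: Ticket, target: str, policy: str = "lenient") -> Ticket:
    """Move a ticket to `target`. 'lenient' mirrors the maintainer's description
    (group change is part of updating); 'strict' mirrors the reporter's proposal."""
    if not can_update(grants, ticket):
        raise PermissionError("no change permission on ticket's current group")
    _require_full_if_strict(grants, ticket, policy)
    return Ticket(group=target, owner=ticket.owner)


def take_ownership(grants: Grants, ticket: Ticket, agent: str, policy: str = "lenient") -> Ticket:
    """Set the acting agent as owner, subject to the same lenient/strict rules."""
    if not can_update(grants, ticket):
        raise PermissionError("no change permission on ticket's current group")
    _require_full_if_strict(grants, ticket, policy)
    return Ticket(group=ticket.group, owner=agent)


def gained_permissions(grants: Grants, source: str, target: str) -> set[str]:
    """Audit helper: permissions the mover would hold in `target` but not in `source`.
    A non-empty result on a group change is the signal an auditor would log or alert on."""
    return effective(grants, target) - effective(grants, source)


def move_then_take(grants: Grants, ticket: Ticket, agent: str, target: str,
                   policy: str = "lenient") -> Optional[Ticket]:
    """Run the two-step sequence from the thread. Returns the final ticket if both steps
    are allowed under `policy`, or None if the policy stops it."""
    try:
        moved = reassign_group(grants, ticket, target, policy)
        return take_ownership(grants, moved, agent, policy)
    except PermissionError:
        return None


if __name__ == "__main__":
    # Constructed grants: 'change' but not 'full' in Sales, 'full' in Support.
    bob: Grants = {"Sales": {"read", "change"}, "Support": {"full"}}
    ticket = Ticket(group="Sales")

    print("lenient:", move_then_take(bob, ticket, "bob", "Support", "lenient"))
    print("strict: ", move_then_take(bob, ticket, "bob", "Support", "strict"))
    print("gained on Sales->Support:", sorted(gained_permissions(bob, "Sales", "Support")))
```

Under the lenient rule the sequence ends with the ticket in Support and owned by bob; under the strict rule the first step is refused because bob lacks full in Sales. The `gained_permissions` check is independent of either rule and is the cheapest thing to log or alert on if you keep the lenient behaviour but still want visibility into group moves that expand the mover's rights.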

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.