Problems with "without full" permissions


  • Used Zammad version: 5.0.3
  • Used Zammad installation type: package
  • Operating system: Ubuntu
  • Browser + version: Firefox 96

Actual behavior:

  • According to the documentation, the meaning of full authorization is defined as follows.

Steps to reproduce the behavior:

Under ticket.agent, if you give an agent all permissions except Full, he should not actually be assigned any tickets in this group; better said, he should not be able to assign the ticket to himself, and so far this is also correct. But the agent, who should not have any permission to take the ticket, need only select his own group, and then it becomes possible to take himself as owner, which virtually bypasses this and steals the ticket.

In my opinion, if he doesn’t have full permissions, then owner selection AND group selection must not be available to him, otherwise it doesn’t make sense.

The real problem is that the agents in a company must be able to write notes in any ticket outside their group, for other agents (this is guaranteed with change permissions in Zammad), but they must not be allowed to take the ticket to themselves or to their group. This is possible under OTRS and other ticket systems, but in Zammad it is very difficult to refine the permissions.

That does not make any sense.
If I can write in the group of question, I of course must be able to set the group accordingly.

But that makes sense. If you have given an agent “Change” authorization, he can obtain full authorization by switching the ticket to his own group.

Likewise, the “Role Management” permission is equal to full admin rights, because the agent can obtain this permission himself.

It must be prevented that an agent obtains full authorization for his own benefit.