Under ticket.agent, if you give an agent all permissions except Full, it should not actually be assigned any tickets in this group; better said, he should not assign the ticket to himself. So far, all of this is correct. But the agent, who should not have any permission to take the ticket, can only select his own group, and then it will be possible to set himself as owner, which can virtually bypass this and steal the ticket.
In my opinion, if he doesn’t have full permissions, then owner selection AND group selection must not be available to him, otherwise it doesn’t make sense.
The real problem is that the agents in a company must be able to write notes in any ticket outside their group, for other agents (this is guaranteed with change permissions in Zammad), but they must not be allowed to take the ticket for themselves or for their group. This is possible under OTRS and other ticket systems, but in Zammad it is very difficult to refine the permissions.
That’s not true.
You require administrative permissions to update agent accounts.
“Normal” agents can never, at no point, provide role or group based permissions to other users.
If you allow updating the ticket, the agent will of course be able to change the group as this is part of updating the ticket.
This is working as intended. If you can’t trust your agents in this regard, maybe the person shouldn’t be an agent or have “sensitive” permissions.
If you feel this is wrong, feel free to open a feature request here:
However, note that your approach is bringing a lot more complexity into the product, which we actually try to avoid.