- Used Zammad version: 5.0.3
- Used Zammad installation type: package
- Operating system: Ubuntu
- Browser + version: Firefox 96
- According to the documentation, the meaning of full authorization is defined as follows.
Under ticket.agent, if you give an agent all permissions except Full, it should not actually be assigned any tickets in this Group, better said he should not assign the ticket to himself, as far as all is also correct. But The agent, which should not have any permission to take the ticket, can only select its own group, then it will be possible to take itself as owner, which can virtually bypass this and steal the ticket.
In my opinion, if he doesn’t have full permissions, then owner selection AND group selection must not be available to him, otherwise it doesn’t make sense.
The real problem is that the agents in a company must be able to write notes in any ticket outside their group, for other agents (this is guaranteed with change permissions in Zammad) but they must not be allowed to take the ticket to themselves or to their group. This is possible under OTRS and other ticket systems. but in Zammad is very difficult to refine the permissions