User management on customer basis

Infos:

  • Used Zammad version: 3.4
  • Used Zammad installation source: package
  • Operating system: Debian 10
  • Browser + version: Firefox 80

Expected behavior:

We are currently evaluating the implementation of Zammad in our IT-Helpdesk environment. Our major customers have up to 120 employees and every one of them should be able to create tickets. Therefore everyone needs an account. We are unable to manage all of them manually (team of 4). Therefore we’d like to know if it is possible to create key management accounts to externalize this task to the customer side. These accounts should be able to manage users from their own company, so we don’t have to initially create and manage every user. But these must not be able to view users of other companies (due to GDPR regulations).

Alternatively, users should be synced (incl. password) from the customer’s Active Directory - this would reduce user management to the AD side (like Azure Connect - to sync users between “on premise AD” and Office 365).

Actual behavior:

Situation unclear.

It looks like there is just one global user management list, where all users are listed to every user with management rights. Permission granularity is not fine enough to achieve this setting.

It also looks like it is not possible to connect multiple Active Directories.

Welcome to the Zammad universe,

Zammad does not allow synchronization from multiple LDAP sources, this is correct.
This leaves you with, in my opinion, three possible options:

  • allow your customer to create a helpdesk account when it’s needed (this happens automatically if an unknown user sends you a mail)
    • downside: local password is required within Zammad
    • downside: no synchronization whatsoever
    • pro: externalized the task to the individual user of your customer
    • other persons not being your customers may also create an account manually
    • relevant docs: https://admin-docs.zammad.org/en/latest/settings/security.html
  • provide Office 365 login for your users (outdated documentation)
    • pro: single sign-on like, no local password in Zammad needed
    • downside: all Microsoft accounts can be used for such a task
    • downside: no synchronization beforehand
    • downside: The documentation to this part is highly deprecated at the moment ;-(
  • CSV import your users ( https://admin-docs.zammad.org/en/latest/manage/users.html )
    • this can also be automated via API if needed ( https://docs.zammad.org/en/latest/api-intro.html )
    • pro: allows synchronization
    • downside: local passwords again, password synchronization only possible if you know the user’s password (I’m sure you don’t want to know :wink: )
    • downside: Initially a burden to create an API script or export the CSV to import it to Zammad

That’s the poison Zammad currently is able to let you choose from.
Possibly also SAML ( https://admin-docs.zammad.org/en/latest/settings/security/third-party/saml.html ) could be an option for you, not sure though!


Please also note that you should never provide customers agent-like access permissions!
Zammad does not provide a per group or per organization user database. The user database is global which means that as soon as you’re allowed to manage users, you potentially can see them all. I’m sure you don’t want that.

You could work around the above situation with a lot of custom API scripts, but right now I’m sure it’s not worth this effort. Especially if your team is rather “small” in comparison to the user base you’re supporting.
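As an added illustration of the API-based import mentioned in the answer (not code from the thread or from the Zammad project): a provisioning step run by the helpdesk team that takes a roster from one customer's key contact and keeps it inside that customer's tenant, so nobody on the customer side needs user-management rights on the global user database. The function names, the sample roster and the domain allow-list are hypothetical; the `/api/v1/users` path, the payload fields and the `Token token=` header are assumptions to verify against the API documentation linked above.

```python
import csv
import io
import json
import urllib.request

CUSTOMER_ROLE = "Customer"  # customer-side accounts never get Agent or Admin

# Constructed sample roster as a customer's key contact might submit it.
SAMPLE_ROSTER = """firstname,lastname,email,roles,organization
Ada,Example,ada@acme.example,,
Bob,Example,Bob@Acme.Example,Admin,Other Corp
Mallory,Example,mallory@other.example,,
Ada,Example,ada@acme.example,,
"""

def build_user_payloads(roster_csv, organization, allowed_domains):
    """Return (accepted payloads, rejected rows) for one customer's roster."""
    accepted, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(roster_csv)):
        email = (row.get("email") or "").strip().lower()
        local, _, domain = email.rpartition("@")
        if not local or "@" in local or domain not in allowed_domains:
            rejected.append((email, "domain not assigned to this customer"))
        elif email in seen:
            rejected.append((email, "duplicate row"))
        else:
            seen.add(email)
            accepted.append({
                "login": email,
                "email": email,
                "firstname": (row.get("firstname") or "").strip(),
                "lastname": (row.get("lastname") or "").strip(),
                # Tenant and role are fixed here; roster columns are ignored.
                "organization": organization,
                "roles": [CUSTOMER_ROLE],
            })
    return accepted, rejected

def create_users(base_url, api_token, payloads):
    """POST each payload to the users endpoint (assumed: /api/v1/users)."""
    for payload in payloads:
        req = urllib.request.Request(
            f"{base_url}/api/v1/users",
            data=json.dumps(payload).encode(),
            headers={"Authorization": f"Token token={api_token}",
                     "Content-Type": "application/json"},
            method="POST",
        )
        urllib.request.urlopen(req).close()

if __name__ == "__main__":
    ok, bad = build_user_payloads(SAMPLE_ROSTER, "Acme GmbH", {"acme.example"})
    print(len(ok), "accepted;", bad)
```

The API token stays with the helpdesk team; the customer's contact only ever supplies the roster, and rejected rows go back to them for correction.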