User Permissions - How to setup Organization Managers

Hello Team, first of all thank you so much for building such a nice usable product to handle support desks. I’m evaluating the product over last few weeks and it has been great.

The use case I have is as follows: We provide support to multiple Organizations. Each Organization is managed by an Account Manager. Our support agents are common across all organizations. We have created Groups for each category of the agents (Finance, HR, Legal etc.)

I would like to setup access to Account Managers restricted to specific organizations. The moment I assign them agent access and assign them a group, it is giving them access to tickets from all organizations.

How do I setup access where Account Managers can see filtered tickets in the group based on the organization they are assigned to?

Is it an option for the Account Managers to not interact in the tickets?
If yes, then you can create a role “Account Managers” and set the “Access to Customer Tickets based on current_user and organization”. Then set the user “AM1” with the chosen Org and with the role “Account Managers”. Now AM1 only sees tickets for that org, BUT can only do “customer”-stuff on the ticket, open/close and write public notes.

1 Like

Thank you so much @fredrikmagnusson-mf for putting some effort and coming up with an idea. It was frustrating to see no responses.

There are two concerns to your suggested approach:

  • The account managers belong to our organization, so misrepresenting them as belonging to customer organization would violate single source of truth principle.
  • Few account managers are shared for multiple customers, and we cannot set that a user belongs to multiple organizations.

For those having similar requirement, I ended up creating a group for each customer and assigning groups to the account managers. A custom field was added in the ticket object for category, and I created different overviews for each category and within the overview I have assigned the agents who can see those overviews. So Finance agents can see only one overview that lists down finance tickets using the custom category field in the ticket. A roundabout method, but works for now. Whenever a new customer is onboarded, we create an organization, a group, a trigger to auto assign group for that organization and update account manager user to provide access to the group.

You mean account managers of your customer now have agent permissions on groups?
You are aware that this means you’ve created a data privacy issue on your instance?
Agents can find every single existing user in the instance, no matter if they have tickets in a group or not.

Just to make sure.

No no, account managers belong to my company. Accounts are Customers, and Account Managers are my company employees who front-end the customers. Account Managers are like agents, but they don’t actually work on any tickets. They just need to have their finger on the pulse i.e. at any time they should be able to see what tickets came from customer, how many resolved, what are open tickets etc. so that when they talk to customers they have all the info they need.

What I meant when I say I created a group for each customer, I created a group for each customer “Organization”. I know in Zammad you call the Organization users as Customers, where as in a B2B (Business to Business) setup, Customer for the Company is an Organization. Each employee of the organization isn’t called a customer. I mixed up terminology of Zammad and real-life :smiley:

1 Like

Mr Generation, you are talking about my current problem: " Agents can find every single existing user in the instance".
What I am trying to to is, to have multiple Agent-Teams having only permission to defined customers / organizations and their employees.
Will this be on your roadmap? Is there a way to pay for this feature request to get it on your roadmap?
I really like Zammad and the way it has evolved,