Help with ACL Access Control Lists

rvaldomir
Znuny expert
Posts: 155
Joined: 04 Aug 2014, 23:59
Znuny Version: 3.3.8
Real Name: Roberto A. Valdomir

Help with ACL Access Control Lists

Post by rvaldomir »

Hi,

I defined a couple of ACLs to filter the possible ticket state depending on the current ticket state.

Seems to be working but some cases are getting in a loop, any help to solve this?

Here is my ACL.pm, placed under Kernel/Config/Files/:

Code:

    
    ##########################################################################
    # Statemachine - Incident

    # If state is Analyze
	$Self->{TicketAcl}->{'ANALYZE_STATE'} = {
        Properties => {
            Ticket => {
                State   => [ 'Analyze', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ 'Assignee Requires More Information','Placed on Hold by Assignee','Work in Progress', ],
            },
        },
    };
	
	# If state is Not Sumbited
	$Self->{TicketAcl}->{'NOT_SUMITED_STATE'} = {
        Properties => {
            Ticket => {
                State   => [ 'Not Sumbited', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ 'Ready for Review','Cancelled', ],
            },
        },
    };
	
	# If state is Ready for Review
	$Self->{TicketAcl}->{'READY_OR_REVIEW'} = {
        Properties => {
            Ticket => {
                State   => [ 'Ready for Review', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ 'Analyze','Out of Scope','Cancelled', ],
            },
        },
    };

	# If state is Waiting for an Action
	$Self->{TicketAcl}->{'WAITING_FOR_AN_ACTION'} = {
        Properties => {
            Ticket => {
                State   => [ 'Waiting for an Action', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ 'Analyze', ],
            },
        },
    };
	
	# If state is Out of Scope
	$Self->{TicketAcl}->{'OUT_OF_SCOPE'} = {
        Properties => {
            Ticket => {
                State   => [ 'Out of Scope', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ ],
            },
        },
    };
	
	# If state is Opened by Error
	$Self->{TicketAcl}->{'OPENED_BY_ERROR'} = {
        Properties => {
            Ticket => {
                State   => [ 'Opened by Error', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ ],
            },
        },
    };

	# If state is Pending Requestor Signoff
	$Self->{TicketAcl}->{'PENDING_REQUESTOR_SIGNOFF'} = {
        Properties => {
            Ticket => {
                State   => [ 'Pending Requestor Signoff', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ 'Analyze', 'Pending Auto Close', ],
            },
        },
    };	
	
	# If state is Cancelled
	$Self->{TicketAcl}->{'CANCELLED'} = {
        Properties => {
            Ticket => {
                State   => [ 'Cancelled', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ ],
            },
        },
    };	
	
	# If state is Auto-Hard Closed
	$Self->{TicketAcl}->{'AUTO-HARD_CLOSED'} = {
        Properties => {
            Ticket => {
                State   => [ 'Auto-Hard Closed', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ 'Ready for Review', ],
            },
        },
    };
	
	# If state is Closed Successful
	$Self->{TicketAcl}->{'CLOSED_SUCCESSFUL'} = {
        Properties => {
            Ticket => {
                State   => [ 'Closed Successful', ],
            },
        },
        Possible => {
            Ticket => {
                State => [  ],
            },
        },
    };
	
	# If state is Closed Unsuccessful
	$Self->{TicketAcl}->{'CLOSED_UNSUCCESSFUL'} = {
        Properties => {
            Ticket => {
                State   => [ 'Closed Unsuccessful', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ 'Ready for Review', 'Work in Progress', ],
            },
        },
    };
	
	# If state is Pending Auto Close
	$Self->{TicketAcl}->{'PENDING_AUTO_CLOSE'} = {
        Properties => {
            Ticket => {
                State   => [ 'Pending Auto Close', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ 'Auto-Hard Closed', ],
            },
        },
    };
	
	# If state is Work in Progress
	$Self->{TicketAcl}->{'WORK_IN_PROGRESS'} = {
        Properties => {
            Ticket => {
                State   => [ 'Work in Progress', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ 'Pending Requestor Signoff', 'Assignee Requires More Information', 'Placed on Hold by Assignee', 'Waiting for an Action', ],
            },
        },
    };
	
	# If state is Placed on Hold by Assignee
	$Self->{TicketAcl}->{'PLACED_IN_HOLD_BY_ASSIGNEE'} = {
        Properties => {
            Ticket => {
                State   => [ 'Placed on Hold by Assignee', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ 'Work in Progress', 'Pending Auto Close', ],
            },
        },
    };
	
	# If state is Assignee Requires More Information
	$Self->{TicketAcl}->{'ASSIGNEE_REQUIRES_MORE_INFORMATION'} = {
        Properties => {
            Ticket => {
                State   => [ 'Assignee Requires More Information', ],
            },
        },
        Possible => {
            Ticket => {
                State => [ 'Work in Progress', 'Pending Auto Close', ],
            },
        },
    };
    1;
​Roberto A. Valdomir
Mobile: (+598) 93 868 147 | Skype: roberto.a.valdomir
@roberto.valdomir | re.vu/robertovaldomir

----------------------------------------------------------------------------------------
OTRS 3.3.8 | RHEL 6 x64 | Oracle 11g | Custom Development by OTRS365
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Help with ACL Access Control Lists

Post by crythias »

First, reference
Without extensive review of the code, it seems that you're restricting the field that you're changing.

Look at "PropertiesDatabase" versus "Properties". The former references what is already stored in the database for the ticket. The latter references what's on the web page (javascript).
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
rvaldomir
Znuny expert
Posts: 155
Joined: 04 Aug 2014, 23:59
Znuny Version: 3.3.8
Real Name: Roberto A. Valdomir

Re: Help with ACL Access Control Lists

Post by rvaldomir »

Thanks crythias for your response.

I forgot to clarify that the idea is to apply those kinds of filters when you are in the compose ticket form or answering it.

My idea is to restrict the next possible state when you are updating a ticket depending on the current state.

As I understand from the link you mentioned, it is for a process to run in the background. True?

Thanks again.
​Roberto A. Valdomir

Re: Help with ACL Access Control Lists

Post by crythias »

rvaldomir wrote: the idea is to apply those kinds of filters when you are in the compose ticket form or answering it.
That's essentially the only place where ACLs are applied, yes. (Javascript/AJAX in any OTRS web form).
rvaldomir wrote: I understand from the link you mentioned, it is for a process to run in the background. True?
I'm not sure how to answer your question. The web form uses AJAX to query the server to validate the ACL "OnChange" of the fields that trigger ACL checks, which is most of the fields. You'll notice spin icons to the right of ACL and group affected fields when a trigger field is changed.

If you ask me if ACL is processed AFTER the form is submitted, no. ACL is for live filtered showing of form data.
rvaldomir wrote: restrict the next possible state when you are updating a ticket depending on the current state.
Yes, but the current state is either the state in the database or the state on the screen. If you're creating a fresh ticket, you can and should only provide states (ACL Possible) that are valid for the form (FrontEnd Action). You can indicate in the ACL the form(s) to which the ACL applies (FrontEnd Action). It doesn't make sense on new ticket creation to be limited to next states.

Then, if you answer a ticket, you probably only want to have valid next states based upon the ticket's current database next state (PropertiesDatabase), not any human changed state on the screen (Properties). That is, if the ticket is currently (PropertiesDatabase) State Analyze, then, and only then are the next states the applicable possible.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
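
Added example (not part of the original posts and not OTRS project code): the state machine from the first post rebuilt with PropertiesDatabase, as the reply above suggests, generated from one transition table and checked for targets that have no rule of their own. The helper names and the `$Self` stand-in are assumptions; state names are used as posted, with the inconsistent spellings normalised.

```perl
use strict; use warnings;

# State stored in the database => states offered as the next state.
# Transitions follow the ACL.pm posted above, with target spellings normalised.
my %NextStates = (
    'Not Sumbited'                       => [ 'Ready for Review', 'Cancelled' ],
    'Ready for Review'                   => [ 'Analyze', 'Out of Scope', 'Cancelled' ],
    'Analyze'                            => [ 'Assignee Requires More Information', 'Placed on Hold by Assignee', 'Work in Progress' ],
    'Work in Progress'                   => [ 'Pending Requestor Signoff', 'Assignee Requires More Information', 'Placed on Hold by Assignee', 'Waiting for an Action' ],
    'Waiting for an Action'              => [ 'Analyze' ],
    'Placed on Hold by Assignee'         => [ 'Work in Progress', 'Pending Auto Close' ],
    'Assignee Requires More Information' => [ 'Work in Progress', 'Pending Auto Close' ],
    'Pending Requestor Signoff'          => [ 'Analyze', 'Pending Auto Close' ],
    'Pending Auto Close'                 => [ 'Auto-Hard Closed' ],
    'Auto-Hard Closed'                   => [ 'Ready for Review' ],
    'Closed Unsuccessful'                => [ 'Ready for Review', 'Work in Progress' ],
    ( map { ( $_ => [] ) } 'Out of Scope', 'Opened by Error', 'Cancelled', 'Closed Successful' ),
);

# One ACL per state. PropertiesDatabase matches the state saved for the ticket,
# so selecting another state in the form does not change which ACL matches.
sub BuildStateAcls {
    my ($Transitions) = @_;
    my %Acl;
    for my $State ( sort keys %{$Transitions} ) {
        ( my $Name = uc $State ) =~ s/[^A-Z0-9]+/_/g;
        $Acl{$Name} = {
            PropertiesDatabase => { Ticket => { State => [$State] } },
            Possible           => { Ticket => { State => [ @{ $Transitions->{$State} } ] } },
        };
    }
    return \%Acl;
}

# "from -> to" pairs whose target has no rule of its own (typically a typo).
sub UnknownTargets {
    my ($Transitions) = @_;
    my @Unknown;
    for my $From ( sort keys %{$Transitions} ) {
        push @Unknown, map { $From . ' -> ' . $_ } grep { !exists $Transitions->{$_} } @{ $Transitions->{$From} };
    }
    return @Unknown;
}

my $Self = { TicketAcl => {} };    # stand-in; in ACL.pm OTRS provides $Self
my @Unknown = UnknownTargets( \%NextStates );
die "No rule for target state(s):\n  " . join( "\n  ", @Unknown ) . "\n" if @Unknown;
$Self->{TicketAcl} = BuildStateAcls( \%NextStates );
print scalar( keys %{ $Self->{TicketAcl} } ), " state ACLs defined\n";
```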

Re: Help with ACL Access Control Lists

Post by rvaldomir »

Hi crythias,

It works with PropertiesDB. Thanks!

Just one more question:

I want to limit possible actions to users, disabling

-Lock
-Priority
-Free Fields
-Link
-Owner
-Responsible
-Customer
-Phone Call Outbound
-Phone Call Inbound
-Pending
-Close

if a ticket is closed.

Based on this example from the manual

Code:

    $Self->{TicketAcl}->{'102-Second-Example-ACL'} = {
        # match properties
        Properties => {
            # current ticket match properties
            Ticket => {
                Queue => ['Raw'],
            }
        },
        # return possible options (white list)
        Possible => {
            # possible ticket options (white list)
            Ticket => {
                State => ['new', 'open', 'pending reminder'],
            },
        },
        # return also not possible options (black list)
        PossibleNot => {
            # not possible action options
            Action => [ 'AgentTicketClose' ],
        },
    };

The next solution could work, but "Action" is not available with "PossibleNot":
example.png
​Roberto A. Valdomir

Re: Help with ACL Access Control Lists

Post by crythias »

Note that text/written configs still function, so there's that. Also most clickable actions on the web interface have group properties, so group membership can be used instead of ACL unless you need ACL conditions to disable.

Re: Help with ACL Access Control Lists

Post by rvaldomir »

I would like to use ACL because administration will be easier to understand for the next admin, and users<->groups is disabled; I'm only using users<->Roles.
​Roberto A. Valdomir
wurzel
Znuny guru
Posts: 3273
Joined: 08 Jul 2010, 22:25
Znuny Version: x.x.x
Real Name: Florian

Re: Help with ACL Access Control Lists

Post by wurzel »

Hi,

Search in sysconfig for PossibleNot and find TicketACL or similar.

There you can define Action for PossibleNot.

Works fine. :)

Flo
OTRS 2025 SILVER (Prod)
OTRS 2025 on Debian 12 (Test)
Znuny 7.x latest version testing on Debian 12

-- I do not answer forum questions by PM - No PM please

I won't answer to unfriendly users any more. A greeting and regards are just polite.
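
Added example (not part of the original posts and not OTRS project code): the closed-ticket restriction asked about above, written as a text config for ACL.pm with `PossibleNot` on `Action`, in the same form as the manual example quoted in the thread. The mapping from menu entries to frontend module names, the ACL name, the choice of which states count as closed, and the `$Self` stand-in are assumptions.

```perl
use strict;
use warnings;

# Ticket menu entry (as listed in the post above) => frontend module it opens.
# Assumption: module names as registered in a default agent interface.
my %MenuAction = (
    'Lock'                => 'AgentTicketLock',
    'Priority'            => 'AgentTicketPriority',
    'Free Fields'         => 'AgentTicketFreeText',
    'Link'                => 'AgentLinkObject',
    'Owner'               => 'AgentTicketOwner',
    'Responsible'         => 'AgentTicketResponsible',
    'Customer'            => 'AgentTicketCustomer',
    'Phone Call Outbound' => 'AgentTicketPhoneOutbound',
    'Phone Call Inbound'  => 'AgentTicketPhoneInbound',
    'Pending'             => 'AgentTicketPending',
    'Close'               => 'AgentTicketClose',
);

# Assumption: these states from the first post are the ones treated as closed.
my @ClosedStates = ( 'Closed Successful', 'Closed Unsuccessful' );

my $Self = { TicketAcl => {} };    # stand-in; in ACL.pm OTRS provides $Self

$Self->{TicketAcl}->{'900-CLOSED-TICKET-ACTIONS'} = {
    # match on the state stored for the ticket, not the value shown in the form
    PropertiesDatabase => { Ticket => { State => [@ClosedStates] } },
    # actions removed while the ticket is in one of those states (black list)
    PossibleNot => { Action => [ sort values %MenuAction ] },
};

print "$_\n" for @{ $Self->{TicketAcl}{'900-CLOSED-TICKET-ACTIONS'}{PossibleNot}{Action} };
```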

Re: Help with ACL Access Control Lists [solved]

Post by rvaldomir »

Solved:
solution.png
​Roberto A. Valdomir