combination of IP and user access

[srinirgk]

We are actually using the OTRS version 3.1.18. We use it for receiving customer queries.

Out of that i have a queue subscribed for receiving sensitive contents(Card numbers).

I have given access to very few people to use the OTRS too inside a PCI zone. Now we would like to use the OTRS (web based), outside the PCI room. In order to do so, i would like to block the queue's that contains the card numbers, for the same users.

Is it possible to do any configuration to create a scenario like, see all the queues in PCI room and see the other queues(except the sensitive data queues) outside the PCI room ? Few are saying that, it is technically feasible ? could any one give their thoughts ????

Thanks in Advance.

[crythias]

No. The best you can do without programming is to use different usernames off and on.

Additionally, you can possibly use HTTPAuth to restrict logins

http://httpd.apache.org/docs/current/mo ... ml#require

Basically,
http://httpd.apache.org/docs/current/mo ... authzalias

Code: Select all

AuthType Basic
AuthName "PCI restriction"
AuthBasicProvider file
AuthUserFile (file list of Auth users)
AuthGroupFile (file list of groups)
<RequireAll>
   Require ip cardroomipaddress
   Require group pciusersgroup
</RequireAll>
Require not group pciusersgroup

This is an untested example, but may or may not work. There are likely syntax and other issues that don't apply to you.

[srinirgk]

Thanks crythias.

To get it cleared, did you meant that we can able to authenticate users based on IP? If that is possible then that will be a clear solution for me.

~Srinivas

[crythias]

did you meant that we can able to authenticate users based on IP?

Not exclusively by IP. You still have to provide a valid user and password *at* that IP address. But more or less, I think "yes" ... you can restrict who logs in at a given IP address.

Note also that it's possible to use ldap/active directory groups within this authentication. See the apache documentation.