-
Notifications
You must be signed in to change notification settings - Fork 738
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Agent role permissions are ignored when there is only a single group #3437
Comments
Sorry, but this seems to be a technical question. In case this turns out the be a bug and no technical question, we'll transfer the relevant information to this repo! If you require commercial grade support and are no hosted or support contract customer, you can check out our support contracts here: https://zammad.com/pricing#selfhosted |
I am a bit confused about how the above can be construed as a question as I feel I have described a defect in the permissions model. I have also now raised it over on the Community Forum for a second opinion. Thanks. |
It's rather a feature request than a technical question, still, it should life on the community board first. |
I'm sorry but I respectfully disagree. Although we only need one logical Group for tickets, we require different levels of permissions for agents accessing that group. Some agents require read/write so that they can respond to customers, others just need read access so that they can view case updates. That second class of users should not be able to modify tickets in any way. It would appear that Zammad does not support that based on my report above, but the situation is made worse by the fact that the UI suggests that it is (you can assign role based permissions to a single group). This gives a false sense of security and introduces a silent elevation of privilege for agents that would appear to only have read only access according to the configuration in the UI. |
@MrGeneration I don't understand why this means it's not a bug? you've got silent privilege escalation here. The fact that you don't see "usually™" see it because you expect users to use groups in a certain way really doesn't change that, especially if this isn't documented anywhere. It's frankly a little concerning to see security issues dismissed out of hand. For clients using Zammad in security-critical contexts this is a massive red flag. |
I agree that the documentation may not point this out directly, however, if you have one group only, you'll by default have access as any agent user to that group. I would agree that it's a bug to provide a permission setting for the single group in question. I'm sorry. |
@MrGeneration Thank you for your patience whilst we discuss this issue. I appreciate it. I don't think I'm going to be able to make much further progress here but I want to take one more go to try and explain why this is an issue. I feel like the point of my argument is being lost.
That doesn't make sense, when you have implemented a role based access control system where multiple different categories of "Agents" can be defined with different access levels. Zammad easily lets me create an agent role that has full access to tickets, write-access, read-only access etc. Why should my "read-only" agents be forced to have full access when there is only one Zammad group and read-only access when there is two Zammad groups? That seems completely arbitrary. Stated differently, for organisations that only need one Group (let's say a Support group), Zammad won't allow them to use role-based access control for their agents. ALL agents in the organisation, regardless of their role permissions will be granted FULL access to all tickets. Conversely, an organisation with two Groups (lets say a Support group and Sales group), Zammad will allow them to use role based access control for their agents. The number of groups (logical containers of tickets) that a customer has, should have no impact on the ability to enforce access control. I can't think of any way that behavior could be deemed "by design" rather than a bug. |
So we've been digging deeper and were talking about this topic. It's correct we by default expects full permissions for single groups. The issue actually lays hidden in the UI. Your user has a hidden full permission set for your one group. |
Infos:
Expected behavior:
Actual behavior:
Steps to reproduce the behavior:
In summary: When there is only one group, Zammad behaves as if there is a hidden "FULL" group permission on user accounts which have the Agent permission enabled. This overwrites the explicit role based group permission. Only after creating a second group to "reveal" the implicit access control, can you correct the situation.
Yes I'm sure this is a bug and no feature request or a general question.
The text was updated successfully, but these errors were encountered: