To be able to provide Power-Users or Admins also accesses to the Admin section, you have to enable the permissions to it. But sadly as a default, only the admin group is allowed to modify it. Here you will learn how to configure it, to be accessible to other users too.
Your knowledge prerequisites to this article
- How to change and deploy Setting in System Configuration
- How to create Groups and Roles
Recommended naming schema for the Groups and Roles
We recommend to define a naming schema for the privilege level and the experience level in Znuny, OTRS or OTOBO. We recommend to use something like the following:
Group and Role namings
- Admin
this are Administrators, who clearly know what may happen if they change settings on the Admin area. Here you shall only add experienced Znuny, OTRS or OTOBO admins, who have major experiences on the Admin functions. Basically a smaller subset of the Admin Group itself - PowerUser
we use this as a set of users, who shall be able to define things for the organizations or the team. Who maybe a first contact to a internal team, before he escalates it further to the Admins.
E.g. we often use PowerUser to add users, which may require to define Templates and Attachment to Templates mappings and Template to Queue mappings. - and so on
Permission level naming schema
Even if Znuny is right now not using properly the permission system for the CRUD (create, read, update and delete) operations, you shall be prepared to name your Groups accordingly. We use following schema here:
- readOnly
like the name states, only allowed to see/read what is configured, but no permissions to modify at all - createModify
like this name states additionally to the read, the user is allowed to create or modify configurations or settings - createModifyDelete
additionally the permission to delete settings or configurations
Creating the required permission and authorizations mapping
We have Users, Groups and Roles. Sadly it there is no standard for this mappings. Znuny has choosen to use Groups for mapping permissions to it. E.g. you can only assign a queue to a group. Instead to be able to assign a Queue to a Authorization and to map this authorization to a group of users.
But it is as it is, so we have to cope with it…
Create a new groups for the access to Admin menu
For the further processing we assume we want to add settings to allow editing of the Generic Agents for non admin users. For this we define following new groups to allow Admin users to edit the GenericAgent rules
- Grp_Admin_GenericAgent-readOnly
- Grp_Admin_GenericAgent-createModify
- Grp_Admin_GenericAgent-createModifyDelete
How to add the new groups?
Open the Group administration UI https://<yourOtrsUrl>/index.pl?Action=AdminGroup or via this steps:
- open menu Admin
- click on Group in Section Users, Groups & Roles (on OTRS Agent Management)
- click on Add Group
- add a new group Grp_Admin_GenericAgent-createModify with validity valid
- Save and finish
- Repeat the above steps for the Groups Grp_Admin_GenericAgent-createModifyDelete and Grp_Admin_GenericAgent-readOnly
Define new Role(s) to represent your permission and authorizations to your org
You shall define a Role, which maps your business Roles to groups. E.g. we recommend to define a Role with the name
Open the Role administration UI https://<yourOtrsUrl>/index.pl?Action=AdminRole or via this steps:
- open menu Admin
- click on Roles in Section Users, Groups & Roles (on Znuny / OTRS Agent Management)
- click on Add Role
- add a new role Role_Admin_GenericAgent with validity valid
- Save and finish
- Repeat the above steps for the role Role_PowerUser_GenericAgent
Assign groups to roles
Finally we need to assign the groups to our roles in following manner. This is done at https://<yourOtrsUrl>/index.pl?Action=AdminRoleGroup or via this steps:
- open menu Admin
- click on RolesRoles ↔ Groups in Section Users, Groups & Roles (on Znuny / OTRS Agent Management)
- click on your role Role_Admin_GenericAgent
- and add the required permissions to your Role by following pattern:
- Role_Admin_GenericAgent
having the groups assigned- Grp_Admin_GenericAgent-createModify
- Grp_Admin_GenericAgent-createModifyDelete
- Grp_Admin_GenericAgent-readOnly
- Role_Admin_GenericAgent
- Save and finish
Finally repeat the same for this
- Role_PowerUser_GenericAgent
having the group assigned- Grp_Admin_GenericAgent-readOnly
Assign roles to your corresponding users
Finally you need to assign a role to your specific users at https://<yourOtrsUrl>/index.pl?Action=AdminRoleUser or via this steps:
- open menu Admin
- click on Agents ↔ Roles in Section Users, Groups & Roles (on Znuny / OTRS Agent Management)
- click on your user and assign him the wished role
Giving access to a module like Generic Agent
Modules like Generic Agent can be enhanced to check the permission system. Typically all modules under the menu Admin are only accessible by the Admin group.
General module permissions in Znuny, OTRS and OTOBO
The configuration system is separated into basically to parts.
- Who can access the navigational Admin menu/area
- Who can access a module like Generic Agent
Configure access to Admin menu/area
You first need to allow your new created group to access the Admin section at all. This section contains all the Admin Modules. One of the Modules is the Generic Agent and will be explained in the later chapter.
Make Admin menu visible and clickable to a group
With this settings you are enabling the Menu Admin to display for additional groups (beside of default “admin” group)
Go to the Admin menu
- open menu Admin
- click on System Configuration in Section Administration
- search here for the value Frontend::Navigation###Admin###001-Framework
- now add in the block “Group” a new row on the same level as the “admin” group already added there, with your group name Grp_Admin_GenericAgent-createModify
- repeat the same for the other groups too
Make Admin Frontend/UI accessible to group
This allows access to the Frontend Admin Module itself. Execute the same steps as before but now with: Frontend::Module###Admin instead of Frontend::Navigation###Admin###001-Framework
Configure now the modules Generic Agent for access to the groups
For this read the article Allow non-Admins access to Generic Agent OTRS / Znuny?
Related articles
Allow non-Admins to access Templates in OTRS / Znuny
Allow non-Admins access to Generic Agent OTRS / Znuny?