Allow non-Admins to access the Admin menu in OTRS / Znuny / OTOBO

To give Power-Users or other Admins access to the Admin section, you have to enable the permissions for it. Sadly, by default only the admin group is allowed to modify it. Here you will learn how to configure it so that it is accessible to other users too.

Knowledge prerequisites for this article

  • How to change and deploy settings in System Configuration
  • How to create Groups and Roles

Recommended naming schema for the Groups and Roles

We recommend defining a naming schema for the privilege level and the experience level in Znuny, OTRS or OTOBO. We recommend using something like the following:

Group and Role naming

  • Admin
    these are Administrators who clearly know what may happen if they change settings in the Admin area. Here you should only add experienced Znuny, OTRS or OTOBO admins who have major experience with the Admin functions. Basically a smaller subset of the Admin Group itself.
  • PowerUser
    we use this for a set of users who should be able to define things for the organization or the team, and who may be the first contact for an internal team before an issue is escalated further to the Admins.
    E.g. we often use PowerUser for users who need to define Templates, Attachment to Template mappings and Template to Queue mappings.
  • and so on

Permission level naming schema

Even though Znuny does not currently use the permission system properly for the CRUD (create, read, update and delete) operations, you should be prepared and name your Groups accordingly. We use the following schema here:

  • readOnly
    as the name states, only allowed to see/read what is configured, with no permission to modify anything
  • createModify
    as the name states, in addition to read, the user is allowed to create or modify configurations or settings
  • createModifyDelete
    additionally the permission to delete settings or configurations

Creating the required permission and authorization mapping

We have Users, Groups and Roles. Sadly, there is no standard for these mappings. Znuny has chosen to use Groups for mapping permissions. E.g. you can only assign a queue to a group, instead of being able to assign a queue to an authorization and to map this authorization to a group of users.

But it is as it is, so we have to cope with it…

Create new groups for access to the Admin menu

For the rest of this article we assume we want to add settings that allow non-admin users to edit the Generic Agents. For this we define the following new groups to allow Admin users to edit the GenericAgent rules:

  • Grp_Admin_GenericAgent-readOnly
  • Grp_Admin_GenericAgent-createModify
  • Grp_Admin_GenericAgent-createModifyDelete

How to add the new groups?

Open the Group administration UI at https://<yourOtrsUrl>/index.pl?Action=AdminGroup or via these steps:

  • open menu Admin
  • click on Group in Section Users, Groups & Roles (on OTRS Agent Management)
  • click on Add Group
  • add a new group Grp_Admin_GenericAgent-createModify with validity valid
  • Save and finish
  • Repeat the above steps for the Groups Grp_Admin_GenericAgent-createModifyDelete and Grp_Admin_GenericAgent-readOnly

Define new Role(s) to represent the permissions and authorizations of your org

You should define a Role which maps your business roles to groups. E.g. we recommend defining a Role with the name

Open the Role administration UI at https://<yourOtrsUrl>/index.pl?Action=AdminRole or via these steps:

  • open menu Admin
  • click on Roles in Section Users, Groups & Roles (on Znuny / OTRS Agent Management)
  • click on Add Role
  • add a new role Role_Admin_GenericAgent with validity valid
  • Save and finish
  • Repeat the above steps for the role Role_PowerUser_GenericAgent

Assign groups to roles

Finally we need to assign the groups to our roles in the following manner. This is done at https://<yourOtrsUrl>/index.pl?Action=AdminRoleGroup or via these steps:

  • open menu Admin
  • click on Roles ↔ Groups in Section Users, Groups & Roles (on Znuny / OTRS Agent Management)
  • click on your role Role_Admin_GenericAgent
  • and add the required permissions to your Role using the following pattern:
    • Role_Admin_GenericAgent
      having the groups assigned
      • Grp_Admin_GenericAgent-createModify
      • Grp_Admin_GenericAgent-createModifyDelete
      • Grp_Admin_GenericAgent-readOnly
  • Save and finish

Finally, repeat the same for this role:

  • Role_PowerUser_GenericAgent
    having the group assigned
    • Grp_Admin_GenericAgent-readOnly

Assign roles to your corresponding users

Finally you need to assign a role to your specific users at https://<yourOtrsUrl>/index.pl?Action=AdminRoleUser or via these steps:

  • open menu Admin
  • click on Agents ↔ Roles in Section Users, Groups & Roles (on Znuny / OTRS Agent Management)
  • click on your user and assign the desired role

Giving access to a module like Generic Agent

Modules like Generic Agent can be enhanced to check the permission system. Typically all modules under the menu Admin are only accessible by the Admin group.

General module permissions in Znuny, OTRS and OTOBO

The configuration is basically separated into two parts:

  1. Who can access the navigational Admin menu/area
  2. Who can access a module like Generic Agent

Configure access to Admin menu/area

You first need to allow your newly created groups to access the Admin section at all. This section contains all the Admin modules. One of these modules is the Generic Agent, which is explained in a later chapter.

Make Admin menu visible and clickable to a group

With these settings you enable the Admin menu to be displayed for additional groups (besides the default “admin” group).

Go to the Admin menu

  • open menu Admin
  • click on System Configuration in Section Administration
  • search here for the value Frontend::Navigation###Admin###001-Framework
  • in the block “Group”, add a new row on the same level as the “admin” group already listed there, containing your group name Grp_Admin_GenericAgent-createModify
  • repeat the same for the other groups too

Make Admin Frontend/UI accessible to group

This allows access to the Frontend Admin module itself. Execute the same steps as before, but now with Frontend::Module###Admin instead of Frontend::Navigation###Admin###001-Framework.
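
An added example, not part of the original article or of Znuny / OTRS / OTOBO: a Python check that compares the “Group” lists of the two settings above and shows, per agent, which role-derived groups match each setting. The agent names and all group lists are constructed sample data, and the check assumes plain group membership is what counts, ignoring permission types.

```python
# Constructed sample data (not exported from a real system).
# "Group" lists of the two settings the article edits:
NAV_GROUPS = {     # Frontend::Navigation###Admin###001-Framework
    "admin",
    "Grp_Admin_GenericAgent-readOnly",
    "Grp_Admin_GenericAgent-createModify",
    "Grp_Admin_GenericAgent-createModifyDelete",
}
MODULE_GROUPS = {  # Frontend::Module###Admin; readOnly deliberately left out
    "admin",
    "Grp_Admin_GenericAgent-createModify",
    "Grp_Admin_GenericAgent-createModifyDelete",
}
# Role -> groups, modelled on the article's role and group names.
ROLE_GROUPS = {
    "Role_Admin_GenericAgent": {
        "Grp_Admin_GenericAgent-readOnly",
        "Grp_Admin_GenericAgent-createModify",
        "Grp_Admin_GenericAgent-createModifyDelete",
    },
    "Role_PowerUser_GenericAgent": {"Grp_Admin_GenericAgent-readOnly"},
}
# Hypothetical agents and their roles.
USER_ROLES = {"alice": ["Role_Admin_GenericAgent"],
              "bob": ["Role_PowerUser_GenericAgent"],
              "carol": []}

def setting_drift(nav=NAV_GROUPS, module=MODULE_GROUPS):
    """Groups listed in only one of the two settings (should be none)."""
    return {"navigation_only": sorted(nav - module),
            "module_only": sorted(module - nav)}

def effective_groups(user, user_roles=USER_ROLES, role_groups=ROLE_GROUPS):
    """Union of all groups a user receives through assigned roles."""
    groups = set()
    for role in user_roles.get(user, []):
        groups |= role_groups.get(role, set())
    return groups

def admin_area_report(user_roles=USER_ROLES):
    """Per user: role-derived groups that match each setting."""
    report = {}
    for user in sorted(user_roles):
        groups = effective_groups(user, user_roles)
        report[user] = {"navigation": sorted(groups & NAV_GROUPS),
                        "module": sorted(groups & MODULE_GROUPS)}
    return report

if __name__ == "__main__":
    print(setting_drift())
    for user, access in admin_area_report().items():
        print(user, access)
```

Any group reported under navigation_only or module_only was added to one setting but not the other, and any agent with a non-empty list has been given Admin-area access through a role and should be reviewed.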

Now configure the Generic Agent module for access by the groups

For this read the article Allow non-Admins access to Generic Agent OTRS / Znuny?

Related articles

Allow non-Admins to access Templates in OTRS / Znuny
Allow non-Admins access to Generic Agent OTRS / Znuny?

Do you need help with Znuny / OTRS?
We have a lot of experience with OTRS and Znuny and can help you with your issues. Get in touch with us and we will check if and how we can help you.
