How to reset or remove the owner of an OTRS ticket? - otrs

Is there any way to remove the owner of a ticket?
I want to be able to remove the owner in the following cases:
- ticket closed => owner shall be none
- ticket was answered by a specific person, but the next operation shall be handled by the full team => owner shall be none after the person has set the ticket into a specific state?

I have already tried to use the generic agent, but the GenericAgent is only able to set a specific agent, not to reset it. Or do I not understand something well?
Preferably I want to have the option in the generic agent, so I can automate some tasks.

You can set the owner to the system user "Admin OTRS" aka "root@localhost", for example via the Perl API. [ getUserID(), TicketOwnerSet() ]
"next operation shall be handled by the full team" - this happens automatically when the ticket gets unlocked. And then you have lock timeouts to automatically unlock.

Related

Google Workspace Archived user suspended

I'm using Directory API to fetch users.
Some archived users are returning Suspended = True and others Suspended = False. How can it happen? From my understanding an archived user can't be Suspended.
Moreover, when I look at my admin page both of them are Suspended (image below).
Can anyone explain to me why this is happening, and if it's normal, is there any risk if an archived user is not suspended?
If you open the image you can see inside the red box that both users are suspended. Yes, for sure:
```json
{
  "kind":"admin#directory#user",
  "id":"10901XXXXXX620",
  "etag":"\"SEQQBYC70u6XXXXNYw6b0a5EzY0mTMShjiZga8A/yP85WF6T0tk9a_pgQVEqRq9kHtY\"",
  "primaryEmail":"ad....#aaa.com",
  "name":{
    "givenName":"Aaaa",
    "familyName":"John",
    "fullName":"Aaaaa John"
  },
  "isAdmin":false,
  "isDelegatedAdmin":false,
  "lastLoginTime":"2022-01-10T20:35:25.000Z",
  "creationTime":"2020-10-15T22:40:55.000Z",
  "agreedToTerms":true,
  "suspended":false,
  "archived":true,
  "changePasswordAtNextLogin":false,
  "ipWhitelisted":false,
  "emails":[
    {
      "address":"ad....#aaa.com",
      "primary":true
    }
  ],
  "languages":[
    {
      "languageCode":"pt",
      "preference":"preferred"
    }
  ],
  "customerId":"C00pnlc1u",
  "orgUnitPath":"/Suspensos",
  "isMailboxSetup":true,
  "isEnrolledIn2Sv":true,
  "isEnforcedIn2Sv":true,
  "includeInGlobalAddressList":true,
  "thumbnailPhotoUrl":"https://www.google.com/s2/photos/private/AIbEiAIAAABDCPSAwvv50PWPfSILdmNhcmRfcGhvdG8qKDFhZWFiOTk4NzM5NDY1MjJlOWE4MmE0ODgxMzc3MjM4MzJiYzYyNDUwAUuoUxHJzf7midKhUvdRVmS3n2UE",
  "thumbnailPhotoEtag":"\"SEQQBYC70u6XQ2UUjmjNYw6b0a5EzY0mTMShjiZga8A/hU3SJUEhoSHtQtx1ZyG7nXFnWgw\"",
  "recoveryEmail":"aaaa#gmail.com"
}
```
What you can see in the red box in the screenshots is just the organizational unit where the user has been located in the Admin console; however, that is just a name for the OU and does not reflect the actual user status.
The user status can be seen below the user's profile picture as you can see in the following screenshot:
As you can see the name of the OU is Test OU Suspended, but the user status is Active so the name of the OU does not reflect the user status.
So in your case this means that the user was archived correctly but is not necessarily suspended. Now to answer your question:
> Can anyone explain to me why this is happening, and if it's normal, is there any risk if an archived user is not suspended?
You may not need the user to be suspended as it has already been archived. When archiving a user, it enters into a partial suspension state where, according to the official documentation, this is what happens to the archived account:

> - Can’t sign in to their Google Account, on any system. This includes Google Workspace services, such as Gmail, Google Calendar, and Drive.
> - Don’t appear in the Global Address List. In user directory listings, the user appears with archived status. Learn about the Global Address List.
> - Can be deleted or unarchived, but not suspended in the Admin console.

The documentation also mentions the following:

> You can archive both active and suspended users. If you unarchive a user, they return to their previous state and regain access to all their previous data.

In conclusion, there is nothing wrong whether the user is suspended or not. If an archived user returns True in the Suspended parameter when using the API, this is just to save the status it had before being archived, so that in case you decide to unarchive it later on it returns to that specific state.
References:
How AU licensing works
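
The distinction drawn in the answer above can be checked across a whole directory listing. The following is an added example, not part of the original answer: it reads the `archived`, `suspended` and `orgUnitPath` fields shown in the question and reports which archived accounts would become active again if unarchived, and which accounts sit in an OU whose name suggests suspension while the account is active. The sample records and the OU-name heuristic are constructed assumptions.

```python
import json

# Constructed sample in the shape of a Directory API users.list response.
SAMPLE = json.loads("""
{"users": [
 {"primaryEmail": "a@example.com", "archived": true,  "suspended": false, "orgUnitPath": "/Suspensos"},
 {"primaryEmail": "b@example.com", "archived": true,  "suspended": true,  "orgUnitPath": "/Suspensos"},
 {"primaryEmail": "c@example.com", "archived": false, "suspended": false, "orgUnitPath": "/Test OU Suspended"},
 {"primaryEmail": "d@example.com", "archived": false, "suspended": true,  "orgUnitPath": "/Staff"}
]}
""")

def current_state(user):
    """Archived takes precedence: an archived user cannot sign in at all."""
    if user.get("archived"):
        return "archived"
    return "suspended" if user.get("suspended") else "active"

def state_after_unarchive(user):
    """The stored 'suspended' flag is the state an archived user returns to."""
    if not user.get("archived"):
        return None
    return "suspended" if user.get("suspended") else "active"

def ou_name_suggests_suspension(user):
    # Heuristic chosen for this example (an assumption): OU path contains "susp".
    return "susp" in user.get("orgUnitPath", "").lower()

def audit(users):
    """Return one finding per user, with notes for the cases worth reviewing."""
    findings = []
    for u in users:
        state, after, notes = current_state(u), state_after_unarchive(u), []
        if after == "active":
            notes.append("regains access if unarchived")
        if state == "active" and ou_name_suggests_suspension(u):
            notes.append("OU name suggests suspension, account is active")
        findings.append({"email": u["primaryEmail"], "state": state,
                         "after_unarchive": after, "notes": notes})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE["users"]):
        print(f)
```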

Approver doesn't see Approval state items in Sitecore Workflow

I want to test out the Sample Workflow in Sitecore 8. This is what I have done so far:
- Inserted the sample workflow in the standard values of the template
- Created two test users: Test Editor and Test Approver
- Created two roles: SubmitionRole and ApprovalRole
- In Security Editor I assigned Read, Write access including the 3 workflow rights to the Draft state for the SubmitionRole role and assigned this role to Test Editor
- In Security Editor I assigned Read, Write access including the 3 workflow rights to the Awaiting Approval and Approved states for the ApprovalRole role and assigned this role to Test Approver
Then I created an item from that template with the Test Editor and the item went into the Draft state. So I submitted the item in the Workbox.
Now when I log in with the Test Approver, there's nothing in the Workbox. I can see the Workflow and its Approval State in the Workbox, but there's nothing inside it. As admin I can see the item waiting in the Approval state.
Here is a screenshot of the Access Viewer for the Test Approver:
What am I missing here?
Ensure that your user/role has language read and write access to the relevant item languages located under /sitecore/system/Language. The Language Read and Language Write are a separate set of fields which you can expose in the Security Editor by selecting them from the "Columns" option. The content approval role needs both Language Read and Language Write on the relevant language items:
You don't need to assign Write access to the workflow state items (Awaiting Approval and Approved). This means that ApprovalRole is allowed to edit those items, not items in that state.
What you need to set is:
- Workflow State Write for the Awaiting Approval state (controls whether or not a user can update items which are currently associated with a specific workflow state)
- Workflow Command Execute for the commands below Awaiting Approval state which should be allowed for the role (controls whether or not a user is shown specific workflow commands)
- Write access to the item itself (the one that was submitted from the Draft state to the Awaiting Approval state).
And that should be it.

Use persistent cookie to subscribe to an eventsource?

In this question, Worklight: Push notification without User ID, the given answer was to subscribe a persistent cookie userID with the event source. My question is: how can I do this? How can I use the userID given by the cookie (I already got the userID) to subscribe to my eventSource? I can't seem to find this anywhere on the internet.

There are additional questions you need to ask yourself before looking into what you wrote.
- Are you using Worklight 6.2 or above?
- Are you looking to send generic information (i.e. not sensitive, per-user data (like bank account balance and the like))?
If the answer is 'yes' for both of the above, do not bother yourself with event source-based notifications. Instead, use either broadcast or tag-based notifications (tags = "topics of interest"). Using this approach does not require any additional work on your part other than actually sending the notification.
You can take a look at the documentation:
Developer Center: https://developer.ibm.com/mobilefirstplatform/documentation/getting-started-6-3/notifications/push-notifications-hybrid-applications/
Knowledge Center: http://www-01.ibm.com/support/knowledgecenter/SSHS8R_6.3.0/com.ibm.worklight.dev.doc/devref/t_tag-based_notifications_setting_up.html
In the following answer you can find an example for broadcast notifications (broadcast notification is a form of tag-based notifications): https://stackoverflow.com/a/27881423/1530814

How to deal with deep level granularization with XACML in enterprise application

I am using IS WSO2 for authorization with XACML. I am able to achieve authorization for static resources. But I am not sure about the design when it comes to granularization.
Example: if I have a method like getCarDetails(Object User) where I should get only those cars which are assigned to this particular user, then how do I deal with this in XACML?
WSO2 provides support for PIP where we can use custom classes which can fetch data from a database. But I am not sure if we should either make a copy of the original database at the PDP side or give the original database to the PIP to get updated with live data.
Because cars would be dynamic for the application, e.g. currently 10 cars are assigned to user Alice. Suddenly the supervisor adds 20 more cars to his list, which will be in the application-level database. Then how will these other 20 cars be automatically assigned in the policy at PDP level until it also has this latest information?
I may be making some mistake in understanding. But I am not sure how to deal with this, as in the whole application we can have lots of this kind of complex scenario where sometimes we will get data for one user from more than 4 or 5 tables; then how to handle that scenario?

Your question is a great one and the answer will highlight the key benefits of XACML and externalized authorization as a whole.
In XACML, you define generic, global rules, about what is allowed and what isn't using what I would call high-level attributes e.g. attributes of the vehicle (in your case) or the user (role, department, ...)
For instance a simple rule could be (using the ALFA syntax):
```
policy viewCars{
    target clause actionId=="view" and resourceType=="car"
    apply firstApplicable
    rule allowSameRegion{
        permit
        condition user.region==car.region
    }
}
```
Both the user's region and the car's region are maintained inside the application's database. The values are read using a PIP or Policy Information Point (details here).
In your example, you talk about direct assignment, i.e. a user has been directly assigned to a vehicle. In that case, the rule would become:
```
policy viewCars{
    target clause actionId=="view" and resourceType=="car"
    apply firstApplicable
    rule allowAssignedVehicle{
        permit
        condition user.employeeId==car.assignedUser
    }
}
```
This means that the assigned user information must be kept somewhere, in the application database, a CSV file, a web service, or another source of information. It means that from a management perspective, an administrator would add / remove vehicles from a user's assigned list (or perhaps the other way around: add / remove assigned users from a vehicle's assigned user list).
The XACML rule itself will not change. If the supervisor adds 20 more cars to the employee's list (maintained in the application-level database), then the PDP will be able to use that information via the PIP and access will be granted or denied accordingly.
The key benefit of XACML is that you could add a second rule that would state a supervisor can see the cars he/she is assigned to (the normal rule) as well as the cars assigned to his/her subordinates (a new proxy-delegate rule).
This diagram, taken from the Axiomatics blog, summarizes the XACML flow:
HTH, let me know if you have further questions. You can download ALFA here and you can watch tutorials here.
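
The point made in the answer above, that the rule stays fixed while the PIP reads live assignment data, can be shown with a small model. This is an added example, not code from the original answer, WSO2 or Axiomatics: the `DatabasePIP` class, the table layout and the `get_car_details` filter are hypothetical, and an in-memory SQLite database with constructed rows stands in for the application database.

```python
import sqlite3

class DatabasePIP:
    """Policy Information Point: resolves attributes from the live application DB."""
    def __init__(self, conn):
        self.conn = conn

    def user_employee_id(self, login):
        row = self.conn.execute(
            "SELECT employee_id FROM users WHERE login = ?", (login,)).fetchone()
        return row[0] if row else None

    def car_assigned_users(self, car_id):
        rows = self.conn.execute(
            "SELECT employee_id FROM assignments WHERE car_id = ?", (car_id,))
        return {r[0] for r in rows}

def pdp_evaluate(request, pip):
    """viewCars policy: permit if user.employeeId == car.assignedUser."""
    if request["actionId"] != "view" or request["resourceType"] != "car":
        return "NotApplicable"
    employee_id = pip.user_employee_id(request["userId"])
    if employee_id is not None and employee_id in pip.car_assigned_users(request["carId"]):
        return "Permit"
    return "NotApplicable"  # no rule matched; a deny-biased PEP refuses access

def get_car_details(login, pip, conn):
    """PEP side: return only the cars the PDP permits for this user."""
    car_ids = [r[0] for r in conn.execute("SELECT id FROM cars ORDER BY id")]
    return [c for c in car_ids
            if pdp_evaluate({"actionId": "view", "resourceType": "car",
                             "userId": login, "carId": c}, pip) == "Permit"]

def build_demo_db():
    """Constructed sample data standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(login TEXT PRIMARY KEY, employee_id INTEGER);
        CREATE TABLE cars(id INTEGER PRIMARY KEY);
        CREATE TABLE assignments(car_id INTEGER, employee_id INTEGER);
        INSERT INTO users VALUES ('alice', 1), ('bob', 2);
        INSERT INTO cars VALUES (1), (2), (3), (4), (5);
        INSERT INTO assignments VALUES (1, 1), (2, 1), (3, 2);
    """)
    return conn

def assign_car(conn, car_id, employee_id):
    """The supervisor's action in the application: a plain DB write, no policy edit."""
    conn.execute("INSERT INTO assignments VALUES (?, ?)", (car_id, employee_id))
```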

In Windows - API - How to get/use the current user's privileges (or single sign on)

I am using VC++. I am trying to create a "front end" which will create a task and put that in "Windows' native Scheduler". The task's action is invoking a backup app. Every task needs some privileges to execute the given program. I need to assign administrator privileges to this task. I can assure that the front end can be run by admin only. Now I want to assign the current user's (admin) privileges to the task. As far as my digging on the internet/MSDN goes, the API provides the two options below (the 3rd option is my assumption):
1) Provide account name, password for that task.
2) Use flag "TASK_FLAG_RUN_ONLY_IF_LOGGED_ON", and give the administrator "account name", and password as NULL.
3) Single sign on

Now the constraints:
1 -> It is not a good idea to make the client type the admin account name and password frequently.
2 -> The admin account name is not always the same (in XP it is possible to change it). So I can't provide a default admin account name.
3 -> I don't know how to achieve it. The "single sign on" is something like: once you are logged in as admin, then the applications can get the current (logged in) user's privileges.

Searching MSDN for this is like "searching for a needle in a haystack". Somebody, please shed some light on the solution.
Maybe LocalSystem Account
http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx