Closed terdinatore closed 3 years ago
Thanks for this, @terdinatore. I am sure it will be helpful for others.
It really depends on your needs and honestly the only authentication method I did not use with Zammad is 'HTTP Token'.
I prefer to add an Application in Zammad under Settings -> API -> Applications (OAuth Authentication)
and to use that in favor. Also no extra user or role is required, as far as I am aware. But it is also a while ago that I set up the last connection, it is running smoothly as it is.
Are there any other permissions (not) needed? Could there be a way to structure the plugin without needing Manage Groups and Manage Tags?
I see the point that you want to limit the permissions. However, it depends on what you want to do via API. If you just want to embed the chat it will be different to a use case where you want to have a comprehensive form that sets tags to tickets. I would need to investigate which permissions are required at least, did not use a limited account so far.
Below I wrote down / summarized, how I think in best practice an HTTP Token should be generated.
Manage Groups, Manage Tags, Manage Users, Access to Chat, Access to Agent Tickets, Manage Access Tokens and Manage Notifications
Access to Agent Tickets
give the role only the permission to create tickets for every group and nothing else. This is for two reasons. First, this way you can make sure that if the token gets leaked no one can read the tickets on your instance, second, this way users that have the Connector role do not show up in Zammad as they cannot have tickets assigned to them.
Manage Token Access and Manage Notifications. Give the token a name and set a suitable expiry date for the token. Click Create. Copy the token and close the window. Switch back to the administrator account.

@ouun What do you think? Are there any other permissions (not) needed? Could there be a way to structure the plugin without needing Manage Groups and Manage Tags? Also, is there any advantage in using an OAuth token instead of HTTP?