
Ticketing Access Control List (ACLs)

Learn how to manage Ticketing ACLs with Merge's unified API

Updated over 3 weeks ago

Overview

An ACL (Access Control List) is a security mechanism used across many kinds of systems (networking, file systems, databases) to define which users or systems may access a given resource and which actions they may perform on it.

Key Components of an ACL in Merge's Ticketing API

  1. The subject requesting access: Users or Teams (a group of Users)

  2. The object being accessed: Tickets and Collections (a group of Tickets)

  3. How permissions cascade: the access_level enum field on Tickets and Collections, which indicates where a Ticket's or Collection's access is inherited from

The following subjects have read access to a Ticket:

  1. Assignees: Users or Teams that are directly responsible for the ticket

  2. Viewers: any User or Team with any level of access to the ticket, whether directly assigned to it or tagged as a follower of the ticket or of its collection

How to determine ticket access

How to determine if an individual or a team has access to a specific ticket

  1. Fetch the tickets of interest: GET /tickets

  2. Determine the subjects with direct access to a Ticket

    1. GET /ticket/{ticket_id}/viewers returns a list of Viewer objects; each one points to the User id or Team id of a viewer of the Ticket with the given id.

  3. Expand Team viewers into individual Users with the team query param on the Users endpoint (GET /users?team={team_id}), which returns the Users belonging to a Team that has access to the ticket

  4. Determine the subjects with indirect access to a Ticket from the access_level field on the Ticket object

    1. If access_level = PRIVATE, everyone with access has it directly, so the result of GET /ticket/{ticket_id}/viewers is the complete list.

    2. If access_level = COLLECTION, all Viewers of the ticket's collections also have (indirect) access.

      1. Use GET /collections/{collection_id}/viewers to retrieve the Users and Teams that can view the collection (expand Teams as in step 3)

      2. Check the access_level field on the Collection object to decide whether you must traverse one level higher and include the parent collection's viewers as well; repeat until you reach a collection that does not inherit from its parent.

    3. If access_level = COMPANY, every User at the company can view the ticket.

    4. If access_level = PUBLIC, every User and select external parties can view the ticket.
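The procedure above, carried through as a working resolver. This is an added example, not Merge's own code: the dicts stand in for the responses of the endpoints named on this page (GET /tickets, GET /ticket/{id}/viewers, GET /users?team=, GET /collections/{id}/viewers), the sample data is constructed, and the field names user, team, parent and collections are assumptions about the response shape. It makes two design choices the page implies but does not spell out: a PRIVATE ticket ignores its collections entirely (the ticket-level override), and an access_level value the integration does not recognise fails closed instead of granting anything.

```python
"""Resolve who can read a ticket by following the access_level cascade.

Added example, not Merge's own code.  The dicts below are constructed
stand-ins for the endpoint responses named on this page; the field names
(user, team, parent, collections) are assumptions about the response shape.
"""

from dataclasses import dataclass

# Constructed sample data.  Each dict mirrors one endpoint.
USERS = {"u1": "alice", "u2": "bob", "u3": "carol", "u4": "dave", "u5": "erin"}
TEAMS = {"t1": {"u2", "u3"}}                       # GET /users?team={team_id}
COLLECTIONS = {                                    # Collection objects
    "c_root": {"parent": None, "access_level": "PRIVATE"},
    "c_child": {"parent": "c_root", "access_level": "COLLECTION"},
}
COLLECTION_VIEWERS = {                             # GET /collections/{id}/viewers
    "c_root": [{"user": "u4", "team": None}],
    "c_child": [{"user": None, "team": "t1"}],
}
TICKETS = {                                        # GET /tickets
    "tk1": {"access_level": "PRIVATE", "collections": ["c_child"]},
    "tk2": {"access_level": "COLLECTION", "collections": ["c_child"]},
    "tk3": {"access_level": "COMPANY", "collections": ["c_child"]},
    "tk4": {"access_level": "RESTRICTED", "collections": []},  # not a documented value
}
TICKET_VIEWERS = {                                 # GET /ticket/{id}/viewers
    "tk1": [{"user": "u1", "team": None}],
    "tk2": [{"user": "u1", "team": None}],
}


@dataclass(frozen=True)
class Access:
    scope: str           # "USERS" (enumerable set), "COMPANY" or "PUBLIC"
    users: frozenset     # resolved internal User ids; all of USERS for COMPANY/PUBLIC


def expand_viewers(viewers):
    """Turn Viewer objects into User ids, expanding Team viewers into their members."""
    users = set()
    for viewer in viewers:
        if viewer.get("user"):
            users.add(viewer["user"])
        if viewer.get("team"):
            users |= TEAMS.get(viewer["team"], set())
    return users


def resolve_collection_access(collection_id, seen=None):
    """Viewers of a collection, walking up parents while access_level is COLLECTION."""
    seen = set() if seen is None else seen
    if collection_id in seen:          # a malformed parent chain must not loop forever
        return Access("USERS", frozenset())
    seen.add(collection_id)
    collection = COLLECTIONS[collection_id]
    users = expand_viewers(COLLECTION_VIEWERS.get(collection_id, []))
    level = collection["access_level"]
    if level == "PRIVATE":
        return Access("USERS", frozenset(users))
    if level == "COLLECTION":
        parent = collection["parent"]
        if parent is None:
            return Access("USERS", frozenset(users))
        inherited = resolve_collection_access(parent, seen)
        if inherited.scope != "USERS":
            return inherited           # a company-wide parent widens the whole chain
        return Access("USERS", frozenset(users | inherited.users))
    if level in ("COMPANY", "PUBLIC"):
        return Access(level, frozenset(USERS))
    raise ValueError(f"unrecognised access_level {level!r} on collection {collection_id}")


def resolve_ticket_access(ticket_id):
    """Apply the four-step procedure to one ticket."""
    ticket = TICKETS[ticket_id]
    direct = expand_viewers(TICKET_VIEWERS.get(ticket_id, []))   # steps 2 and 3
    level = ticket["access_level"]                               # step 4
    if level == "PRIVATE":             # ticket-level override: collections are ignored
        return Access("USERS", frozenset(direct))
    if level == "COLLECTION":
        users = set(direct)
        for collection_id in ticket["collections"]:
            inherited = resolve_collection_access(collection_id)
            if inherited.scope != "USERS":
                return inherited
            users |= inherited.users
        return Access("USERS", frozenset(users))
    if level in ("COMPANY", "PUBLIC"):
        return Access(level, frozenset(USERS))
    # Fail closed: a value the integration does not understand must not grant access.
    raise ValueError(f"unrecognised access_level {level!r} on ticket {ticket_id}")


def can_read(user_id, ticket_id):
    """True if the given internal User may read the ticket (external parties not modelled)."""
    access = resolve_ticket_access(ticket_id)
    return user_id in USERS and user_id in access.users


if __name__ == "__main__":
    for ticket_id in ("tk1", "tk2", "tk3"):
        access = resolve_ticket_access(ticket_id)
        print(ticket_id, access.scope, sorted(access.users))
```

In the sample data, tk2 resolves to u1 (direct viewer), u2 and u3 (members of team t1, which views c_child) and u4 (viewer of the parent c_root, reached because c_child's own access_level is COLLECTION), while tk1 in the same collection stays readable by u1 alone. Wire the same functions to real API calls by replacing the dict lookups; keep the fail-closed branch, since new enum values can appear in responses before your integration knows what they mean.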

ENUM values for access_level on Tickets, with their definitions

  • PUBLIC: All internal and select external users and teams can access this ticket

  • COMPANY: All users and teams from the company can access this ticket

  • COLLECTION: Only users and teams who have access to the parent collection can access this ticket

  • PRIVATE: Only a specific subset of users and teams can access this ticket

How to determine ticket assignment

How to determine which individuals or teams are assigned to a specific ticket

  1. Fetch all tickets of interest: GET /tickets

  2. Users: see the ticket.assignees field

  3. Teams: see the ticket.assigned_teams field

Considerations

  • Overrides: Ticket-level permissions override collection-level permissions, so a PRIVATE ticket inside a widely shared collection is still visible only to its own viewers.

  • Field-level ACLs: Merge does not support permissions at the field level; only a few systems, such as ServiceNow, support them. If you need to enforce access at the field level, have each individual authenticate with their own credentials so that the third-party platform enforces its own permissions.
