Ticketing Access Control List (ACLs)

Learn how to manage Ticketing ACLs with Merge's unified API


Overview

An ACL (Access Control List) is a security feature used in systems (e.g., networking, file systems, databases) to define which users or systems can access specific resources and what actions they can perform on them.

Key Components of an ACL in Merge's Ticketing API

  1. The subject requesting access: Users or Teams (a group of users)

  2. The object to be accessed: Tickets and Collections (a group of tickets)

  3. The permissions allowed: Roles

All of the following have read access to a Ticket:

  1. Assignees: Users or Teams that are directly responsible

  2. Viewers: Users or Teams with any level of access (e.g., assignees and followers)

How to determine ticket access

How to determine if an individual or a team has access to a specific ticket

  1. Fetch all tickets of interest: GET /tickets

  2. Determine users that have access to a Ticket

    1. Use GET /ticket/{ticket_id}/viewers, which returns a list of Permission objects. Each one points to the id of a User or Team that is a viewer of the Ticket with the given id.

  3. Use the team query param on the Users object (GET /users?team={team_id}) to return the list of Users associated with each team that has access to the ticket
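The procedure above ends with a mix of direct user grants and team grants, so an access review needs the teams expanded into individual users. The following is an added example, not code from Merge: the `user` and `team` field names on the Permission objects, the sample data, and the `fetch_team_users` callable (a stand-in for GET /users?team={team_id}) are all assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real Merge responses). The "user" and "team"
# field names on each Permission object are assumptions for illustration.
SAMPLE_VIEWERS = [
    {"id": "perm-1", "user": "user-alice", "team": None},
    {"id": "perm-2", "user": None, "team": "team-support"},
    {"id": "perm-3", "user": None, "team": "team-empty"},
    {"id": "perm-4", "user": None, "team": None},  # malformed: points at nothing
]
SAMPLE_USERS_BY_TEAM = {
    "team-support": [{"id": "user-alice"}, {"id": "user-bob"}],
    "team-empty": [],
}


def sample_fetch_team_users(team_id):
    """Hypothetical stand-in for GET /users?team={team_id}."""
    return SAMPLE_USERS_BY_TEAM.get(team_id, [])


def resolve_ticket_readers(viewers, fetch_team_users):
    """Expand a ticket's viewer Permission objects into individual users.

    Returns (readers, skipped). readers maps user id -> sorted list of grant
    sources ("direct" or "team:<id>"), so a reviewer can see why access
    exists. skipped lists Permission ids that named neither user nor team.
    """
    grants = defaultdict(set)
    skipped = []
    team_cache = {}
    for perm in viewers:
        user_id, team_id = perm.get("user"), perm.get("team")
        if not user_id and not team_id:
            skipped.append(perm.get("id"))  # never treat as a grant
            continue
        if user_id:
            grants[user_id].add("direct")
        if team_id:
            if team_id not in team_cache:  # one lookup per team
                team_cache[team_id] = fetch_team_users(team_id)
            for member in team_cache[team_id]:
                grants[member["id"]].add(f"team:{team_id}")
    return {uid: sorted(src) for uid, src in grants.items()}, skipped


def can_read(user_id, viewers, fetch_team_users):
    """Default-deny check: True only if the user appears in the expansion."""
    readers, _ = resolve_ticket_readers(viewers, fetch_team_users)
    return user_id in readers
```

Keeping the grant source per user shows whether removing someone from a team actually revokes access or whether a direct grant remains.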

How to determine ticket assignment

How to determine which individuals or teams are assigned to a specific ticket

  1. Fetch all tickets of interest: GET /tickets

  2. Users: see the ticket.assignees field

  3. Teams: see the ticket.assigned_teams field

How to determine available user actions

How to determine what level of access a user has been granted for a specific ticket

  1. The Roles Common Model is used to get all roles available in Merge

  2. The Merge User.roles Common Model relates a User to their role(s)

  3. The Merge Ticket.roles Common Model indicates the roles that have access to this ticket and the specific actions they permit (e.g., read, write)

  4. To relate users to their ticketing roles, query the Users endpoint and filter on users with those specific roles: GET /users?role={role_id}

Considerations

  • Overrides: Ticket-level permissions override collection-level permissions

  • Field-level ACLs: Merge does not support permissions at the field level. Only a few systems, like ServiceNow, support field-level permissions. If you would like to maintain access at the field level, consider having each individual authenticate using their own credentials. That way, permissions are maintained by the third-party platform.
