where I thought I could restrict the tickets returned, used, in the index data provider. But then I also need to have rules in place for view, update, delete, so the user can’t access others' tickets if he tries to edit the URL directly.
Is the Controller rule the best place for this? If so, what am I doing wrong? If not, what would you recommend?
You can add a condition to the dataProvider query to load specific user records only. For other actions with a single model, you can add a condition to the findModel function for the current user.
It can be done by RBAC as well, with customization, but it depends on the use case: for multi-level access we need RBAC, but for 1- or 2-level access we can handle it by query.
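The query-level approach from the reply above, as an added example that is not part of the original thread: the index data provider and `findModel()` both filter on the current user's id, so editing the id in the URL returns a 404 instead of another user's ticket. The `app\models\Ticket` model and its `user_id` owner column are assumed names.

```php
<?php
// Added example, not code from the thread. Assumed names: app\models\Ticket
// (an ActiveRecord) and its user_id owner column.
namespace app\controllers;

use Yii;
use app\models\Ticket;
use yii\data\ActiveDataProvider;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\NotFoundHttpException;

class TicketController extends Controller
{
    public function behaviors()
    {
        return [
            // Authenticated users only ('@'), so user->id is never null below.
            'access' => [
                'class' => AccessControl::class,
                'rules' => [['allow' => true, 'roles' => ['@']]],
            ],
        ];
    }

    public function actionIndex()
    {
        // The list only ever contains the current user's tickets.
        $dataProvider = new ActiveDataProvider([
            'query' => Ticket::find()->where(['user_id' => Yii::$app->user->id]),
        ]);
        return $this->render('index', ['dataProvider' => $dataProvider]);
    }

    public function actionView($id)
    {
        return $this->render('view', ['model' => $this->findModel($id)]);
    }

    // Single lookup meant to be shared by view, update and delete.
    protected function findModel($id)
    {
        // Ownership is part of the lookup: another user's ticket id yields 404,
        // the same response as a ticket that does not exist.
        $model = Ticket::findOne(['id' => $id, 'user_id' => Yii::$app->user->id]);
        if ($model === null) {
            throw new NotFoundHttpException('The requested page does not exist.');
        }
        return $model;
    }
}
```

Update and delete actions get the same protection only if they also load the record through `findModel()`. For update, keep `user_id` out of the model's safe attributes so a posted form cannot reassign ownership.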