Q: What are these rtlocal group names I see in RT?
Answer
We are using the group naming convention rtlocal-* for groups that exist in RT locally, but do not exist in Moira or LDAP (and therefore are not synchronized to RT from LDAP). There are very few of these groups.
Why they exist
The common case is needing to grant privileges to RT "users" who are not actually users in LDAP. We still prefer to do this via groups, but since these "users" cannot be synchronized from LDAP they require a local RT group. An example of when this is necessary is when a queue wants to use an email alias or mailing list as a virtual user in RT. For example, you might want to set a mailing list as an owner on an RT ticket, in which case RT needs to treat this email address as a user, not a group.
Implementation
This is only a convention. Technically there's nothing preventing someone from creating an rtlocal- group in Moira, in which case its membership would be synchronized with RT. However, this is unlikely. The intended use of the rtlocal- naming convention is to identify groups local to RT without matching groups in Moira.
Why not oldrt?
We intend to phase out oldrt-* groups from RT over time. These are legacy groups necessary to accommodate the upgrade to RT 4 and the introduction of LDAP integration. However, some groups local to RT will be necessary in the steady state, and we want to differentiate these from the migration legacy groups.