The issue of permissions raises the question of how private are these tickets? The field permission module handles the EDIT and VIEW permissions on the fields within the nodes, but not of the node in general. Granted, it's not very interesting to view a node without permissions to view the fields within the node. Nevertheless, I wanted to set things up so that users could not even see a node title (a field that I could not control permissions on).
So here is how I handle keeping nodes private. Again, Rules to the rescue. . . .
If it's true that when the content is being viewed that the node author is NOT the current user, and if it's also true that the current user is NOT a user with the role of admin, then the would-be viewer of the node is redirected to the front page.
I ask you, is there any problem that can't be solved with RULES?