The global administrator can create different delegated administrator roles.
Delegated administrator roles can be as simple as having the rights to manage one or more distribution lists or reset forgotten passwords for one or more users, to having domain administration rights on one or more domains.
Two frequently used delegated administrator roles, domain administrator and distribution list administrator, are already defined. You can add administrators to these pre-defined roles with no other configuration necessary.
Delegated administration provides a way to define access control limits on targets and grant rights to administrators to perform tasks on the target.
A target is a {product-name} object on which rights can be granted. Each target is associated with a target type that identifies the type of access control entries you can grant on the target.
When selecting a target type for a target consider the following:
-
Target. Which specific target are you granting rights? For example, if the target type you select is “domain”, which domain do you mean? You specify a specific domain’s name (Target Name = example.com). Access Control Entries (ACE) are granted on that target. An ACE is stored in an LDAP attribute on the target entry.
-
Is the right you want to grant applicable to the selected target type? A right can only be applied on the relevant target type. For example, creating an account can only apply to a domain target type, and the setting passwords can only apply to accounts and calendar resources target types. If a right is granted on a target that is not applicable to the target, the grant is ignored.
-
When defining rights, you need to consider the scope of targets in which granted rights are effective. For example, the right to set the password is applicable only to accounts and calendar resources, but if this right is included in the domain targets list of rights, it is effective for all accounts or calendar resource in the domain.
Table 1. Targets for rights Target Type Description of Target Scope Account
An account entry (a specific user)
Calendar Resource
A calendar resource entry
COS
COS entry
Distribution List
Includes the distribution list and all distribution lists under this distribution list.
If the right is applicable to accounts and calendar resources, all accounts and calendar resources that are direct or indirect members of this distribution list.
Domain
Applicable to a specific domain, not to any sub- domains.
Sub-domains must be explicitly marked as targets.
When domain is the target, the rights are granted for all accounts, calendar resources and distribution lists in the domain.
Config
Grants specific to global config
Global ACL
Administrator rights for all entries in a target type. For example, you could add an ACE to the Global Access Control List (ACL) that grants the right to create accounts on domains.
Delegated administrator accounts that are granted this right can create accounts in all domains in the system.
Server
Server entry
Zimlet
Zimlet entry
Rights are the functions that a delegated administrator can or cannot perform on a named target. Right can be either system-defined or attribute.
Types of system defined rights include:
-
Preset rights (preset). For example, createAccount creates an account; renameDomain, renames the domain.
Preset rights are associated with a fixed target type. For example, createAccount is a right only on a domain; renameAccount is a right on an account; see Server is a right on a server
No other rights are required to administer that action on the target.
Preset rights could involve accessing multiple targets. The grantee needs to have adequate rights on all pertinent targets. For example, to create an alias for an account, the grantee must have rights to add an alias to an account and to create an alias on a domain.
Granting rights at the attribute level allow a delegated administrator/ administrator group to modify or view (or not modify or view) a specific attribute on a target.
Types of attributes rights include:
-
Attribute (
setAttrs) rights allow the domain administrator to modify and view an attribute value. For example, themodifyAccountright allows the domain administrator to modify all attributes of the account. -
Get attribute rights (
getAttrs) let the domain administrator view an attribute value. For example, the getAccount right shows all the attributes for a user’s account.
The specific attribute being granted is configured on the target and the type of permission, read (get) or write (set), is specified.
Attribute rights can be granted in any combination of attributes to grant positive or negative rights. This lets you negate some attributes from a grant.
Combo rights can be assigned to any target type and can include preset rights and attribute rights.You can use combo right to grant multiple attribute rights quickly on targets.
Rights can be either positive or negative. Negative rights are rights specifically denied to a grantee.
-
When a negative right is granted to an admin group, all administrators in the group are denied that right for the target and sub-targets on which the right is granted.
-
When a negative right is granted to an administrator who may or may not be in an admin group, the specific administrator is denied that right for the target and sub-targets on which the right is granted.
An admin group is granted domain administrator rights, including the right to create accounts on Domain1. AdminA is in this admin group, but you want AdminA to have all domain administrator rights, except the right to create accounts. You would grant a negative createAccount right to AdminA on the target Domain1.
For grants on the same level, negative rights always take precedence. For example, AdminGroup1 is granted a positive right to view accounts in a domain; AdminGroup2 is granted a negative right to view accounts in the same domain. AdminA is a member in both admin groups. AdminA cannot view any account in this domain because the negative right takes precedence.
For grants on different levels, the most specific grant takes precedence. For example, AdminA is granted the negative right to view accounts in GroupDistributionList1, which User1 is a member. AdminA is also granted the positive right to view account directly on User1’s account. In this case, AdminA can view User1’s account as the grant on the account target is more specific than the grant on the distribution list.
System rights are listed and described in the Rights folder in the Administration Console Overview pane. You can use the Rights folder to help you define which system-defined rights to grant to delegated administrators. This folder displays the name of the right, the target types associated with that right, the right type and a brief description.
When you select a right on the page and click on it, another page displays more information:
-
For combo rights, a list of the rights associated with the combo right are listed.
-
For the other system rights, a list of attributes associated with the right are listed
Viewing Combo Rights
You can use zmprov commands to view combo rights.
-
Direct sub rights of a combo right
zmprov gr adminConsoleDLRights
-
Second level sub-rights of the combo
zmprov gr adminConsoleDLRights -e
Viewing System Defined Rights Lists
You can use zmprov commands to view system defined rights for a specific
topic:
zmprov Commands
| To View This | Use This zmprov Command |
|---|---|
Account |
zmprov gar -t account |
Calendar Resources |
zmprov gar -t calresource |
COS |
zmprov gar -t cos |
zmprov gar -t dl |
|
Domain |
zmprov gar -t domain |
Global Config [2]
2. All rights for accounts and calendar resources can also be granted on domain targets. All rights for distribution list can also be granted on domain targets. When rights are granted on a domain, the ACEs apply the right to all direct or indirect account calendar resources, and members of the distribution list in the domain.
|
zmprov gar -t config |
Global Grant [3]
3. All rights for all other targets can also be granted on the global targets. When any rights are granted on a global grant entry, the ACEs apply the right to all entries on the system. For example, if you grant a createAccount (which is a domain right) to AdminA on the global grant entry, AdminA can create accounts in all domains on the system.
|
zmprov gar -t global |
Server |
zmprov gar -t server |
Zimlets |
zmprov gar -t zimlet |
Before you create delegated administrators and grant rights, define the role and which rights to assign to the targets the administrator will manage.
For more efficient management of delegated administrators, create administrator groups and add individual administrator accounts to the group. An administrator group allows you to create role-based access control. Administrators with the same or almost the same responsibilities can be grouped into an admin group.
Delegated administration rights can be set up in one of the following methods:
-
Create an administrator or an administrator group and grant rights to the account using the Administrator Wizard.
-
Configure grants on existing administrator accounts. Add new rights or modify rights to an existing delegated administrator or administrator group account.
-
Add, modify and delete rights directly in a target’s Access Control List page.
Administrator and group administrator accounts are created in the Administration Console.
Use the administration wizard to
-
Create the create either an Admin Group or an Admin Account.
-
Admin Groups are distribution lists (DL) that have Admin Groupenabled, which flags it as a delegated administrator DL. After the admin group administrator is created and configured with rights and admin views, you add administrator user accounts to the admin group.
-
Admin Account is a user account that has Administrator enabled onthe account.
-
-
Configure the admin views for the account. You select the views from the Directly Assigned Admin views list. An admin view represent the items the delegated administrator sees when logged on to the Administration Console.
A directly assigned admin view is the view set on the admin account. An inherited admin view is the view set on the admin group the account belongs to.
-
Configure the Grants. The Grants dialog displays a list the grants requiredto display the items you selected in the Directly Assigned Views column. You can accept these rights and add additional rights, skip this page to not configure these rights, or click Finish to accept these rights and quit the wizard.
You can manage the rights granted to an administrator or an administrator group through the Configure Grants link on the accounts toolbar. When you click Configure Grant on the Manage Accounts Addresses toolbar, the Content pane shows a list of direct and inherited grants. You can grant rights, modify rights or delete rights on existing administrator accounts.
When you want to add a specific grantee or specific rights on a target you can edit the target directly. Each target has an ACL page which lists the granted ACLs. You can add, edit or delete the target’s grants. The administration account (grantee) is updated to reflect the change.
Global administrators can revoke any rights granted to an administrator.
Open the administrator account and click Configure Grants.
-
Select the right to revoke and click Delete.
-
When the dialog asks if are sure, click Yes.
Delegated administrators can revoke rights if the right was created with the Can Grant the right to other admins enabled.
The View Rights link from an admin account or admin group account toolbar displays the granted rights, readable attributes and modifiable attributes associated with a specific target. Click on the tabs to view rights for different targets.
The following preconfigured administrator groups are created automatically. You can assign administrator accounts to these groups.
The zimbradomainadmins delegated admin group grants all the rights
necessary to support {product-name} domain administration for
accounts, aliases, distribution lists and resources.
Administrators who are part of the qzimbradomainadmins` group can create and manage accounts including setting the account quota, aliases, distribution lists, and resources accounts in their domain.
When domain administrators log onto the Administration Console, only the functions they are authorized to manage are displayed on the console’s Navigation pane.
For domain administrators, all tasks are performed from the Administration Console. To facilitate easy log in, when a delegated administrator account is created, their ZWC account can have a link to the Administration Console.
The link is created from the zmprov CLI
zmprov md <server.domainexample.com> zimbraWebClientAdminReference <https:// server.domainexample.com:7071/>The zimbradladmin delegated admin group grants all the rights necessary
to log on to the Administration Console and manage distribution lists.
Administrators who are part of this group can
-
View the account list
-
Create new distribution lists and delete distribution lists
-
Add, edit and remove members in a distribution list
To have one domain administrator manage more than one domain, you assign the rights to manage individual domains to the administrator account or administrator group.
For example, to set up [email protected] to manage domainexample1 and domainexample2.com. Create a new administrator account on one of the domains to be managed.
-
Create the administrator account on one of the domains to be managed (domainexample1.com)
-
Select the views that domain administrators need to manage a domain. When the views are selected, the rights associated with these views automatically display on the Configure the Grants dialog.
-
Configure the grants for this domain if they are different from the grants associated with the views you select.
-
To add another domain to be managed (domainexample2.com).
-
On the Configure Grants page, click Add
-
Select the target type as domain
-
Enter the target’s domain name (domainexample2.com)
-
For Right Type, select System Defined Right
-
For Right Name type, adminConsoleAccountRights. Is Positive Right should be selected.
-
Click Add and More
-
The Add ACE page displays again and the Right Name field is empty. Type, adminConsoleDLRights and click Add and More.
-
Continue to add the following right names:
-
adminConsoleAliasRights
-
adminConsoleResourceRights
-
adminConsoleSavedSearchRights
-
adminConsoleDomainRights
-
-
After the last right, click Add and Finish. The Configure the Grants dialog displays these rights associated with the target domain. If you are adding another domain to manage, click Add and More. Repeat Step 4. If not, click Finish.
-
To assign a user to manage a distribution list, you create a distribution list and enable Admin Group, select the view, grant the distribution list rights, add the user to the list and make that user an administrator.
-
Create a new distribution list:
-
Check Admin Group
-
Add the user who will be the administrator as a member of the DL.
-
Go to the Admin Views page and check Distribution List View so theadmin can view the distribution list.
-
Click Save.
-
-
In the Configure Grants page, add the following rights.
Table 3. Rights Right Name Target Type Target Right Type The following right let the administrator manage distribution lists.
listdistributionlistdl
DL email address
SD Right
adddistributionlist aliasdl
DL email address
SD Right
adddistributionlist memberdl
DL email address
SD Right
modifyDistributionlistdl
DL email address
SD Right
getdistributionlist membershipdl
DL email address
SD Right
RemoveDistributionlistmemberdl
DL email address
SD Right
This domain right displays user account list that the administrator can select from to add to a distribution list.
listAccountdomain
DL email address
SD Right
To create delegated administrators who only change passwords, you create the admin or admin group, select the views and grant the set Account Password combo right.
-
Select the following views
-
Account List view to be able to select accounts to change passwords
-
Alias List view to be able to find users who use an alias instead of account name.
-
-
The Configure the Grants page displays recommended grants for the views you have chosen. For Change Password rights, do not configure these grants. Select Skip. Click Add to add the following right:
Right Name Target Type Target Right Type setAccountPassworddomain
domain address
SD Right
View Mail access right can be granted on accounts, domains, and distribution lists.
| Right Name | Target Type | Target | Right Type |
|---|---|---|---|
|
Either: account, domain, dl |
account, domain, or distribution list address |
To prevent administrators from viewing an account with a domain or distribution list, assign the Is Negative Right to the account.
You can expand the domain administrator role to be able to view and change the class of service (COS) assigned to a user. To add the rights to manage the COS for a domain, add the following rights to the domain administrator account or domain administrator admin group.
Add the System Defined Rights to each COS in the domain.
| Right Name | Target Type | Target | Right Type |
|---|---|---|---|
|
cos |
COS name |
SD Right |
|
cos |
COS name |
SD Right |
|
cos |
COS name |
SD Right |
This domain right displays the COS information in the user account’s General Information page. |
|||
|
domain |
domain address |
Attribute Right Verb: Write AR Target: account |
This role creates a delegated administrator role that can run the Search Mail tool to search mail archives or live mail for accounts. This also allows the administrator to create, abort, delete, purge or get status of a cross mailbox search request.
|
Note
|
The Archiving and Discovery feature must be installed for this feature to work. |
| Right Name | Target Type | Target | Right Type |
|---|---|---|---|
|
(combo) |
server name where cross mailbox searches can be run |
SD Right |
For full functionality, this role includes the ability to create new accounts so that the admin can create the target mailbox to receive the search results. If you do not want this role to have the ability to create accounts, grant the following negative right as well.
| Right Name | Target Type | Target | Right Type |
|---|---|---|---|
|
domain |
domain address |
If you want this admin to also view the target mailbox with the results of the cross mailbox search, grant the right to view that mailbox only.
| Right Name | Target Type | Target | Right Type |
|---|---|---|---|
|
account |
cross mailbox search target account name |
This role creates a delegated administrator role that can create, deploy and view Zimlets.
| Right Name | Target Type | Target | Right Type |
|---|---|---|---|
|
server, domain |
server name or domain address |
SD Right |
|
server, domain |
server name or domain address |
SD Right |
This role creates a delegated administrator that can create and manage resources.
| Right Name | Target Type | Target | Right Type |
|---|---|---|---|
|
combo |
server name or domain address |
SD Right |
This role creates a delegated administrator that can access all the searches saved in the Administration Console Navigation pane, Search section.
| Right Name | Target Type | Target | Right Type |
|---|---|---|---|
|
combo |
server name or domain address |
SD Right |
This role creates a delegated administrator that can access the Server Status page. In addition to granting this right, you must also select the Admin View, Global Server Status View.
| Right Name | Target Type | Target | Right Type |
|---|---|---|---|
|
global |
SD Right |
|
Note
|
Accounts that are configured as global administrator accounts cannot be granted ACLs. Global administrator accounts automatically have full rights on {product-name}. If an ACL is added to a global administrator account, it is ignored. If a delegated administrator account is changed to a global administrator account, any ACLs associated with the account are ignored. |