Permalink
c23ef50 Jul 18, 2018
4 contributors

Users who have contributed to this file

@mogsdad @plobbes @jorgedlcruz @jeastman
726 lines (533 sloc) 24.9 KB

Delegated Administration (*)

Note
*Starting with Zimbra 8.8, there are two versions of this feature. Zimbra 8.8 provides Standard and New Generation (NG) versions. Zimbra 8.7 and earlier include the Standard version, which is explained below. To use and enable the NG version of this feature with Zimbra 8.8, refer to the specific NG chapter later in this Guide.

The global administrator can create different delegated administrator roles.

Delegated administrator roles can be as simple as having the rights to manage one or more distribution lists or reset forgotten passwords for one or more users, to having domain administration rights on one or more domains.

Two frequently used delegated administrator roles, domain administrator and distribution list administrator, are already defined. You can add administrators to these predefined roles with no other configuration necessary.

Target Types for Granting Administrative Rights

Delegated administration provides a way to define access control limits on targets and grant rights to administrators to perform tasks on the target.

A target is a {product-name} object on which rights can be granted. Each target is associated with a target type that identifies the type of access control entries you can grant on the target.

When selecting a target type for a target consider the following:

  • Target. Which specific target are you granting rights? For example, if the target type you select is "domain", which domain do you mean? You specify a specific domain’s name (Target Name = example.com). Access Control Entries (ACE) are granted on that target. An ACE is stored in an LDAP attribute on the target entry.

  • Is the right you want to grant applicable to the selected target type? A right can only be applied on the relevant target type. For example, creating an account can only apply to a domain target type, and the setting passwords can only apply to accounts and calendar resources target types. If a right is granted on a target that is not applicable to the target, the grant is ignored.

  • When defining rights, you need to consider the scope of targets in which granted rights are effective. For example, the right to set the password is applicable only to accounts and calendar resources, but if this right is included in the domain targets list of rights, it is effective for all accounts or calendar resource in the domain.

Table 1. Targets for rights
Target Type Description of Target Scope

Account

An account entry (a specific user)

Calendar Resource

A calendar resource entry

COS

COS entry

Distribution List

Includes the distribution list and all distribution lists under this distribution list.

If the right is applicable to accounts and calendar resources, all accounts and calendar resources that are direct or indirect members of this distribution list.

Domain

Applicable to a specific domain, not to any sub-domains.

Sub-domains must be explicitly marked as targets.

When domain is the target, the rights are granted for all accounts, calendar resources and distribution lists in the domain.

Config

Grants specific to global config

Global ACL

Administrator rights for all entries in a target type. For example, you could add an ACE to the Global Access Control List (ACL) that grants the right to create accounts on domains.

Delegated administrator accounts that are granted this right can create accounts in all domains in the system.

Server

Server entry

Zimlet

Zimlet entry

Rights

Rights are the functions that a delegated administrator can or cannot perform on a named target. A right is either system-defined or granted at the attribute level.

System-defined rights

Types of system defined rights include:

  • Preset rights (preset). For example, createAccount creates an account; renameDomain, renames the domain.

    Preset rights are associated with a fixed target type. For example, createAccount is a right only on a domain; renameAccount is a right on an account; getServer is a right on a server

    No other rights are required to administer that action on the target.

    Preset rights could involve accessing multiple targets. The grantee needs to have adequate rights on all pertinent targets. For example, to create an alias for an account, the grantee must have rights to add an alias to an account and to create an alias on a domain.

Attribute Right

Granting rights at the attribute level allow a delegated administrator/ administrator group to modify or view (or not modify or view) a specific attribute on a target.

Types of attributes rights include:

  • Attribute (setAttrs) rights allow the domain administrator to modify and view an attribute value. For example, the modifyAccount right allows the domain administrator to modify all attributes of the account.

  • Get attribute rights (getAttrs) let the domain administrator view an attribute value. For example, the getAccount right shows all the attributes for a user’s account.

The specific attribute being granted is configured on the target and the type of permission, read (get) or write (set), is specified.

Attribute rights can be granted in any combination of attributes to grant positive or negative rights. This lets you negate some attributes from a grant.

Combo Rights

Combo rights can be assigned to any target type and can include preset rights and attribute rights. You can use combo right to grant multiple attribute rights quickly on targets.

Negative Rights

Rights can be either positive or negative. Negative rights are rights specifically denied to a grantee.

  • When a negative right is granted to an admin group, all administrators in the group are denied that right for the target and sub-targets on which the right is granted.

  • When a negative right is granted to an administrator who may or may not be in an admin group, the specific administrator is denied that right for the target and sub-targets on which the right is granted.

An admin group is granted domain administrator rights, including the right to create accounts on Domain1. AdminA is in this admin group, but you want AdminA to have all domain administrator rights, except the right to create accounts. You would grant a negative createAccount right to AdminA on the target Domain1.

For grants on the same level, negative rights always take precedence. For example, AdminGroup1 is granted a positive right to view accounts in a domain; AdminGroup2 is granted a negative right to view accounts in the same domain. AdminA is a member in both admin groups. AdminA cannot view any account in this domain because the negative right takes precedence.

For grants on different levels, the most specific grant takes precedence. For example, AdminA is granted the negative right to view accounts in GroupDistributionList1, which User1 is a member. AdminA is also granted the positive right to view account directly on User1’s account. In this case, AdminA can view User1’s account as the grant on the account target is more specific than the grant on the distribution list.

Using the Rights List

System rights are listed and described in the Rights folder in the Administration Console Overview pane. You can use the Rights folder to help you define which system-defined rights to grant to delegated administrators. This folder displays the name of the right, the target types associated with that right, the right type and a brief description.

When you select a right on the page and click on it, another page displays more information:

  • For combo rights, a list of the rights associated with the combo right are listed.

  • For the other system rights, a list of attributes associated with the right are listed

You can use zmprov commands to view combo rights.

  • Direct sub-rights of a combo right

    zmprov gr adminConsoleDLRights
  • Second level sub-rights of the combo

    zmprov gr adminConsoleDLRights -e

Viewing System Defined Rights Lists

You can use zmprov commands to view system defined rights for a specific topic:

Table 2. Viewing Combo Rights with zmprov
To View This Use This zmprov Command

Account

zmprov gar -t account

Calendar Resources

zmprov gar -t calresource

COS

zmprov gar -t cos

Distribution List [1]


1. All rights for account and calendar resources can also be granted on distribution list targets. When these rights are granted on a distribution list, the ACEs apply the right to all direct or indirect account or calendar resource members of the distribution list.
zmprov gar -t dl

Domain

zmprov gar -t domain

Global Config [2]


2. All rights for accounts and calendar resources can also be granted on domain targets. All rights for distribution list can also be granted on domain targets. When rights are granted on a domain, the ACEs apply the right to all direct or indirect account calendar resources, and members of the distribution list in the domain.
zmprov gar -t config

Global Grant [3]


3. All rights for all other targets can also be granted on the global targets. When any rights are granted on a global grant entry, the ACEs apply the right to all entries on the system. For example, if you grant a createAccount (which is a domain right) to AdminA on the global grant entry, AdminA can create accounts in all domains on the system.
zmprov gar -t global

Server

zmprov gar -t server

Zimlets

zmprov gar -t zimlet

Implementing Delegated Administration

Before you create delegated administrators and grant rights, define the role and which rights to assign to the targets the administrator will manage.

For more efficient management of delegated administrators, create administrator groups and add individual administrator accounts to the group. An administrator group allows you to create role-based access control. Administrators with the same or almost the same responsibilities can be grouped into an admin group.

Delegated administration rights can be set up in one of the following methods:

  • Create an administrator or an administrator group and grant rights to the account using the Administrator Wizard.

  • Configure grants on existing administrator accounts. Add new rights or modify rights to an existing delegated administrator or administrator group account.

  • Add, modify and delete rights directly in a target’s Access Control List page.

Administrator Groups and Administrators

Administrator and group administrator accounts are created in the Administration Console.

Use the administration wizard to

  1. Create the create either an Admin Group or an Admin Account.

    1. Admin Groups are distribution lists (DL) that have Admin Group enabled, which flags it as a delegated administrator DL. After the admin group administrator is created and configured with rights and admin views, you add administrator user accounts to the admin group.

    2. Admin Account is a user account that has Administrator enabled on the account.

  2. Configure the admin views for the account. You select the views from the Directly Assigned Admin views list. An admin view represent the items the delegated administrator sees when logged on to the Administration Console.

    A directly assigned admin view is the view set on the admin account. An inherited admin view is the view set on the admin group the account belongs to.

  3. Configure the Grants. The Grants dialog displays a list the grants requiredto display the items you selected in the Directly Assigned Views column. You can accept these rights and add additional rights, skip this page to not configure these rights, or click Finish to accept these rights and quit the wizard.

Configure Grants on Administrator Accounts or Admin Groups

You can manage the rights granted to an administrator or an administrator group through the Configure Grants link on the accounts toolbar. When you click Configure Grant on the Manage Accounts Addresses toolbar, the Content pane shows a list of direct and inherited grants. You can grant rights, modify rights or delete rights on existing administrator accounts.

Grant ACLs to a Target

When you want to add a specific grantee or specific rights on a target you can edit the target directly. Each target has an ACL page which lists the granted ACLs. You can add, edit or delete the target’s grants. The administration account (grantee) is updated to reflect the change.

Revoking Rights

Global administrators can revoke any rights granted to an administrator.

Admin Console:

Home > Manage > Accounts

Open the desired administrator account and click Configure Grants.

  1. Select the right to revoke and click Delete.

  2. When the dialog asks if are sure, click Yes.

Delegated administrators can revoke rights if the right was created with the Can Grant the right to other admins enabled.

Temporarily Revoke Delegated Admin Rights

To temporarily revoke rights to a delegated administrator account, you can edit the administrator account and remove the check next to the Administrator field. The ACLs are not removed from the account.

View Rights Granted to Administrators

The View Rights link from an admin account or admin group account toolbar displays the granted rights, readable attributes and modifiable attributes associated with a specific target. Click on the tabs to view rights for different targets.

Predefined Delegated Administrator Role

The following preconfigured administrator groups are created automatically. You can assign administrator accounts to these groups.

Domain Administration Group

The zimbradomainadmins delegated admin group grants all the rights necessary to support {product-name} domain administration for accounts, aliases, distribution lists and resources.

Administrators who are part of the zimbradomainadmins group can create and manage accounts including setting the account quota, aliases, distribution lists, and resources accounts in their domain.

When domain administrators log onto the Administration Console, only the functions they are authorized to manage are displayed on the console’s Navigation pane.

For domain administrators, all tasks are performed from the Administration Console. To facilitate easy log in, when a delegated administrator account is created, their ZWC account can have a link to the Administration Console.

The link is created from the zmprov CLI

zmprov md {server.example.com} zimbraWebClientAdminReference {https://server.example.com:7071/}

Distribution List Administration Group

The zimbradladmin delegated admin group grants all the rights necessary to log on to the Administration Console and manage distribution lists.

Administrators who are part of this group can

  • View the account list

  • Create new distribution lists and delete distribution lists

  • Add, edit and remove members in a distribution list

Creating Delegated Administrator Roles

Manage multiple domains

To have one domain administrator manage more than one domain, you assign the rights to manage individual domains to the administrator account or administrator group.

For example, to set up domanadministrator1@example.com to manage domainexample1.com and domainexample2.com. Create a new administrator account on one of the domains to be managed.

  1. Create the administrator account on one of the domains to be managed (domainexample1.com)

  2. Select the views that domain administrators need to manage a domain. When the views are selected, the rights associated with these views automatically display on the Configure the Grants dialog.

  3. Configure the grants for this domain if they are different from the grants associated with the views you select.

  4. To add another domain to be managed (domainexample2.com).

    • On the Configure Grants page, click Add

    • Select the target type as domain

    • Enter the target’s domain name (domainexample2.com)

    • For Right Type, select System Defined Right

    • For Right Name type, adminConsoleAccountRights. Is Positive Right should be selected.

    • Click Add and More

    • The Add ACE page displays again and the Right Name field is empty. Type, adminConsoleDLRights and click Add and More.

    • Continue to add the following right names:

      • adminConsoleAliasRights

      • adminConsoleResourceRights

      • adminConsoleSavedSearchRights

      • adminConsoleDomainRights

    • After the last right, click Add and Finish. The Configure the Grants dialog displays these rights associated with the target domain. If you are adding another domain to manage, click Add and More. Repeat Step 4. If not, click Finish.

Manage Distribution Lists

To assign a user to manage a distribution list, you create a distribution list and enable Admin Group, select the view, grant the distribution list rights, add the user to the list and make that user an administrator.

  1. Create a new distribution list:

    • Check Admin Group

    • Add the user who will be the administrator as a member of the DL.

    • Go to the Admin Views page and check Distribution List View so the admin can view the distribution list.

    • Click Save.

  2. In the Configure Grants page, add the following rights.

    Table 3. Rights
    Right Name Target Type Target Right Type

    The following right let the administrator manage distribution lists.

    listDistributionList

    dl

    DL email address

    SD Right

    addDistributionListAlias

    dl

    DL email address

    SD Right

    addDistributionListMember

    dl

    DL email address

    SD Right

    modifyDistributionList

    dl

    DL email address

    SD Right

    getDistributionListMembership

    dl

    DL email address

    SD Right

    removeDistributionListMember

    dl

    DL email address

    SD Right

    This domain right displays user account list that the administrator can select from to add to a distribution list.

    listAccount

    domain

    DL email address

    SD Right

Change Passwords

To create delegated administrators who only change passwords, you create the admin or admin group, select the views and grant the set Account Password combo right.

  1. Select the following views

    • Account List view to be able to select accounts to change passwords

    • Alias List view to be able to find users who use an alias instead of account name.

  2. The Configure the Grants page displays recommended grants for the views you have chosen. For Change Password rights, do not configure these grants. Select Skip. Click Add to add the following right:

    Right Name Target Type Target Right Type

    setAccountPassword

    domain

    domain name

    SD Right

View Mail Access Right

View Mail access right can be granted on accounts, domains, and distribution lists.

Right Name Target Type Target Right Type

adminLoginAs

account, domain, dl

account, domain, or distribution list address

SD Right [4]


4. To deny the View Mail right on the target, check the box for Is Negative Right (Deny)

To prevent administrators from viewing an account with a domain or distribution list, assign the Is Negative Right to the account.

Manage Class of Service Assigned to Users

You can expand the domain administrator role to be able to view and change the class of service (COS) assigned to a user. To add the rights to manage the COS for a domain, add the following rights to the domain administrator account or domain administrator admin group.

Add the System Defined Rights to each COS in the domain.

Table 4. System Defined Rights for COS
Right Name Target Type Target Right Type

listCos

cos

COS name

SD Right

getCos

cos

COS name

SD Right

assignCos

cos

COS name

SD Right

This domain right displays the COS information in the user account’s General Information page.

zimbraCOSId

domain

domain name

Attribute Right
Verb: Write
AR Target: account

This role creates a delegated administrator role that can run the Search Mail tool to search mail archives or live mail for accounts. This also allows the administrator to create, abort, delete, purge or get status of a cross mailbox search request.

Note
The Archiving and Discovery feature must be installed for this feature to work.
Right Name Target Type Target Right Type

adminConsoleCrossMailboxSearchRights

(combo)

server name where cross mailbox searches can be run

SD Right

For full functionality, this role includes the ability to create new accounts so that the admin can create the target mailbox to receive the search results. If you do not want this role to have the ability to create accounts, grant the following negative right as well.

Right Name Target Type Target Right Type

CreateAccount

domain

domain name

SD Right [5]


5. To deny the Create Account right on the target, check the box for Is Negative Right (Deny)

If you want this admin to also view the target mailbox with the results of the cross mailbox search, grant the right to view that mailbox only.

Right Name Target Type Target Right Type

adminLoginAs

account

cross mailbox search target account name

SD Right [6]


6. To deny the View Mail right on the target, check the box for Is Negative Right (Deny)

Manage Zimlets

This role creates a delegated administrator role that can create, deploy and view Zimlets.

Right Name Target Type Target Right Type

adminConsoleZimletRights

server, domain

server name or domain name

SD Right

adminConsoleAccountsZimletsTabRights

server, domain

server name or domain name

SD Right

Manage Resources

This role creates a delegated administrator that can create and manage resources.

Right Name Target Type Target Right Type

adminConsoleResourceRights

combo

server name or domain name

SD Right

Access to the Saved Searches

This role creates a delegated administrator that can access all the searches saved in the Administration Console Navigation pane, Search section.

Right Name Target Type Target Right Type

adminConsoleSavedSearchRights

combo

server name or domain name

SD Right

Access to the Server Status Pages

This role creates a delegated administrator that can access the Server Status page. In addition to granting this right, you must also select the Admin View, Global Server Status View.

Right Name Target Type Target Right Type

adminConsoleServerStatusRights

global

SD Right

Note
Accounts that are configured as global administrator accounts cannot be granted ACLs. Global administrator accounts automatically have full rights on {product-name}. If an ACL is added to a global administrator account, it is ignored. If a delegated administrator account is changed to a global administrator account, any ACLs associated with the account are ignored.