Carbonio – Delegated Domain Admin

Now and then, you may need a delegated admin to manage a domain, and Carbonio CE doesn’t provide an easy way to set one up using the Admin UI.

But let’s give them credit: you can easily promote any account to Global Admin just by editing it and clicking on a button. Well done, Zextras!

In this tutorial, I’d like to discuss a bit about how these permissions are given and taken, because once you don’t want a Global Admin, things may get a bit complicated. The only way to do so is to deal with each permission one by one.

Making a Global Admin

Let’s start easy and set up a Global Admin. This is easy because Carbonio has an internal preset. So, to make any account a Global Admin, just run this command:

zmprov ma [email protected] zimbraIsAdminAccount TRUE

That’s gonna give Global Admin powers to that account. Easy, right?

Making a Delegated Admin

Creating a delegated admin is a lot more work because you have to explicitly set the limits of that delegation. In other words, what can that delegated admin account do?

But first things first: let’s start by making it a delegated admin:

zmprov ma [email protected] zimbraIsDelegatedAdminAccount TRUE

Now Carbonio knows that the account is special. It has permission to access the Admin UI. But that’s it. It can log in, but it can’t do anything there.

Adding basic permissions

A delegated admin account must be given explicit permission to see areas on the Admin UI. That’s done using the zimbraAdminConsoleUIComponents option with the area you want it to see.

A basic setup would be like this:

zmprov ma [email protected] \
zimbraAdminConsoleUIComponents domainListView \
zimbraAdminConsoleUIComponents accountListView \
zimbraAdminConsoleUIComponents DLListView

As you can see above, this just gave it permission to see the Domains, Accounts, and Distribution Lists areas on the Admin UI.

Below you have the full list of possible areas you can set it to:

Account List View           : accountListView
Distribution List View      : DLListView
Alias List View             : aliasListView
Resource List View          : resourceListView
Class of Service List View  : COSListView
Domain List View            : domainListView
Server List View            : serverListView
Zimlet List View            : zimletListView
Admin Zimlet List View      : adminZimletListView
Global Settings View        : globalConfigView
Global Server Status View   : globalServerStatusView
Help Search View            : helpSearch
Saved Searches View         : saveSearch
Mail Queue View             : mailQueue
Backups View                : backupsView
Certificates View           : certsView
Software Updates            : softwareUpdatesView
Account Migration           : bulkProvisionTasksView
Per Server Statistics View  : perServerStatisticsView
Global ACL View             : globalPermissionView
Right List View             : rightListView

Granting Domain rights

If you are following along and logging in to the Admin UI with that account, you have already realized that nothing has really changed so far. The reason is that, although the account has permission to see some areas of the Admin UI, we haven’t granted it any rights over any domain yet.

This is where the real fun begins. Adding and removing rights is what is gonna make the difference.

Let’s start by giving [email protected] some useful rights:

zmprov grantRight domain example.com usr [email protected] +createAccount
zmprov grantRight domain example.com usr [email protected] +createAlias
zmprov grantRight domain example.com usr [email protected] +createCalendarResource
zmprov grantRight domain example.com usr [email protected] +createDistributionList
zmprov grantRight domain example.com usr [email protected] +deleteAlias
zmprov grantRight domain example.com usr [email protected] +listDomain
zmprov grantRight domain example.com usr [email protected] +domainAdminRights
zmprov grantRight domain example.com usr [email protected] +getDomainQuotaUsage

At the end of each command above, you can see what right was granted to that user on that domain.

At this point, you will be able to actually see the domain, its accounts, and distribution lists.

There are some extra permissions that you might like to add to a regular Delegated Admin. Take a look:

zmprov grantRight domain example.com usr [email protected] set.account.zimbraAccountStatus
zmprov grantRight domain example.com usr [email protected] set.account.sn
zmprov grantRight domain example.com usr [email protected] set.account.displayName
zmprov grantRight domain example.com usr [email protected] set.account.zimbraPasswordMustChange

If you’d like to see all permissions granted on the domain, run the command below:

zmprov gg -t domain example.com

Granting Account rights

Being able to see all those views without being able to change anything makes no sense. To modify and set up accounts, you may have to grant new permissions much as was done for the domain, but on the account, as follows:

zmprov grantRight account [email protected] usr [email protected] +getAccountInfo
zmprov grantRight account [email protected] usr [email protected] +getAccountMembership
zmprov grantRight account [email protected] usr [email protected] +getMailboxInfo
zmprov grantRight account [email protected] usr [email protected] +listAccount
zmprov grantRight account [email protected] usr [email protected] +removeAccountAlias
zmprov grantRight account [email protected] usr [email protected] +renameAccount
zmprov grantRight account [email protected] usr [email protected] +setAccountPassword
zmprov grantRight account [email protected] usr [email protected] +configureQuota
zmprov grantRight account [email protected] usr [email protected] +viewAccountAdminUI

Right now, you have a pretty powerful Delegated Admin for the example.com domain. Maybe too much?

Revoking some rights

Sometimes you don’t need, or just don’t want, a powerful Delegated Admin, so some permissions need to be revoked. Below, I list some restrictions I find important to prevent some undesirable actions.

  • deleteAccount and createAccount

Restricting the ability to remove and create accounts may be a useful limit:

zmprov grantRight account [email protected] usr [email protected] -deleteAccount
zmprov grantRight domain example.com usr [email protected] -deleteAccount
zmprov grantRight account [email protected] usr [email protected] -createAccount
zmprov grantRight domain example.com usr [email protected] -createAccount

  • adminLoginAs

By default, all Delegated Admins can access users’ mailboxes through Admin UI. You might not like that, so:

zmprov grantRight domain example.com usr [email protected] -adminLoginAs

  • zimbraDomainMaxAccounts

That’s an explicit limit on how many accounts the domain can have. So your Delegated Admin can create accounts, but that domain can’t have more than 40 accounts.

zmprov md example.com zimbraDomainMaxAccounts 40

  • zimbraDomainAdminMaxMailQuota

Carbonio allows you to define a total quota for a domain, meaning that your Delegated Admin can allocate quotas for the domain accounts until it reaches that limit per account. That’s pretty handy when you have a self-managed domain situation. Its value is in bytes.

zmprov ma [email protected] zimbraDomainAdminMaxMailQuota 107374182400

That Delegated Admin will have 100 GB to play with for each account of example.com =)

  • configureQuota

Sometimes it’s the very opposite: you don’t want that Delegated Admin messing around with quotas at all.

zmprov grantRight account [email protected] usr [email protected] -configureQuota
zmprov grantRight domain example.com usr [email protected] -configureQuota

Scripting it!

There are many scripts available, but none of them will fit your needs perfectly, because each one is designed to address a specific need for a Delegated Admin. So I’ll share the one I use, but you may have to change the permissions to fit your needs.

#!/bin/bash

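# Private temporary file for the zmprov batch (avoids a predictable name in /tmp)
file_setup=$(mktemp /tmp/admin_setup.XXXXXX) || exit 1
trap 'rm -f "$file_setup"' EXIT

# zmprov must run as the zextras user
who_z_user=$(whoami)
if [ "$who_z_user" != "zextras" ] ; then
        echo "Must run it as zextras user!"
        exit 1
fi

# $1: domain to delegate
if [ "$1" = "" ] ; then
        echo "Missing domain!"
        exit 1
fi

# $2: e-mail of the delegated admin account
if [ "$2" = "" ] ; then
        echo "Missing delegated domain e-mail!"
        exit 1
else
        test=$(echo "$2" | grep @)
        if [ "$test" = "" ] ; then
                echo "This doesn't look like an e-mail!"
                exit 1
        fi
fi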

echo "ma $2 zimbraIsDelegatedAdminAccount TRUE
ma $2 zimbraAdminConsoleUIComponents cartBlancheUI zimbraAdminConsoleUIComponents domainListView zimbraAdminConsoleUIComponents accountListView zimbraAdminConsoleUIComponents DLListView zimbraAdminConsoleUIComponents aliasListView

ma $2 zimbraDomainAdminMaxMailQuota 0
md $1 zimbraDomainMaxAccounts 1
grantRight domain $1 usr $2 -createAccount
grantRight domain $1 usr $2 +createAlias
grantRight domain $1 usr $2 +createCalendarResource
grantRight domain $1 usr $2 +deleteAlias
grantRight domain $1 usr $2 +listDomain
grantRight domain $1 usr $2 +domainAdminRights
grantRight domain $1 usr $2 +domainAdminConsoleRights
grantRight domain $1 usr $2 +adminConsoleAliasRights
grantRight domain $1 usr $2 -configureQuota
grantRight domain $1 usr $2 set.account.zimbraAccountStatus
grantRight domain $1 usr $2 set.account.sn
grantRight domain $1 usr $2 set.account.displayName
grantRight domain $1 usr $2 set.account.zimbraPasswordMustChange
grantRight domain $1 usr $2 +getDomainQuotaUsage
grantRight domain $1 usr $2 -deleteAccount
grantRight domain $1 usr $2 +createDistributionList
grantRight domain $1 usr $2 +addDistributionListAlias
grantRight domain $1 usr $2 +addDistributionListMember
grantRight domain $1 usr $2 +deleteDistributionList
grantRight domain $1 usr $2 +domainAdminDistributionListRights
grantRight domain $1 usr $2 +getDistributionList
grantRight domain $1 usr $2 +getDistributionListMembership
grantRight domain $1 usr $2 +listDistributionList
grantRight domain $1 usr $2 +modifyDistributionList
grantRight domain $1 usr $2 +removeDistributionListAlias
grantRight domain $1 usr $2 +removeDistributionListMember
grantRight domain $1 usr $2 +renameDistributionList
grantRight account $2 usr $2 -deleteAccount
grantRight account $2 usr $2 +getAccountInfo
grantRight account $2 usr $2 +getAccountMembership
grantRight account $2 usr $2 +getMailboxInfo
grantRight account $2 usr $2 +listAccount
grantRight account $2 usr $2 +removeAccountAlias
grantRight account $2 usr $2 +renameAccount
grantRight account $2 usr $2 +setAccountPassword
grantRight account $2 usr $2 +viewAccountAdminUI
grantRight account $2 usr $2 -configureQuota" >"$file_setup"

# Feed the whole batch to a single zmprov session
zmprov <"$file_setup"

You can also download it by clicking here
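
A batch like the one this script generates can be checked before it is piped into zmprov. The lint below is an added example, not part of the original script or of Carbonio: it flags a Global Admin promotion, UI views outside an allow-list, a right that is both granted and denied, and domain grantees with no explicit deny for sensitive rights. The allow-list, the deny list, the finding labels and the address delegate@example.com are assumptions made for the example.

```bash
#!/bin/bash
# Added example: lint a zmprov batch before it is applied.
# ASSUMPTION: the policy below (allowed views, rights to deny) is illustrative.
ALLOWED_VIEWS="domainListView accountListView DLListView aliasListView"
MUST_DENY="adminLoginAs deleteAccount"
# Constructed sample batch; delegate@example.com is a placeholder address.
sample_batch() {
    cat <<'EOF'
ma delegate@example.com zimbraIsDelegatedAdminAccount TRUE
ma delegate@example.com zimbraAdminConsoleUIComponents cartBlancheUI zimbraAdminConsoleUIComponents domainListView
grantRight domain example.com usr delegate@example.com +createAlias
grantRight domain example.com usr delegate@example.com -deleteAccount
grantRight domain example.com usr delegate@example.com +configureQuota
grantRight domain example.com usr delegate@example.com -configureQuota
EOF
}
# Reads a batch on stdin, prints sorted findings, returns 1 if there are any.
lint_batch() {
    local findings
    findings=$(awk -v views="$ALLOWED_VIEWS" -v deny="$MUST_DENY" '
    BEGIN { n = split(views, v, " "); for (i = 1; i <= n; i++) ok[v[i]] = 1
            nd = split(deny, d, " ") }
    # ma <account> <attr> <value> [<attr> <value> ...]
    $1 == "ma" || $1 == "modifyAccount" {
        for (i = 3; i < NF; i += 2) {
            if ($i == "zimbraIsAdminAccount" && $(i+1) == "TRUE") print "GLOBAL-ADMIN " $2
            if ($i == "zimbraAdminConsoleUIComponents" && !($(i+1) in ok))
                print "EXTRA-VIEW " $2 " " $(i+1)
        }
    }
    # grantRight <target-type> <target> usr <grantee> [+|-]<right>
    $1 == "grantRight" && $4 == "usr" {
        right = $6; sign = "+"
        if (right ~ /^[+-]/) { sign = substr(right, 1, 1); right = substr(right, 2) }
        key = $2 " " $3 " " $5 " " right
        if ((key in seen) && seen[key] != sign) print "CONFLICT " key
        seen[key] = sign
        if ($2 == "domain") {
            grantee[$3 " " $5] = 1
            if (sign == "-") denied[$3 " " $5 " " right] = 1
        }
    }
    END { for (g in grantee) for (i = 1; i <= nd; i++)
              if (!((g " " d[i]) in denied)) print "NOT-DENIED " g " " d[i] }
    ' | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
sample_batch | lint_batch || true
```

To gate a real run, feed the generated file to `lint_batch` and only call zmprov when it returns 0.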

Enjoy!

Published: 27/10/2023 | Updated: 31/07/2025
