Carbonio – Delegated Domain Admin

Every now and then you may need a delegated admin to manage a domain, and Carbonio CE doesn’t provide an easy way to do it using the Admin UI.

But let’s give them credit: you can easily promote any account to Global Admin just by editing it and clicking a button. Well done Zextras!

In this tutorial I’d like to discuss a bit how these permissions are given and taken away, because once you don’t want a Global Admin things may get a bit complicated. The only way to do so is dealing with each permission one by one.

Making a Global Admin

Let’s start easy and set up a Global Admin. This is easy because Carbonio has an internal preset. So, to make any account a Global Admin, just run this command:

zmprov ma [email protected] zimbraIsAdminAccount TRUE

That’s gonna give Global Admin powers to that account. Easy, right?

Making a Delegated Admin

Creating a delegated admin is a lot more work because you have to explicitly set the limits of that delegation. In other words: what can that delegated admin account do?

But first things first: let’s start by making it a delegated admin:

zmprov ma [email protected] zimbraIsDelegatedAdminAccount TRUE

Now Carbonio knows that account is special. It has permission to access the Admin UI. But that’s it. It can log in but it can’t do anything there.

Adding basic permissions

A delegated admin account must be given explicit permission to see areas of the Admin UI. That’s done using the zimbraAdminConsoleUIComponents attribute with the area you want it to see.

A basic setup would be like this:

zmprov ma [email protected] \
zimbraAdminConsoleUIComponents domainListView \
zimbraAdminConsoleUIComponents accountListView \
zimbraAdminConsoleUIComponents DLListView

As you can see above, this just gave it permission to see the Domains, Accounts and Distribution Lists areas of the Admin UI.

Below you have the full list of possible areas you can set:

Account List View           : accountListView
Distribution List View      : DLListView
Alias List View             : aliasListView
Resource List View          : resourceListView
Class of Service List View  : COSListView
Domain List View            : domainListView
Server List View            : serverListView
Zimlet List View            : zimletListView
Admin Zimlet List View      : adminZimletListView
Global Settings View        : globalConfigView
Global Server Status View   : globalServerStatusView
Help Search View            : helpSearch
Saved Searches View         : saveSearch
Mail Queue View             : mailQueue
Backups View                : backupsView
Certificates View           : certsView
Software Updates            : softwareUpdatesView
Account Migration           : bulkProvisionTasksView
Per Server Statistics View  : perServerStatisticsView
Global ACL View             : globalPermissionView
Right List View             : rightListView

Granting Domain rights

If you are following along and logging in to the Admin UI with that account, you have already realized that nothing really changed so far. The reason is that, despite the account having permission to see some areas of the Admin UI, we didn’t grant it any right over any domain yet.

This is where the real fun begins. Adding and removing rights is what really makes the difference.

Let’s start by giving [email protected] some useful rights:

zmprov grantRight domain example.com usr [email protected] +createAccount
zmprov grantRight domain example.com usr [email protected] +createAlias
zmprov grantRight domain example.com usr [email protected] +createCalendarResource
zmprov grantRight domain example.com usr [email protected] +createDistributionList
zmprov grantRight domain example.com usr [email protected] +deleteAlias
zmprov grantRight domain example.com usr [email protected] +listDomain
zmprov grantRight domain example.com usr [email protected] +domainAdminRights
zmprov grantRight domain example.com usr [email protected] +getDomainQuotaUsage

At the end of each command above you can see which right was granted to that user on that domain.

At this point you will be able to actually see the domain, its accounts, and its distribution lists.

There are some extra permissions that you might want to add to a regular Delegated Admin. Take a look:

zmprov grantRight domain example.com usr [email protected] set.account.zimbraAccountStatus
zmprov grantRight domain example.com usr [email protected] set.account.sn
zmprov grantRight domain example.com usr [email protected] set.account.displayName
zmprov grantRight domain example.com usr [email protected] set.account.zimbraPasswordMustChange

If you’d like to see all the permissions granted on this domain, run the command below:

zmprov gg -t domain example.com

Granting Account rights

Being able to see all those views without being able to change anything makes no sense. In order to modify and set up accounts you have to grant new permissions in a very similar way to what was done for the domain, but on the account. Like this:

zmprov grantRight account [email protected] usr [email protected] +getAccountInfo
zmprov grantRight account [email protected] usr [email protected] +getAccountMembership
zmprov grantRight account [email protected] usr [email protected] +getMailboxInfo
zmprov grantRight account [email protected] usr [email protected] +listAccount
zmprov grantRight account [email protected] usr [email protected] +removeAccountAlias
zmprov grantRight account [email protected] usr [email protected] +renameAccount
zmprov grantRight account [email protected] usr [email protected] +setAccountPassword
zmprov grantRight account [email protected] usr [email protected] +configureQuota
zmprov grantRight account [email protected] usr [email protected] +viewAccountAdminUI

Right now you have a pretty powerful Delegated Admin for the example.com domain. Maybe too much?

Revoking some rights

Sometimes you don’t need, or just don’t want, a powerful Delegated Admin, so some permissions need to be revoked. Below I list some restrictions I find important to prevent undesirable actions.

  • deleteAccount and createAccount

Restricting the ability to remove and create accounts may be a useful limit:

zmprov grantRight account [email protected] usr [email protected] -deleteAccount
zmprov grantRight domain example.com usr [email protected] -deleteAccount
zmprov grantRight account [email protected] usr [email protected] -createAccount
zmprov grantRight domain example.com usr [email protected] -createAccount

  • adminLoginAs

By default all Delegated Admins can access users’ mailboxes through the Admin UI. You might not like that, so:

zmprov grantRight domain example.com usr [email protected] -adminLoginAs

  • zimbraDomainMaxAccounts

That’s an explicit limit on how many accounts that domain can have. So your Delegated Admin can create accounts, but that domain can’t have more than 40 accounts.

zmprov md example.com zimbraDomainMaxAccounts 40

  • zimbraDomainAdminMaxMailQuota

Carbonio allows you to define a total quota for a domain, meaning that your Delegated Admin can allocate quotas for the domain accounts until it reaches the limit. That’s pretty handy when you have a self-managed domain situation. Its value is in bytes.

zmprov md example.com zimbraDomainAdminMaxMailQuota 107374182400

That Delegated Admin will have 100Gb to play with on example.com =)

  • configureQuota

Sometimes it’s the very opposite: you don’t want that Delegated Admin messing around with quotas at all.

zmprov grantRight account [email protected] usr [email protected] -configureQuota
zmprov grantRight domain example.com usr [email protected] -configureQuota
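To check that revocations like the ones above actually stuck (and that nobody re-granted the rights later), here is an added audit helper that is not part of the original post: it reads the output of the zmprov gg command shown earlier and reports the state of a few sensitive rights for one delegated admin. The column layout of gg, the sample grants and the dadmin@example.com address are assumptions; a negative grant on the same target is treated as overriding a positive one.

```bash
#!/bin/sh
# Added audit helper, not from the original post. Reads "zmprov gg" output on
# stdin and reports, for one delegated admin, whether each sensitive right is
# ALLOWED, DENIED or not-granted. Assumed layout: the grantee name appears on
# the line and the right is the last column as +right, -right or bare right
# (bare counts as a positive grant, as in the set.account.* grants above).

SENSITIVE_RIGHTS="createAccount deleteAccount adminLoginAs configureQuota setAccountPassword"

# audit_delegated_admin <grantee-email>   (grants text on stdin)
# Returns 1 if any sensitive right ends up ALLOWED, 0 otherwise.
audit_delegated_admin() {
    grantee="$1"
    grants=$(cat)
    rc=0
    for right in $SENSITIVE_RIGHTS; do
        verdict=$(printf '%s\n' "$grants" | awk -v g="$grantee" -v r="$right" '
            index($0, g) == 0 { next }          # header and other grantees
            {
                t = $NF; s = substr(t, 1, 1)
                if (s == "+" || s == "-") t = substr(t, 2)
                if (t != r) next
                if (s == "-") neg = 1; else pos = 1
            }
            # a negative grant on the same target overrides a positive one
            END { if (neg) print "DENIED"; else if (pos) print "ALLOWED"; else print "not-granted" }')
        [ "$verdict" = "ALLOWED" ] && rc=1
        printf '%-20s %s\n' "$right" "$verdict"
    done
    return $rc
}

# Constructed sample in the assumed "zmprov gg -t domain example.com" shape;
# the IDs are placeholders and dadmin@example.com is a made-up delegated admin.
SAMPLE_GRANTS='target type  target id    target name  grantee type  grantee id    grantee name        right
domain       <domain-id>  example.com  usr           <account-id>  dadmin@example.com  +createAccount
domain       <domain-id>  example.com  usr           <account-id>  dadmin@example.com  +deleteAccount
domain       <domain-id>  example.com  usr           <account-id>  dadmin@example.com  -deleteAccount
domain       <domain-id>  example.com  usr           <account-id>  dadmin@example.com  -configureQuota
domain       <domain-id>  example.com  usr           <account-id>  dadmin@example.com  setAccountPassword
domain       <domain-id>  example.com  usr           <account-id>  other@example.com   +adminLoginAs'

# Real use: zmprov gg -t domain example.com | audit_delegated_admin dadmin@example.com
run_sample() {
    printf '%s\n' "$SAMPLE_GRANTS" | audit_delegated_admin "dadmin@example.com"
}

if run_sample; then echo "no sensitive right is allowed"; else echo "some sensitive rights are ALLOWED"; fi
```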

Scripting it!

There are so many scripts available and none of them will fit your needs perfectly, because each one is done to fit some specific need for that Delegated Admin. So I’ll share the one I use, but you may have to change the permissions to fit your needs.

#!/bin/bash
# Sets up a restricted Delegated Admin for one domain.
# Usage: ./delegated_admin.sh <domain> <delegated-admin-email>

if [ "$(whoami)" != "zextras" ] ; then
    echo "Must run it as zextras user!"
    exit 1
fi

if [ -z "$1" ] ; then
    echo "Missing domain!"
    exit 1
fi

if [ -z "$2" ] ; then
    echo "Missing delegated domain e-mail!"
    exit 1
fi

case "$2" in
    *@*) ;;
    *)
        echo "This doesn't look like an e-mail!"
        exit 1
        ;;
esac

domain="$1"
admin="$2"

# Private temporary file (a fixed, predictable /tmp path could be pre-created
# or symlinked by another local user); it is removed on exit.
file_setup="$(mktemp)" || exit 1
trap 'rm -f "$file_setup"' EXIT

# One zmprov batch: flag the account as delegated admin, expose the UI views,
# cap the domain, then grant (+) or deny (-) rights on the domain and on the
# delegated admin's own account.
cat > "$file_setup" <<EOF
ma $admin zimbraIsDelegatedAdminAccount TRUE
ma $admin zimbraAdminConsoleUIComponents cartBlancheUI zimbraAdminConsoleUIComponents domainListView zimbraAdminConsoleUIComponents accountListView zimbraAdminConsoleUIComponents DLListView zimbraAdminConsoleUIComponents aliasListView
ma $admin zimbraDomainAdminMaxMailQuota 0
md $domain zimbraDomainMaxAccounts 1
grantRight domain $domain usr $admin -createAccount
grantRight domain $domain usr $admin +createAlias
grantRight domain $domain usr $admin +createCalendarResource
grantRight domain $domain usr $admin +deleteAlias
grantRight domain $domain usr $admin +listDomain
grantRight domain $domain usr $admin +domainAdminRights
grantRight domain $domain usr $admin +domainAdminConsoleRights
grantRight domain $domain usr $admin +adminConsoleAliasRights
grantRight domain $domain usr $admin -configureQuota
grantRight domain $domain usr $admin set.account.zimbraAccountStatus
grantRight domain $domain usr $admin set.account.sn
grantRight domain $domain usr $admin set.account.displayName
grantRight domain $domain usr $admin set.account.zimbraPasswordMustChange
grantRight domain $domain usr $admin +getDomainQuotaUsage
grantRight domain $domain usr $admin -deleteAccount
grantRight domain $domain usr $admin +createDistributionList
grantRight domain $domain usr $admin +addDistributionListAlias
grantRight domain $domain usr $admin +addDistributionListMember
grantRight domain $domain usr $admin +deleteDistributionList
grantRight domain $domain usr $admin +domainAdminDistributionListRights
grantRight domain $domain usr $admin +getDistributionList
grantRight domain $domain usr $admin +getDistributionListMembership
grantRight domain $domain usr $admin +listDistributionList
grantRight domain $domain usr $admin +modifyDistributionList
grantRight domain $domain usr $admin +removeDistributionListAlias
grantRight domain $domain usr $admin +removeDistributionListMember
grantRight domain $domain usr $admin +renameDistributionList
grantRight account $admin usr $admin -deleteAccount
grantRight account $admin usr $admin +getAccountInfo
grantRight account $admin usr $admin +getAccountMembership
grantRight account $admin usr $admin +getMailboxInfo
grantRight account $admin usr $admin +listAccount
grantRight account $admin usr $admin +removeAccountAlias
grantRight account $admin usr $admin +renameAccount
grantRight account $admin usr $admin +setAccountPassword
grantRight account $admin usr $admin +viewAccountAdminUI
grantRight account $admin usr $admin -configureQuota
EOF

zmprov < "$file_setup"

Enjoy!