Ajcody-System-Documentation-For-Rights-Included-In-ZCS-Install

Revision as of 01:12, 24 November 2013 by Ajcody (talk | contribs) (Created page with "{{Article Infobox|{{admin}}|{{ZCS 8.0}}||}} The following system documentation was from a ZCS 8.0.4 system. ==System Documentation For Rights Included in ZCS Install== ===A...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 8.0 Article ZCS 8.0


The following system documentation was from a ZCS 8.0.4 system.

System Documentation For Rights Included in ZCS Install

Actual System Documentation For Rights Included in ZCS Install Home Page

Please see: Ajcody-System-Documentation-For-Rights-Included-In-ZCS-Install


zmprov help right

$ zmprov help right

  checkRight(ckr) {target-type} [{target-id|target-name}] {grantee-id|grantee-name (note:can only check internal user)} {right}

  getAllEffectiveRights(gaer) {grantee-type} {grantee-id|grantee-name} [expandSetAttrs] [expandGetAttrs]

  getAllRights(gar) [-v] [-t {target-type}] [-c ALL|ADMIN|USER]

  getEffectiveRights(ger) {target-type} [{target-id|target-name}] {grantee-id|grantee-name} [expandSetAttrs] [expandGetAttrs]

  getCreateObjectAttrs(gcoa) {target-type} {domain-id|domain-name} {cos-id|cos-name} {grantee-id|grantee-name}

  getGrants(gg) [-t {target-type} [{target-id|target-name}]] [-g {grantee-type} {grantee-id|grantee-name} [{0|1 (whether to include grants granted to groups the grantee belongs)}]]

  getRight(gr) {right} [-e] (whether to expand combo rights recursively)

  getRightsDoc(grd) [java packages]

  grantRight(grr) {target-type} [{target-id|target-name}] {grantee-type} [{grantee-id|grantee-name} [secret]] {[-]right}

  revokeRight(rvr) {target-type} [{target-id|target-name}] {grantee-type} [{grantee-id|grantee-name}] {[-]right}


    {target-type} = account, calresource, cos, dl, group, domain, server, ucservice, xmppcomponent, zimlet, config, global

    {target-id|target-name} is required if target-type is: account calresource cos dl group domain server ucservice xmppcomponent zimlet ,
        otherwise {target-id|target-name} should not be specified

    {grantee-type} = usr, grp, egp, all, dom, gst, key, pub, email

    {grantee-id|grantee-name} is required if grantee-type is: usr grp egp dom gst key email ,
        otherwise {target-id|target-name} should not be specified

    {right}: if right is prefixed with a '-', it means negative right, i.e., specifically deny
             for complete list of rights, do "zmprov [-l] gar"


zmprov grd

[zimbra@zcs804 docs]$ zmprov grd
#
#  Generated by: zmprov grd
#
#  Date: November 23, 2013
# 
#  Pacakges:
#       com.zimbra.cs.service.admin
#       com.zimbra.bp
#       com.zimbra.cert
#       com.zimbra.cs.network
#       com.zimbra.cs.network.license.service
#       com.zimbra.cs.service.backup
#       com.zimbra.cs.service.hsm
#       com.zimbra.xmbxsearch
# 


========================================
Package: com.zimbra.bp
========================================

------------------------------
BulkIMAPDataImportRequest

    Related rights:
        createMigrationTask
        modifyAccount
        adminLoginAs

    Notes:
        Admin has to have modifyAccount and adminLoginAs rights for each
        account that is being migrated.

        com.zimbra.cs.account.accesscontrol.PresetRight@30bb7235 right is
        required in order to access this SOAP handler.


------------------------------
BulkImportAccountsRequest

    Related rights:
        createAccount
        listAccount
        createTopDomain
        createSubDomain

    Notes:
        Only accounts on which the authed admin has listAccount right will be
        provisioned.

        com.zimbra.cs.account.accesscontrol.PresetRight@28370f7b right is
        required in order to automatically create top level domains.

        com.zimbra.cs.account.accesscontrol.PresetRight@47ba8be7 right is
        required in order to automatically create sub-domains.


------------------------------
GenerateBulkProvisionFileFromLDAPRequest

    Related rights:
        accessGAL

    Notes:

------------------------------
GetBulkIMAPImportTaskListRequest

    Related rights:

    Notes:
        TDB


------------------------------
PurgeBulkIMAPImportTasksRequest

    Related rights:

    Notes:
        TDB


========================================
Package: com.zimbra.cert
========================================

------------------------------
GenCSRRequest

    Related rights:
        generateCSR

    Notes:

------------------------------
GetCSRRequest

    Related rights:
        getCSR

    Notes:

------------------------------
GetCertRequest

    Related rights:
        getCertificateInfo

    Notes:

------------------------------
InstallCertRequest

    Related rights:
        installCertificate

    Notes:

------------------------------
UploadDomCertRequest

    Related rights:

    Notes:
        TDB


------------------------------
UploadProxyCARequest

    Related rights:

    Notes:
        TDB


------------------------------
VerifyCertKeyRequest

    Related rights:

    Notes:
        TDB


========================================
Package: com.zimbra.cs.network
========================================

------------------------------
GetSMIMEConfigRequest

    Related rights:

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyDomain right, which allows
        setting all attributes on domain, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.

        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyGlobalConfig right, which allows
        setting all attributes on global config, or grant the set attrs right
        just for the attributes the admin needs to set while creating an
        entry.


------------------------------
ModifySMIMEConfigRequest

    Related rights:

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyDomain right, which allows
        setting all attributes on domain, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.

        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyGlobalConfig right, which allows
        setting all attributes on global config, or grant the set attrs right
        just for the attributes the admin needs to set while creating an
        entry.


------------------------------
SearchMultiMailboxRequest

    Related rights:
        adminLoginAs

    Notes:
        Do not need any right, all admins are allowed.

        Will only search mailboxes on which the authed admin has effective:
        adminLoginAs right.


========================================
Package: com.zimbra.cs.network.license.service
========================================

------------------------------
ActivateLicenseRequest

    Related rights:
        installZCSLicense

    Notes:

------------------------------
GetLicenseRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
InstallLicenseRequest

    Related rights:
        installZCSLicense

    Notes:

========================================
Package: com.zimbra.cs.service.admin
========================================

------------------------------
AddAccountAliasRequest

    Related rights:
        addCalendarResourceAlias
        addAccountAlias
        createAlias

    Notes:
        Need createAlias right on the domain in which the alias is to be
        created.

        Need addAccountAlias right if adding alias for an account.

        Need addCalendarResourceAlias right if adding alias for a calendar
        resource.


------------------------------
AddAccountLoggerRequest

    Related rights:
        manageAccountLogger

    Notes:

------------------------------
AddDistributionListAliasRequest

    Related rights:
        addDistributionListAlias
        addGroupAlias
        createAlias

    Notes:

------------------------------
AddDistributionListMemberRequest

    Related rights:
        addDistributionListMember
        addGroupMember

    Notes:

------------------------------
AddGalSyncDataSourceRequest

    Related rights:
        createAccount

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyAccount right, which allows
        setting all attributes on account, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.


------------------------------
AdminCreateWaitSetRequest

    Related rights:

    Notes:
        If allAccounts is specified, Only system admins are allowed.

        Otherwise, for each requested account, If the target is an account,
        need the adminLoginAs right; If the target is a calendar resource,
        need the R_adminLoginCalendarResourceAs right.


------------------------------
AdminDestroyWaitSetRequest

    Related rights:

    Notes:
        If the waitset is on all accounts, Only system admins are allowed.

        Otherwise, must be the owner of the specified waitset


------------------------------
AdminWaitSetRequest

    Related rights:

    Notes:
        If the waitset is on all accounts, Only system admins are allowed.

        Otherwise, must be the owner of the specified waitset


------------------------------
AuthRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
AutoCompleteGalRequest

    Related rights:
        accessGAL

    Notes:

------------------------------
AutoProvAccountRequest

    Related rights:
        autoProvisionAccount

    Notes:

------------------------------
AutoProvTaskControlRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
CheckAuthConfigRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
CheckBlobConsistencyRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
CheckDirectoryRequest

    Related rights:
        checkDirectoryOnFileSystem

    Notes:

------------------------------
CheckDomainMXRecordRequest

    Related rights:
        checkDomainMXRecord

    Notes:

------------------------------
CheckExchangeAuthRequest

    Related rights:
        checkExchangeAuthConfig

    Notes:

------------------------------
CheckGalConfigRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
CheckHealthRequest

    Related rights:
        checkHealth

    Notes:
        The checkHealth is needed only when the client making the SOAP request
        is localhost.


------------------------------
CheckHostnameResolveRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
CheckPasswordStrengthRequest

    Related rights:
        checkPasswordStrength
        checkCalendarResourcePasswordStrength

    Notes:

------------------------------
CheckRightRequest

    Related rights:
        checkRightUsr

    Notes:

------------------------------
ClearCookieRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
CompactIndexRequest

    Related rights:
        reindexMailbox
        reindexCalendarResourceMailbox

    Notes:

------------------------------
ComputeAggregateQuotaUsageRequest

    Related rights:

    Notes:
        TDB


------------------------------
ConfigureZimletRequest

    Related rights:

    Notes:
        TDB

        Currently the soap gets a uploaded blob containing metadata. The
        zimlet name is encoded in in the blob and is decoded in ZimletUtil. We
        need a way to know the zimlet name (and cos name if any, currently it
        seems to always only update the default cos) in the SOAP handler in
        order to check right.


------------------------------
CopyCosRequest

    Related rights:
        createCos
        getCos

    Notes:
        Need the getCos right on the source cos.


------------------------------
CountAccountRequest

    Related rights:
        countAccount

    Notes:

------------------------------
CountObjectsRequest

    Related rights:

    Notes:
        TDB


------------------------------
CreateAccountRequest

    Related rights:
        createAccount

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyAccount right, which allows
        setting all attributes on account, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.

        Notes on zimbraCOSId: If setting zimbraCOSId, needs the assignCos
        right on the cos.


------------------------------
CreateCalendarResourceRequest

    Related rights:
        createCalendarResource

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyCalendarResource right, which
        allows setting all attributes on calendar resource, or grant the set
        attrs right just for the attributes the admin needs to set while
        creating an entry.


------------------------------
CreateCosRequest

    Related rights:
        createCos

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyCos right, which allows setting
        all attributes on cos, or grant the set attrs right just for the
        attributes the admin needs to set while creating an entry.


------------------------------
CreateDataSourceRequest

    Related rights:
        adminLoginAs
        adminLoginCalendarResourceAs

    Notes:
        If the target is an account, need the adminLoginAs right; If the
        target is a calendar resource, need the R_adminLoginCalendarResourceAs
        right.


------------------------------
CreateDistributionListRequest

    Related rights:
        createDistributionList
        createGroup

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyDistributionList right, which
        allows setting all attributes on distribution list, or grant the set
        attrs right just for the attributes the admin needs to set while
        creating an entry.

        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyGroup right, which allows
        setting all attributes on group, or grant the set attrs right just for
        the attributes the admin needs to set while creating an entry.


------------------------------
CreateDomainRequest

    Related rights:
        createTopDomain
        createSubDomain

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyDomain right, which allows
        setting all attributes on domain, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.


------------------------------
CreateGalSyncAccountRequest

    Related rights:
        createAccount

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyAccount right, which allows
        setting all attributes on account, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.


------------------------------
CreateServerRequest

    Related rights:
        createServer

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyServer right, which allows
        setting all attributes on server, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.


------------------------------
CreateSystemRetentionPolicyRequest

    Related rights:

    Notes:
        Need set attr right on attribute zimbraMailPurgeSystemPolicy


------------------------------
CreateUCServiceRequest

    Related rights:
        createUCService

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyUCService right, which allows
        setting all attributes on ucservice, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.


------------------------------
CreateVolumeRequest

    Related rights:
        manageVolume

    Notes:

------------------------------
CreateXMPPComponentRequest

    Related rights:
        createXMPPComponent

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyXMPPComponent right, which
        allows setting all attributes on XMPP component, or grant the set
        attrs right just for the attributes the admin needs to set while
        creating an entry.


------------------------------
CreateZimletRequest

    Related rights:
        createZimlet

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyZimlet right, which allows
        setting all attributes on zimlet, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.


------------------------------
DedupeBlobsRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
DelegateAuthRequest

    Related rights:
        adminLoginAs
        adminLoginCalendarResourceAs

    Notes:
        If the target is an account, need the adminLoginAs right; If the
        target is a calendar resource, need the R_adminLoginCalendarResourceAs
        right.


------------------------------
DeleteAccountRequest

    Related rights:
        deleteAccount

    Notes:

------------------------------
DeleteCalendarResourceRequest

    Related rights:
        deleteCalendarResource

    Notes:

------------------------------
DeleteCosRequest

    Related rights:
        deleteCos

    Notes:

------------------------------
DeleteDataSourceRequest

    Related rights:
        adminLoginAs
        adminLoginCalendarResourceAs

    Notes:
        If the target is an account, need the adminLoginAs right; If the
        target is a calendar resource, need the R_adminLoginCalendarResourceAs
        right.


------------------------------
DeleteDistributionListRequest

    Related rights:
        deleteDistributionList
        deleteGroup

    Notes:

------------------------------
DeleteDomainRequest

    Related rights:
        deleteDomain

    Notes:

------------------------------
DeleteGalSyncAccountRequest

    Related rights:
        deleteAccount

    Notes:

------------------------------
DeleteMailboxRequest

    Related rights:
        deleteAccount

    Notes:

------------------------------
DeleteServerRequest

    Related rights:
        deleteServer

    Notes:

------------------------------
DeleteSystemRetentionPolicyRequest

    Related rights:

    Notes:
        Need set attr right on attribute zimbraMailPurgeSystemPolicy


------------------------------
DeleteUCServiceRequest

    Related rights:
        deleteUCService

    Notes:

------------------------------
DeleteVolumeRequest

    Related rights:
        manageVolume

    Notes:

------------------------------
DeleteXMPPComponentRequest

    Related rights:
        deleteXMPPComponent

    Notes:

------------------------------
DeleteZimletRequest

    Related rights:
        deleteZimlet

    Notes:

------------------------------
DeployZimletRequest

    Related rights:
        deployZimlet

    Notes:
        If deploying on all servers, need the deployZimlet right on all
        servers or on global grant. If deploying on local server, need the
        deployZimlet on the local server.


------------------------------
DumpSessionsRequest

    Related rights:
        getSessions

    Notes:

------------------------------
ExportAndDeleteItemsRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
FixCalendarEndTimeRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
FixCalendarPriorityRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
FixCalendarTZRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
FlushCacheRequest

    Related rights:
        flushCache

    Notes:

------------------------------
GetAccountInfoRequest

    Related rights:
        getAccountInfo
        getCalendarResourceInfo

    Notes:

------------------------------
GetAccountLoggersRequest

    Related rights:
        manageAccountLogger

    Notes:

------------------------------
GetAccountMembershipRequest

    Related rights:
        getAccountMembership

    Notes:
        If the authed admin has get attr right on distribution list attr
        zimbraIsAdminGroup, it is returned in the response if set.


------------------------------
GetAccountRequest

    Related rights:
        getAccount

    Notes:
        Attributes that are not allowed to be get by the authenticated admin
        will be returned as <a n="{attr-name}"
        pd="1"/>.To allow an admin to get all attributes, grant
        the getAccount right


------------------------------
GetAdminConsoleUICompRequest

    Related rights:
        viewAccountAdminUI
        viewDistributionListAdminUI

    Notes:
        If account/dl is not specified, Do not need any right, all admins are
        allowed.

        If an account is specified, need the viewAccountAdminUI right.

        If a dl is specified, need the viewDistributionListAdminUI right.

        Note, this call does not check for the get attr right for
        zimbraAdminConsoleUIComponents attribute on the account/dl, nor on the
        admin groups they belong. It simply checks the viewAccountAdminUI or
        viewDistributionListAdminUI right.


------------------------------
GetAdminExtensionZimletsRequest

    Related rights:
        listZimlet
        getZimlet

    Notes:
        Only zimlets on which the authed admin has effective listZimlet and
        getZimlet rights will appear in the response.

        e.g. there are zimlet1, zimlet2, zimlet3, if an admin has effective
        listZimlet and getZimlet rights on zimlet1, zimlet2, then only
        zimlet1, zimlet2 will appear in the GetAdminExtensionZimletsResponse.
        The GetAdminExtensionZimletsRequest itself will not get PERM_DENIED.


------------------------------
GetAdminSavedSearchesRequest

    Related rights:
        viewAdminSavedSearch

    Notes:

------------------------------
GetAggregateQuotaUsageOnServerRequest

    Related rights:

    Notes:
        TDB


------------------------------
GetAllAccountLoggersRequest

    Related rights:
        manageAccountLogger

    Notes:

------------------------------
GetAllAccountsRequest

    Related rights:
        listAccount
        getAccount

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
GetAllAdminAccountsRequest

    Related rights:
        listAccount
        getAccount

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
GetAllCalendarResourcesRequest

    Related rights:
        listCalendarResource
        getCalendarResource

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
GetAllConfigRequest

    Related rights:
        getGlobalConfig

    Notes:

------------------------------
GetAllCosRequest

    Related rights:
        listCos
        getCos

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
GetAllDistributionListsRequest

    Related rights:
        listDistributionList
        getDistributionList

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
GetAllDomainsRequest

    Related rights:
        listDomain
        getDomain

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
GetAllEffectiveRightsRequest

    Related rights:
        checkRightUsr
        checkRightGrp

    Notes:
        If grantee to check for is an account, needs the checkRightUsr right

        If grantee to check for is a group, needs the checkRightGrp right


------------------------------
GetAllFreeBusyProvidersRequest

    Related rights:
        getAllFreeBusyProviders

    Notes:

------------------------------
GetAllLocalesRequest

    Related rights:

    Notes:
        Allow all admins


------------------------------
GetAllMailboxesRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
GetAllRightsRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
GetAllServersRequest

    Related rights:
        listServer
        getServer

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
GetAllSkinsRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
GetAllUCProvidersRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
GetAllUCServicesRequest

    Related rights:
        listUCService
        getUCService

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
GetAllVolumesRequest

    Related rights:
        manageVolume

    Notes:

------------------------------
GetAllXMPPComponentsRequest

    Related rights:
        listXMPPComponent
        getXMPPComponent

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
GetAllZimletsRequest

    Related rights:
        listZimlet
        getZimlet

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
GetAttributeInfoRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
GetCalendarResourceRequest

    Related rights:
        getCalendarResource

    Notes:
        Attributes that are not allowed to be get by the authenticated admin
        will be returned as <a n="{attr-name}"
        pd="1"/>.To allow an admin to get all attributes, grant
        the getCalendarResource right


------------------------------
GetConfigRequest

    Related rights:

    Notes:
        Need get attr right for the specified attribute.


------------------------------
GetCosRequest

    Related rights:
        getCos

    Notes:
        Attributes that are not allowed to be get by the authenticated admin
        will be returned as <a n="{attr-name}"
        pd="1"/>.To allow an admin to get all attributes, grant
        the getCos right


------------------------------
GetCreateObjectAttrsRequest

    Related rights:
        checkRightUsr

    Notes:

------------------------------
GetCurrentVolumesRequest

    Related rights:
        manageVolume

    Notes:

------------------------------
GetDataSourcesRequest

    Related rights:
        adminLoginAs
        adminLoginCalendarResourceAs

    Notes:
        If the target is an account, need the adminLoginAs right; If the
        target is a calendar resource, need the R_adminLoginCalendarResourceAs
        right.


------------------------------
GetDelegatedAdminConstraintsRequest

    Related rights:

    Notes:
        Need set attr right on attribute zimbraConstraint


------------------------------
GetDistributionListMembershipRequest

    Related rights:
        getDistributionListMembership

    Notes:

------------------------------
GetDistributionListRequest

    Related rights:
        getDistributionList
        getGroup

    Notes:
        Attributes that are not allowed to be get by the authenticated admin
        will be returned as <a n="{attr-name}"
        pd="1"/>.To allow an admin to get all attributes, grant
        the getDistributionList right

        Attributes that are not allowed to be get by the authenticated admin
        will be returned as <a n="{attr-name}"
        pd="1"/>.To allow an admin to get all attributes, grant
        the getGroup right


------------------------------
GetDomainInfoRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
GetDomainRequest

    Related rights:
        getDomain

    Notes:
        Attributes that are not allowed to be get by the authenticated admin
        will be returned as <a n="{attr-name}"
        pd="1"/>.To allow an admin to get all attributes, grant
        the getDomain right


------------------------------
GetEffectiveRightsRequest

    Related rights:
        checkRightUsr

    Notes:

------------------------------
GetFreeBusyQueueInfoRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
GetGrantsRequest

    Related rights:
        viewGrants

    Notes:
        Needs a get attr right of zimbraACE on each the target entry. Granting
        the viewGrants is one way to do it, which will give the right on all
        target types. Use inline right if more granularity is needed. See doc
        for the viewGrants right in zimbra-rights.xml for more details.


------------------------------
GetIndexStatsRequest

    Related rights:
        reindexMailbox
        reindexCalendarResourceMailbox

    Notes:

------------------------------
GetLicenseInfoRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
GetLoggerStatsRequest

    Related rights:
        getServerStats

    Notes:

------------------------------
GetMailQueueInfoRequest

    Related rights:
        manageMailQueue

    Notes:

------------------------------
GetMailQueueRequest

    Related rights:
        manageMailQueue

    Notes:

------------------------------
GetMailboxRequest

    Related rights:
        getMailboxInfo

    Notes:

------------------------------
GetMailboxStatsRequest

    Related rights:
        getMailboxStats

    Notes:

------------------------------
GetMemcachedClientConfigRequest

    Related rights:

    Notes:
        TDB


------------------------------
GetQuotaUsageRequest

    Related rights:
        getDomainQuotaUsage

    Notes:
        If a domain is specified, need the the domain right
        getDomainQuotaUsage. If domain is not specified, only system admins
        are allowed.


------------------------------
GetRightRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
GetRightsDocRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
GetServerNIfsRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
GetServerRequest

    Related rights:
        getServer

    Notes:
        Attributes that are not allowed to be get by the authenticated admin
        will be returned as <a n="{attr-name}"
        pd="1"/>.To allow an admin to get all attributes, grant
        the getServer right


------------------------------
GetServerStatsRequest

    Related rights:
        getServerStats

    Notes:

------------------------------
GetServiceStatusRequest

    Related rights:
        getServiceStatus

    Notes:

------------------------------
GetSessionsRequest

    Related rights:
        getSessions

    Notes:

------------------------------
GetShareInfoRequest

    Related rights:
        adminLoginAs
        adminLoginCalendarResourceAs

    Notes:
        If the target is an account, need the adminLoginAs right; If the
        target is a calendar resource, need the R_adminLoginCalendarResourceAs
        right.


------------------------------
GetSystemRetentionPolicyRequest

    Related rights:

    Notes:
        Need get attr right on attribute zimbraMailPurgeSystemPolicy


------------------------------
GetUCServiceRequest

    Related rights:
        getUCService

    Notes:
        Attributes that are not allowed to be get by the authenticated admin
        will be returned as <a n="{attr-name}"
        pd="1"/>.To allow an admin to get all attributes, grant
        the getUCService right


------------------------------
GetVersionInfoRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
GetVolumeRequest

    Related rights:
        manageVolume

    Notes:

------------------------------
GetXMPPComponentRequest

    Related rights:
        getXMPPComponent

    Notes:
        Attributes that are not allowed to be get by the authenticated admin
        will be returned as <a n="{attr-name}"
        pd="1"/>.To allow an admin to get all attributes, grant
        the getXMPPComponent right


------------------------------
GetZimletRequest

    Related rights:
        getZimlet

    Notes:
        Attributes that are not allowed to be get by the authenticated admin
        will be returned as <a n="{attr-name}"
        pd="1"/>.To allow an admin to get all attributes, grant
        the getZimlet right


------------------------------
GetZimletStatusRequest

    Related rights:
        listZimlet
        listCos
        getZimlet

    Notes:
        Only zimlets on which the authed admin has effective listZimlet and
        getZimlet rights will appear in <zimlets> in the response.

        Only zimlets on which the authed admin has effective listCos right
        will be appear in <cos> in the response.

        e.g. there are zimlet1, zimlet2, zimlet3 and cos1, cos2 , if an admin
        has effective listZimlet and getZimlet rights on zimlet1, zimlet2,
        then only zimlet1, zimlet2 will appear in <zimlets> in
        GetZimletStatusResponse, and only cos1 will appear in <cos> in
        the resposne. The GetZimletStatusRequest itself will not get
        PERM_DENIED.


------------------------------
GrantRightRequest

    Related rights:

    Notes:
        Grantor must have the same or more rights on the same target or on a
        larger target set.


------------------------------
MailQueueActionRequest

    Related rights:
        manageMailQueue

    Notes:

------------------------------
MailQueueFlushRequest

    Related rights:
        manageMailQueue

    Notes:

------------------------------
MigrateAccountRequest

    Related rights:
        adminLoginAs

    Notes:

------------------------------
ModifyAccountRequest

    Related rights:
        assignCos

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyAccount right, which allows
        setting all attributes on account, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.

        Notes on zimbraCOSId: If setting zimbraCOSId, needs the assignCos
        right on the cos.If removing zimbraCOSId, needs the assignCos right on
        the domain default cos. (in domain attribute
        zimbraDomainDefaultCOSId).


------------------------------
ModifyAdminSavedSearchesRequest

    Related rights:
        setAdminSavedSearch

    Notes:

------------------------------
ModifyCalendarResourceRequest

    Related rights:

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyCalendarResource right, which
        allows setting all attributes on calendar resource, or grant the set
        attrs right just for the attributes the admin needs to set while
        creating an entry.


------------------------------
ModifyConfigRequest

    Related rights:

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyGlobalConfig right, which allows
        setting all attributes on global config, or grant the set attrs right
        just for the attributes the admin needs to set while creating an
        entry.


------------------------------
ModifyCosRequest

    Related rights:

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyCos right, which allows setting
        all attributes on cos, or grant the set attrs right just for the
        attributes the admin needs to set while creating an entry.


------------------------------
ModifyDataSourceRequest

    Related rights:
        adminLoginAs
        adminLoginCalendarResourceAs

    Notes:
        If the target is an account, need the adminLoginAs right; If the
        target is a calendar resource, need the R_adminLoginCalendarResourceAs
        right.


------------------------------
ModifyDelegatedAdminConstraintsRequest

    Related rights:

    Notes:
        Need set attr right on attribute zimbraConstraint


------------------------------
ModifyDistributionListRequest

    Related rights:

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyDistributionList right, which
        allows setting all attributes on distribution list, or grant the set
        attrs right just for the attributes the admin needs to set while
        creating an entry.


------------------------------
ModifyDomainRequest

    Related rights:

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyDomain right, which allows
        setting all attributes on domain, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.

        Notes on zimbraDomainDefaultCOSId: If setting
        zimbraDomainDefaultCOSId, needs the assignCos right on the cos.


------------------------------
ModifyServerRequest

    Related rights:

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyServer right, which allows
        setting all attributes on server, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.


------------------------------
ModifySystemRetentionPolicyRequest

    Related rights:

    Notes:
        Need set attr right on attribute zimbraMailPurgeSystemPolicy


------------------------------
ModifyUCServiceRequest

    Related rights:

    Notes:
        All attrs provided in the attribute list have to settable by. the
        authed admin. You can grant the modifyUCService right, which allows
        setting all attributes on ucservice, or grant the set attrs right just
        for the attributes the admin needs to set while creating an entry.


------------------------------
ModifyVolumeRequest

    Related rights:
        manageVolume

    Notes:

------------------------------
ModifyZimletRequest

    Related rights:
        manageZimlet
        modifyZimlet

    Notes:
        For acl: needs manageZimlet on cos.

        For status: needs right to set zimbraZimletEnabled on the zimlet

        For priority: needs right to set zimbraZimletPriority on *all*
        zimlets, because potentially the attribute can be modified on all
        zimlets.


------------------------------
NoOpRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
PingRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
PurgeAccountCalendarCacheRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
PurgeFreeBusyQueueRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
PurgeMessagesRequest

    Related rights:
        purgeMessages

    Notes:
        If account ids are specified, needs effective purgeMessages right for
        each account. If account ids are not specified, the authed account has
        to be a system admin.


------------------------------
PushFreeBusyRequest

    Related rights:
        adminLoginAs
        adminLoginCalendarResourceAs

    Notes:
        If the target is an account, need the adminLoginAs right; If the
        target is a calendar resource, need the R_adminLoginCalendarResourceAs
        right.


------------------------------
QueryWaitSetRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
ReIndexRequest

    Related rights:
        reindexMailbox
        reindexCalendarResourceMailbox

    Notes:

------------------------------
RecalculateMailboxCountsRequest

    Related rights:
        adminLoginAs
        adminLoginCalendarResourceAs

    Notes:
        If the target is an account, need the adminLoginAs right; If the
        target is a calendar resource, need the R_adminLoginCalendarResourceAs
        right.


------------------------------
ReloadLocalConfigRequest

    Related rights:

    Notes:
        TDB


------------------------------
ReloadMemcachedClientConfigRequest

    Related rights:

    Notes:
        TDB


------------------------------
RemoveAccountAliasRequest

    Related rights:
        removeAccountAlias
        removeCalendarResourceAlias
        deleteAlias

    Notes:

------------------------------
RemoveAccountLoggerRequest

    Related rights:
        manageAccountLogger

    Notes:

------------------------------
RemoveDistributionListAliasRequest

    Related rights:
        removeDistributionListAlias
        removeGroupAlias
        deleteAlias

    Notes:

------------------------------
RemoveDistributionListMemberRequest

    Related rights:
        removeDistributionListMember
        removeGroupMember

    Notes:

------------------------------
RenameAccountRequest

    Related rights:
        renameAccount
        createAccount

    Notes:

------------------------------
RenameCalendarResourceRequest

    Related rights:
        renameCalendarResource
        createCalendarResource

    Notes:

------------------------------
RenameCosRequest

    Related rights:
        renameCos

    Notes:

------------------------------
RenameDistributionListRequest

    Related rights:
        renameDistributionList
        createDistributionList

    Notes:

------------------------------
RenameUCServiceRequest

    Related rights:
        renameUCService

    Notes:

------------------------------
ResetAllLoggersRequest

    Related rights:

    Notes:
        TDB


------------------------------
RevokeRightRequest

    Related rights:

    Notes:
        Grantor must have the same or more rights on the same target or on a
        larger target set.


------------------------------
RunUnitTestsRequest

    Related rights:

    Notes:
        Do not need any right, all admins are allowed.


------------------------------
SearchAccountsRequest

    Related rights:
        getAccount
        getCalendarResource
        getDistributionList
        getDomain
        listAccount
        listCalendarResource
        listDistributionList
        listDomain

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
SearchAutoProvDirectoryRequest

    Related rights:
        autoProvisionAccount

    Notes:

------------------------------
SearchCalendarResourcesRequest

    Related rights:
        getCalendarResource
        listCalendarResource

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
SearchDirectoryRequest

    Related rights:
        getAccount
        getCalendarResource
        getDistributionList
        getDomain
        getCos
        listAccount
        listCalendarResource
        listDistributionList
        listDomain
        listCos

    Notes:
        If the authenticated admin does not have the corresponding list{Entry}
        right for an entry, the entry is skipped in the
        getAllXXX/searchXXX/searchDirectoryResponse, no PERM_DENIED exception
        will be thrown. Attributes that are not allowed to be get by the
        authenticated admin will be returned as <a
        n="{attr-name}" pd="1"/>.


------------------------------
SearchGalRequest

    Related rights:
        accessGAL

    Notes:

------------------------------
SetCurrentVolumeRequest

    Related rights:
        manageVolume

    Notes:

------------------------------
SetPasswordRequest

    Related rights:
        setAccountPassword
        changeAccountPassword
        setCalendarResourcePassword
        changeCalendarResourcePassword

    Notes:

------------------------------
SyncGalAccountRequest

    Related rights:

    Notes:
        TDB


------------------------------
UndeployZimletRequest

    Related rights:
        deployZimlet

    Notes:
        Need the deployZimlet right on all servers.


------------------------------
UpdatePresenceSessionIdRequest

    Related rights:

    Notes:
        Need set attr right on attribute zimbraUCPresenceSessionId


------------------------------
VerifyIndexRequest

    Related rights:
        reindexMailbox
        reindexCalendarResourceMailbox

    Notes:

------------------------------
VerifyStoreManagerRequest

    Related rights:

    Notes:
        TDB


========================================
Package: com.zimbra.cs.service.backup
========================================

------------------------------
BackupAccountQueryRequest

    Related rights:
        backupAccount

    Notes:

------------------------------
BackupQueryRequest

    Related rights:
        backupAccount

    Notes:

------------------------------
BackupRequest

    Related rights:
        backupAccount

    Notes:

------------------------------
ExportMailboxRequest

    Related rights:
        moveAccountMailbox
        moveCalendarResourceMailbox
        moveMailboxFromServer
        moveMailboxToServer

    Notes:
        If the account is a calendar resource, need
        moveCalendarResourceMailbox right on the calendar resource.

        If the account is a regular account, need moveAccountMailbox right on
        the account.

        Need moveMailboxFromServer right on the source server

        Need moveMailboxToServer right on the target server


------------------------------
GetMailboxVersionRequest

    Related rights:
        moveAccountMailbox
        moveCalendarResourceMailbox
        moveMailboxFromServer

    Notes:
        If the account is a calendar resource, need
        moveCalendarResourceMailbox right on the calendar resource.

        If the account is a regular account, need moveAccountMailbox right on
        the account.

        Need moveMailboxFromServer right on the source server


------------------------------
GetMailboxVolumesRequest

    Related rights:
        moveAccountMailbox
        moveCalendarResourceMailbox
        moveMailboxFromServer

    Notes:
        If the account is a calendar resource, need
        moveCalendarResourceMailbox right on the calendar resource.

        If the account is a regular account, need moveAccountMailbox right on
        the account.

        Need moveMailboxFromServer right on the source server


------------------------------
MoveMailboxRequest

    Related rights:
        moveAccountMailbox
        moveCalendarResourceMailbox
        moveMailboxFromServer

    Notes:
        If the account is a calendar resource, need
        moveCalendarResourceMailbox right on the calendar resource.

        If the account is a regular account, need moveAccountMailbox right on
        the account.

        Need moveMailboxFromServer right on the source server


------------------------------
PurgeMovedMailboxRequest

    Related rights:
        moveAccountMailbox
        moveCalendarResourceMailbox
        moveMailboxFromServer

    Notes:
        If the account is a calendar resource, need
        moveCalendarResourceMailbox right on the calendar resource.

        If the account is a regular account, need moveAccountMailbox right on
        the account.

        Need moveMailboxFromServer right on the source server


------------------------------
QueryMailboxMoveRequest

    Related rights:

    Notes:
        TDB


------------------------------
RegisterMailboxMoveOutRequest

    Related rights:

    Notes:
        TDB


------------------------------
ReloadAccountRequest

    Related rights:

    Notes:
        TDB


------------------------------
RestoreRequest

    Related rights:
        restoreAccount

    Notes:

------------------------------
RolloverRedoLogRequest

    Related rights:
        rolloverRedoLog

    Notes:

------------------------------
ScheduleBackupsRequest

    Related rights:
        backupAccount

    Notes:

------------------------------
UnloadMailboxRequest

    Related rights:

    Notes:
        TDB


------------------------------
UnregisterMailboxMoveOutRequest

    Related rights:

    Notes:
        TDB


========================================
Package: com.zimbra.cs.service.hsm
========================================

------------------------------
AbortHsmRequest

    Related rights:

    Notes:
        Only system admins are allowed.


------------------------------
GetApplianceHSMFSRequest

    Related rights:
        manageVolume

    Notes:
        Requires manageVolume right on the target server

        Lists file systems under /opt/zimbra/data/mailboxd/hsm/ by parsing the
        output of df -x tmpfs -P -T -B 1024 command

        Currently applicable only to Zimbra Appliance


------------------------------
GetHsmStatusRequest

    Related rights:
        getHSMStatus

    Notes:
        Requires getHSMStatus right on the target server


------------------------------
HsmRequest

    Related rights:
        moveBlobs

    Notes:
        Requires moveBlobs right on the target server


------------------------------
MoveBlobsRequest

    Related rights:
        moveBlobs

    Notes:
        Requires moveBlobs right on the target server
Jump to: navigation, search