Difference between revisions of "UmaT-Implementing-Delegated-Administration"

(View grants)
 
(14 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== '''Work in Progress''' ==
+
{{BC|Community Sandbox}}
 
+
__FORCETOC__
 +
<div class="col-md-12 ibox-content">
 +
= Implementing Delegated Administration=
 +
{{KB|{{Unsupported}}|{{ZCS 8.6}}|{{ZCS 8.5}}|}}
 +
{{WIP}}== Introduction ==
  
 
The Delegated Administration feature lets you create different delegated administrator roles to manage your ZCS environment. Please refer the 'Delegated Administration' section in Administrator guide to understand the basic terminologies.
 
The Delegated Administration feature lets you create different delegated administrator roles to manage your ZCS environment. Please refer the 'Delegated Administration' section in Administrator guide to understand the basic terminologies.
  
http://www.zimbra.com/docs/ne/latest/administration_guide/wwhelp/wwhimpl/js/html/wwhelp.htm#href=ZCS_Admin_Guide_7_NE.Delegated_Administration.html
+
[http://www.zimbra.com/docs/ne/latest/administration_guide/wwhelp/wwhimpl/js/html/wwhelp.htm#href=ZCS_Admin_Guide_7_NE.Delegated_Administration.html ZCS Admin Guide 7.3]
 
 
  
 
Below are the guidelines to manage the distribution list through CLI.
 
Below are the guidelines to manage the distribution list through CLI.
  
  
1. Create domain
+
== Create domain ==
  
 
     $ zmprov cd domain.com zimbraAuthMech zimbra
 
     $ zmprov cd domain.com zimbraAuthMech zimbra
  
2. Create the delegated admin
+
== Create the delegated admin ==
  
 
     $ zmprov ca  delegatedadmin@example.com <passwd>  zimbraIsDelegatedAdminAccount TRUE
 
     $ zmprov ca  delegatedadmin@example.com <passwd>  zimbraIsDelegatedAdminAccount TRUE
  
3. Admin views
+
== Admin views ==
  
 
Below are list of Admin view's available which can be assigned to delegated admin.
 
Below are list of Admin view's available which can be assigned to delegated admin.
  
  Account LIst View          : accountListView
+
  Account List View          : accountListView
 
  Distribution List View      : DLListView
 
  Distribution List View      : DLListView
  Alias LIst View            : aliasListView  
+
  Alias List View            : aliasListView  
 
  Resource List View          : resourceListView
 
  Resource List View          : resourceListView
 
  Class of Service LIst View  : COSListView
 
  Class of Service LIst View  : COSListView
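Review bot: The commands under "Create domain" and "Create the delegated admin" do not line up: the domain is created as domain.com, but the account is delegatedadmin@example.com, so the `zmprov ca` step fails unless example.com already exists. Suggest using one domain in both commands. Separately, the context line "Class of Service LIst View" still carries the "LIst" typo that this edit corrects on the account and alias rows.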
Line 45: Line 48:
  
  
3.1 Assigning the admin view
+
=== Assigning the admin view ===
 
    
 
    
 
   $ zmprov ma delegatedadmin@example.com zimbraAdminConsoleUIComponents accountListView  zimbraAdminConsoleUIComponents DLListView zimbraAdminConsoleUIComponents COSListView
 
   $ zmprov ma delegatedadmin@example.com zimbraAdminConsoleUIComponents accountListView  zimbraAdminConsoleUIComponents DLListView zimbraAdminConsoleUIComponents COSListView
Line 55: Line 58:
  
  
3.2 Revoking admin view
+
=== Revoking admin view ===
  
'''caution''':  If you want to revoke the COS list view, then you need to run the full command expect appending the revoking component  'COSListView'
+
'''caution''':  If you want to revoke the COS list view, then you need to run the full command except appending the revoking component  'COSListView'
  
 
   $ zmprov ma delegatedadmin@example.com zimbraAdminConsoleUIComponents accountListView  zimbraAdminConsoleUIComponents DLListView
 
   $ zmprov ma delegatedadmin@example.com zimbraAdminConsoleUIComponents accountListView  zimbraAdminConsoleUIComponents DLListView
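Review bot: In "Revoking admin view", changing "expect" to "except" still leaves the caution hard to follow. Suggest stating outright that the `zmprov ma` command has to be re-run with every view that should remain and with COSListView left out, which is what the command under the caution does.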
Line 65: Line 68:
 
     zimbraAdminConsoleUIComponents: DLListView
 
     zimbraAdminConsoleUIComponents: DLListView
  
 +
== Configure Grants on Administrator Accounts ==
  
4. Configure Grants on Administrator Accounts
+
=== Manage Domains ===
 
 
4.1 Manage Domains
 
 
   
 
   
4.1.1  Granting the rights to manage domains.
+
==== Granting the rights to manage domains ====
  
 
Syntax:
 
Syntax:
Line 80: Line 82:
  
  
4.1.2 View grants  
+
==== View grants ====
  
 
Syntax:
 
Syntax:
Line 88: Line 90:
 
Example
 
Example
  
  $ zmprov gg -t example.com
+
  $ zmprov gg -t domain example.com
 
  target type  target id                            target name                    grantee type grantee id                          grantee name                  right
 
  target type  target id                            target name                    grantee type grantee id                          grantee name                  right
 
  ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
 
  ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
Line 99: Line 101:
 
  domain      15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com                  usr          400eecbd-6da3-4cdb-8791-fd5f42faade6 deleagtedadmin@example.com      adminLoginAs
 
  domain      15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com                  usr          400eecbd-6da3-4cdb-8791-fd5f42faade6 deleagtedadmin@example.com      adminLoginAs
  
 +
=== Managing Distribution list ===
  
 
+
==== Granting rights to delegated admin to manage DL ====
4.2 Managing Distribution list
 
 
 
4.2.1 Granting rights to delegated admin to manage DL
 
  
 
   $ zmprov grr dl newdl1@example.com usr deleagtedadmin@example.com domainAdminDistributionListRights
 
   $ zmprov grr dl newdl1@example.com usr deleagtedadmin@example.com domainAdminDistributionListRights
  
4.2.2 Viewing rights assigned to DL
+
==== Viewing rights assigned to DL ====
  
  
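Review bot: The `zmprov grr dl newdl1@example.com usr deleagtedadmin@example.com domainAdminDistributionListRights` line under "Granting rights to delegated admin to manage DL" is carried over with the grantee misspelled as "deleagtedadmin", while the account created earlier on the page is delegatedadmin@example.com. Since the headings around it are being reworked anyway, correct the grantee in the command so it can be pasted as written.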
Line 117: Line 117:
  
  
Examples:
+
== Examples ==
  
 
1. Delegated admin of example1.com can manage the DL of example2.com
 
1. Delegated admin of example1.com can manage the DL of example2.com
Line 140: Line 140:
  
 
  zmprov grr domain example.com usr delegatedadmin@example.com domainAdminRights
 
  zmprov grr domain example.com usr delegatedadmin@example.com domainAdminRights
  zmprov grr global usr delegatedadmin@example.com domainAdminRights
+
  zmprov grr global usr delegatedadmin@example.com domainAdminRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleAliasRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleAliasRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleDomainRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleDomainRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleCOSRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleCOSRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleServerStatusRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleServerStatusRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleResourceRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleResourceRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleSoftwareUpdateRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleSoftwareUpdatesRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleServerStatisticRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleServerStatisticRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleExtensionRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleExtensionRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleBackupRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleBackupRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleMigrationRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleMigrationRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleMailQueueRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleMailQueueRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleSavedSearchRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleSavedSearchRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleDLRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleDLRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleCertificateRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleCertificateRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleGlobalRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleGlobalRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleGlobalACLTabRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleGlobalACLTabRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleServerRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleServerRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleAccountRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleAccountRights
  zmprov grr global usr delegatedadmin@example.com adminConsoleZimletRights
+
  zmprov grr global usr delegatedadmin@example.com adminConsoleZimletRights
  
  
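Review bot: The first two grants in this list overlap: `zmprov grr domain example.com usr delegatedadmin@example.com domainAdminRights` scopes the right to example.com, and the next line grants the same domainAdminRights on the global target. If the global grant is intended, the domain-scoped line is redundant; if not, the global line is wider than the example needs. A sentence saying which is meant would help. The adminConsoleSoftwareUpdateRights to adminConsoleSoftwareUpdatesRights rename is the only change to a right name here and deserves a mention in the edit summary for anyone who copied the old command.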
Line 168: Line 168:
 
  target type  target id                            target name                    grantee type grantee id                          grantee name                  right
 
  target type  target id                            target name                    grantee type grantee id                          grantee name                  right
 
  ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
 
  ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
domain      3c8de9e0-8228-4b48-931e-bc1b040683ed example.com                  usr          928c917e-ed9d-453c-84e0-a7d1da86cf14 delegatedadmin@example.com    domainAdminRights
+
domain      3c8de9e0-8228-4b48-931e-bc1b040683ed example.com                  usr          928c917e-ed9d-453c-84e0-a7d1da86cf14 delegatedadmin@example.com    domainAdminRights
  
  
 +
$zmprov rvr domain example.com usr delegatedadmin@example.com domainAdminRights
 
  $zmprov gg -t domain example.com
 
  $zmprov gg -t domain example.com
 
  target type  target id                            target name                    grantee type grantee id                          grantee name                  right
 
  target type  target id                            target name                    grantee type grantee id                          grantee name                  right
Line 181: Line 182:
  
 
  $ zmprov gg -t calresource projector@example.com  
 
  $ zmprov gg -t calresource projector@example.com  
target type  target id                            target name                    grantee type grantee id                          grantee name                  right
+
target type  target id                            target name                    grantee type grantee id                          grantee name                  right
------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
+
------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
calresource  19363368-4e64-43d7-bc7e-832b91c3bd93 projector@example.com        usr          400eecbd-6da3-4cdb-8791-fd5f42faade6 delegatedadmin@example.com      domainAdminCalendarResourceRights
+
calresource  19363368-4e64-43d7-bc7e-832b91c3bd93 projector@example.com        usr          400eecbd-6da3-4cdb-8791-fd5f42faade6 delegatedadmin@example.com      domainAdminCalendarResourceRights
 
 
 
 
  
'''Miscellaneous commands'''
+
== Miscellaneous commands ==
  
  
Line 204: Line 203:
 
To list global grants  
 
To list global grants  
 
  $ zmprov gg -t global
 
  $ zmprov gg -t global
 +
{{Article Footer|Zimbra Collaboration 7.0|04/16/2014}}

Latest revision as of 19:44, 12 July 2017

Implementing Delegated Administration

   KB 15435        Last updated on 2017-07-12  





Introduction

The Delegated Administration feature lets you create different delegated administrator roles to manage your ZCS environment. Please refer to the 'Delegated Administration' section in the Administrator Guide to understand the basic terminology.

ZCS Admin Guide 7.3

Below are the guidelines to manage the distribution list through CLI.


Create domain

   $ zmprov cd example.com zimbraAuthMech zimbra

Create the delegated admin

   $ zmprov ca  delegatedadmin@example.com <passwd>  zimbraIsDelegatedAdminAccount TRUE

Admin views

Below is the list of admin views that can be assigned to a delegated admin.

Account List View           : accountListView
Distribution List View      : DLListView
Alias List View             : aliasListView
Resource List View          : resourceListView
Class of Service List View  : COSListView
Domain List View            : domainListView
Server List View            : serverListView
Zimlet List View            : zimletListView
Admin Zimlet List View      : adminZimletListView
Global Settings View        : globalConfigView
Global Server Status View   : globalServerStatusView
Help Search View            : helpSearch
Saved Searches View         : saveSearch
Mail Queue View             : mailQueue
Backups View                : backupsView
Certificates View           : certsView
Software Updates            : softwareUpdatesView
Account Migration           : bulkProvisionTasksView
Per Server Statistics View  : perServerStatisticsView
Global ACL View             : globalPermissionView
Right List View             : rightListView


Assigning the admin view

  $ zmprov ma delegatedadmin@example.com zimbraAdminConsoleUIComponents accountListView  zimbraAdminConsoleUIComponents DLListView zimbraAdminConsoleUIComponents COSListView
  $ zmprov ga delegatedadmin@example.com  | grep -i view
  zimbraAdminConsoleUIComponents: accountListView
  zimbraAdminConsoleUIComponents: DLListView
  zimbraAdminConsoleUIComponents: COSListView


Revoking admin view

Caution: To revoke a view, re-run the full command with every view that should remain and leave out the one being revoked. For example, to revoke the COS list view, omit 'COSListView':

  $ zmprov ma delegatedadmin@example.com zimbraAdminConsoleUIComponents accountListView  zimbraAdminConsoleUIComponents DLListView
  $ zmprov ga delegatedadmin@example.com  | grep -i view
    zimbraAdminConsoleUIComponents: accountListView
    zimbraAdminConsoleUIComponents: DLListView

Configure Grants on Administrator Accounts

Manage Domains

Granting the rights to manage domains

Syntax:

grantRight(grr) {target-type} [{target-id|target-name}] {grantee-type} [{grantee-id|grantee-name} [secret]] {[-]right}

Example

$ zmprov grr domain example.com  usr delegatedadmin@example.com  domainAdminRights


View grants

Syntax:

getGrants(gg) [-t {target-type} [{target-id|target-name}]] [-g {grantee-type} {grantee-id|grantee-name} [{0|1 (whether to include grants granted to groups the grantee belongs)}]]


Example

$ zmprov gg -t domain example.com
target type  target id                            target name                    grantee type grantee id                           grantee name                   right
------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
domain       15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com                   grp          f05e6210-1c19-42cb-9ab5-bccd7a045cb7 zimbradomainadmins@example.com +domainAdminConsoleRights
domain       15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com                   usr          400eecbd-6da3-4cdb-8791-fd5f42faade6 deleagtedadmin@example.com       domainAdminConsoleRights
domain       15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com                   usr          928c917e-ed9d-453c-84e0-a7d1da86cf14 deleagtedadmin@example.com       domainAdminRights
domain       15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com                   usr          400eecbd-6da3-4cdb-8791-fd5f42faade6 deleagtedadmin@example.com       domainAdminRights
domain       15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com                   usr          400eecbd-6da3-4cdb-8791-fd5f42faade6 deleagtedadmin@example.com       domainAdminConsoleAccountRights
domain       15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com                   usr          400eecbd-6da3-4cdb-8791-fd5f42faade6 deleagtedadmin@example.com       domainAdminAccountRights
domain       15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com                   usr          400eecbd-6da3-4cdb-8791-fd5f42faade6 deleagtedadmin@example.com       adminLoginAs

Managing Distribution list

Granting rights to delegated admin to manage DL

 $ zmprov grr dl newdl1@example.com usr delegatedadmin@example.com domainAdminDistributionListRights

Viewing rights assigned to DL

$ zmprov gg -t dl newdl1@example.com 0
 target type  target id                            target name                    grantee type grantee id                           grantee name                   right
 ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
dl           2efe18a9-35a7-4553-9347-a744bb35943a newdl1@example.com            usr        400eecbd-6da3-4cdb-8791-fd5f42faade6 delegatedadmin@example.com       domainAdminDistributionListRights


Examples

1. Delegated admin of example1.com can manage the DL of example2.com

$ zmprov grr dl list@example2.com usr delegatedadmin@example1.com domainAdminDistributionListRights
$ zmprov gg -t dl list@example2.com  
 target type  target id                            target name                    grantee type grantee id                           grantee name                   right
 ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
 dl           7163e8b2-a192-4898-a76a-36d288523a4a list@example2.com         usr          400eecbd-6da3-4cdb-8791-fd5f42faade6 delegateadmin@example1.com       domainAdminDistributionListRights


2. Assigning the delegated admin all the "Global Administrator" rights except the "view mail" option.

Admin Views

$ zmprov ma delegatedadmin@example.com zimbraAdminConsoleUIComponents accountListView  zimbraAdminConsoleUIComponents DLListView zimbraAdminConsoleUIComponents aliasListView zimbraAdminConsoleUIComponents resourceListView zimbraAdminConsoleUIComponents COSListView zimbraAdminConsoleUIComponents domainListView zimbraAdminConsoleUIComponents serverListView zimbraAdminConsoleUIComponents zimletListView zimbraAdminConsoleUIComponents adminZimletListView zimbraAdminConsoleUIComponents globalConfigView zimbraAdminConsoleUIComponents globalServerStatusView zimbraAdminConsoleUIComponents helpSearch zimbraAdminConsoleUIComponents saveSearch zimbraAdminConsoleUIComponents mailQueue zimbraAdminConsoleUIComponents backupsView zimbraAdminConsoleUIComponents certsView zimbraAdminConsoleUIComponents softwareUpdatesView zimbraAdminConsoleUIComponents bulkProvisionTasksView zimbraAdminConsoleUIComponents perServerStatisticsView zimbraAdminConsoleUIComponents globalPermissionView zimbraAdminConsoleUIComponents rightListView 


Granting the rights

zmprov grr domain example.com usr delegatedadmin@example.com domainAdminRights
zmprov grr global usr delegatedadmin@example.com domainAdminRights	
zmprov grr global usr delegatedadmin@example.com adminConsoleAliasRights
zmprov grr global usr delegatedadmin@example.com adminConsoleDomainRights
zmprov grr global usr delegatedadmin@example.com adminConsoleCOSRights
zmprov grr global usr delegatedadmin@example.com adminConsoleServerStatusRights
zmprov grr global usr delegatedadmin@example.com adminConsoleResourceRights
zmprov grr global usr delegatedadmin@example.com adminConsoleSoftwareUpdatesRights
zmprov grr global usr delegatedadmin@example.com adminConsoleServerStatisticRights
zmprov grr global usr delegatedadmin@example.com adminConsoleExtensionRights	
zmprov grr global usr delegatedadmin@example.com adminConsoleBackupRights
zmprov grr global usr delegatedadmin@example.com adminConsoleMigrationRights
zmprov grr global usr delegatedadmin@example.com adminConsoleMailQueueRights
zmprov grr global usr delegatedadmin@example.com adminConsoleSavedSearchRights
zmprov grr global usr delegatedadmin@example.com adminConsoleDLRights
zmprov grr global usr delegatedadmin@example.com adminConsoleCertificateRights
zmprov grr global usr delegatedadmin@example.com adminConsoleGlobalRights
zmprov grr global usr delegatedadmin@example.com adminConsoleGlobalACLTabRights
zmprov grr global usr delegatedadmin@example.com adminConsoleServerRights
zmprov grr global usr delegatedadmin@example.com adminConsoleAccountRights
zmprov grr global usr delegatedadmin@example.com adminConsoleZimletRights


3. Revoking domainAdminRights from delegated admin

$ zmprov gg -t domain example.com
target type  target id                            target name                    grantee type grantee id                           grantee name                   right
------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
domain       3c8de9e0-8228-4b48-931e-bc1b040683ed example.com                  usr          928c917e-ed9d-453c-84e0-a7d1da86cf14 delegatedadmin@example.com    domainAdminRights


$ zmprov rvr domain example.com usr delegatedadmin@example.com domainAdminRights
$ zmprov gg -t domain example.com
target type  target id                            target name                    grantee type grantee id                           grantee name                   right
------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------


4. Delegated Administrator allowed to manage calendar resource

$ zmprov grr calresource projector@example.com  usr delegatedadmin@example.com domainAdminCalendarResourceRights
$ zmprov gg -t calresource projector@example.com 
target type  target id                            target name                    grantee type grantee id                           grantee name                   right
------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
calresource  19363368-4e64-43d7-bc7e-832b91c3bd93 projector@example.com         usr          400eecbd-6da3-4cdb-8791-fd5f42faade6 delegatedadmin@example.com       domainAdminCalendarResourceRights

Miscellaneous commands

To get all account rights:-

$ zmprov gar account

To get effective rights for domain admin:-

$ zmprov ger account delegatedadmin@example.com

To get all DL rights:-

$ zmprov gar dl

To get effective rights for distribution list:-

$ zmprov ger dl newdl@example.com

To list global grants

$ zmprov gg -t global
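
Reviewing `zmprov gg` output for grants that are broader than intended, as an added example (not part of the original article or of Zimbra's tooling): the function reads the grants table on stdin and flags grants on the global target, grants where the grantee's domain differs from the target's domain, and the adminLoginAs right. The sample rows and their ids are constructed in the output format shown on this page; the layout of the global row is an assumption, which is why the fields are read from the right.

```shell
#!/bin/sh
# Added example: flag broad grants in `zmprov gg` table output read from stdin.

audit_grants() {
  awk '
    # Domain part of user@domain, or the whole name for a domain target.
    function dom(s,   n) { n = index(s, "@"); return tolower(n ? substr(s, n + 1) : s) }

    # Skip the column header, the dashed separator and blank or short lines.
    /^ *target type/ || /^ *--/ || NF < 5 { next }

    {
      # Read fields from the right so the result does not depend on how the
      # target id/name columns are filled for the global target (assumption).
      ttype   = $1
      right   = $NF
      grantee = $(NF - 1)
      tname   = (NF >= 7) ? $(NF - 4) : ""

      if (right ~ /^-/) next        # negative grant: denies the right
      sub(/^\+/, "", right)         # drop a leading "+" modifier before comparing

      if (ttype == "global")
        print "GLOBAL", grantee, right, ttype, tname
      else if (tname != "" && dom(tname) != dom(grantee))
        print "CROSS-DOMAIN", grantee, right, ttype, tname

      if (right == "adminLoginAs")
        print "LOGIN-AS", grantee, right, ttype, tname
    }
  '
}

# Constructed sample in the column layout of the `zmprov gg` output on this page.
sample_grants() {
  cat <<'EOF'
target type  target id                            target name                    grantee type grantee id                           grantee name                   right
------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
domain       11111111-1111-1111-1111-111111111111 example.com                    usr          aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa delegatedadmin@example.com     domainAdminRights
domain       11111111-1111-1111-1111-111111111111 example.com                    usr          aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa delegatedadmin@example.com     adminLoginAs
dl           22222222-2222-2222-2222-222222222222 list@example2.com              usr          bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb delegatedadmin@example1.com    domainAdminDistributionListRights
global       33333333-3333-3333-3333-333333333333 globalacltarget                usr          aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa delegatedadmin@example.com     adminConsoleDomainRights
domain       11111111-1111-1111-1111-111111111111 example.com                    grp          cccccccc-cccc-cccc-cccc-cccccccccccc zimbradomainadmins@example.com +domainAdminConsoleRights
EOF
}

# Stand-alone run over the constructed sample.
sample_grants | audit_grants
```

On a server, feed it real output instead of the sample, for example `zmprov gg -t global | audit_grants`.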
Verified Against: Zimbra Collaboration 7.0 Date Created: 04/16/2014
Article ID: https://wiki.zimbra.com/index.php?title=UmaT-Implementing-Delegated-Administration Date Modified: 2017-07-12


