UmaT-Implementing-Delegated-Administration: Difference between revisions
No edit summary |
No edit summary |
||
Line 182: | Line 182: | ||
$ zmprov gg -t calresource projector@example.com | $ zmprov gg -t calresource projector@example.com | ||
target type target id target name grantee type grantee id grantee name right | target type target id target name grantee type grantee id grantee name right | ||
------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ -------------------- | ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ -------------------- | ||
calresource 19363368-4e64-43d7-bc7e-832b91c3bd93 projector@example.com usr 400eecbd-6da3-4cdb-8791-fd5f42faade6 delegatedadmin@example.com domainAdminCalendarResourceRights | calresource 19363368-4e64-43d7-bc7e-832b91c3bd93 projector@example.com usr 400eecbd-6da3-4cdb-8791-fd5f42faade6 delegatedadmin@example.com domainAdminCalendarResourceRights | ||
Revision as of 08:32, 12 December 2011
Work in Progress
The Delegated Administration feature lets you create different delegated administrator roles to manage your ZCS environment. Please refer the 'Delegated Administration' section in Administrator guide to understand the basic terminologies.
Below are the guidelines to manage the distribution list through CLI.
1. Create domain
$ zmprov cd domain.com zimbraAuthMech zimbra
2. Create the delegated admin
$ zmprov ca delegatedadmin@example.com <passwd> zimbraIsDelegatedAdminAccount TRUE
3. Admin views
Below are list of Admin view's available which can be assigned to delegated admin.
Account LIst View : accountListView Distribution List View : DLListView Alias LIst View : aliasListView Resource List View : resourceListView Class of Service LIst View : COSListView Domain List View : domainListView Server List View : serverListView Zimlet List View : zimletListView Admin Zimlet List View : adminZimletListView Global Settings View : globalConfigView Global Server Status View : globalServerStatusView Help Search View : helpSearch Saved Searches View : saveSearch Mail Queue View : mailQueue Backups View : backupsView Certificates View : certsView Software Updates : softwareUpdatesView Account Migration : bulkProvisionTasksView Per Server Statistics View : perServerStatisticsView Global ACL View : globalPermissionView Right List View : rightListView
3.1 Assigning the admin view
$ zmprov ma delegatedadmin@example.com zimbraAdminConsoleUIComponents accountListView zimbraAdminConsoleUIComponents DLListView zimbraAdminConsoleUIComponents COSListView
$ zmprov ga delegatedadmin@example.com | grep -i view zimbraAdminConsoleUIComponents: accountListView zimbraAdminConsoleUIComponents: DLListView zimbraAdminConsoleUIComponents: COSListView
3.2 Revoking admin view
caution: If you want to revoke the COS list view, then you need to run the full command expect appending the revoking component 'COSListView'
$ zmprov ma delegatedadmin@example.com zimbraAdminConsoleUIComponents accountListView zimbraAdminConsoleUIComponents DLListView
$ zmprov ga delegatedadmin@domain.com | grep -i view zimbraAdminConsoleUIComponents: accountListView zimbraAdminConsoleUIComponents: DLListView
4. Configure Grants on Administrator Accounts
4.1 Manage Domains
4.1.1 Granting the rights to manage domains.
Syntax:
grantRight(grr) {target-type} [{target-id|target-name}] {grantee-type} [{grantee-id|grantee-name} [secret]] {[-]right}
Example
$ zmprov grr domain example.com usr delegatedadmin@domain.com domainAdminRights
4.1.2 View grants
Syntax:
getGrants(gg) [-t {target-type} [{target-id|target-name}]] [-g {grantee-type} {grantee-id|grantee-name} [{0|1 (whether to include grants granted to groups the grantee belongs)}]]
Example
$ zmprov gg -t example.com target type target id target name grantee type grantee id grantee name right ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ -------------------- domain 15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com grp f05e6210-1c19-42cb-9ab5-bccd7a045cb7 zimbradomainadmins@example.com +domainAdminConsoleRights domain 15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com usr 400eecbd-6da3-4cdb-8791-fd5f42faade6 deleagtedadmin@example.com domainAdminConsoleRights domain 15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com usr 928c917e-ed9d-453c-84e0-a7d1da86cf14 deleagtedadmin@example.com domainAdminRights domain 15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com usr 400eecbd-6da3-4cdb-8791-fd5f42faade6 deleagtedadmin@example.com domainAdminRights domain 15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com usr 400eecbd-6da3-4cdb-8791-fd5f42faade6 deleagtedadmin@example.com domainAdminConsoleAccountRights domain 15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com usr 400eecbd-6da3-4cdb-8791-fd5f42faade6 deleagtedadmin@example.com domainAdminAccountRights domain 15274f2b-9f64-4bd0-88c9-ec94874d8151 example.com usr 400eecbd-6da3-4cdb-8791-fd5f42faade6 deleagtedadmin@example.com adminLoginAs
4.2 Managing Distribution list
4.2.1 Granting rights to delegated admin to manage DL
$ zmprov grr dl newdl1@example.com usr deleagtedadmin@example.com domainAdminDistributionListRights
4.2.2 Viewing rights assigned to DL
$ zmprov gg -t dl newdl1@example.com 0 target type target id target name grantee type grantee id grantee name right ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ -------------------- dl 2efe18a9-35a7-4553-9347-a744bb35943a newdl1@example.com usr 400eecbd-6da3-4cdb-8791-fd5f42faade6 delegatedadmin@example.com domainAdminDistributionListRights
Examples:
1. Delegated admin of example1.com can manage the DL of example2.com
$ zmprov grr dl list@example2.com usr delegatedadmin@example1.com domainAdminDistributionListRights
$ zmprov gg -t dl list@example2.com target type target id target name grantee type grantee id grantee name right ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ -------------------- dl 7163e8b2-a192-4898-a76a-36d288523a4a list@example2.com usr 400eecbd-6da3-4cdb-8791-fd5f42faade6 delegateadmin@example1.com domainAdminDistributionListRights
2. Assigning the delegated admin all the "Global Administrator" rights except "view mail" option.
Admin Views
$ zmprov ma delegatedadmin@example.com zimbraAdminConsoleUIComponents accountListView zimbraAdminConsoleUIComponents DLListView zimbraAdminConsoleUIComponents aliasListView zimbraAdminConsoleUIComponents resourceListView zimbraAdminConsoleUIComponents COSListView zimbraAdminConsoleUIComponents domainListView zimbraAdminConsoleUIComponents serverListView zimbraAdminConsoleUIComponents zimletListView zimbraAdminConsoleUIComponents adminZimletListView zimbraAdminConsoleUIComponents globalConfigView zimbraAdminConsoleUIComponents globalServerStatusView zimbraAdminConsoleUIComponents helpSearch zimbraAdminConsoleUIComponents saveSearch zimbraAdminConsoleUIComponents mailQueue zimbraAdminConsoleUIComponents backupsView zimbraAdminConsoleUIComponents certsView zimbraAdminConsoleUIComponents softwareUpdatesView zimbraAdminConsoleUIComponents bulkProvisionTasksView zimbraAdminConsoleUIComponents perServerStatisticsView zimbraAdminConsoleUIComponents globalPermissionView zimbraAdminConsoleUIComponents rightListView
Granting the rights
zmprov grr domain example.com usr delegatedadmin@example.com domainAdminRights zmprov grr global usr delegatedadmin@example.com domainAdminRights zmprov grr global usr delegatedadmin@example.com adminConsoleAliasRights zmprov grr global usr delegatedadmin@example.com adminConsoleDomainRights zmprov grr global usr delegatedadmin@example.com adminConsoleCOSRights zmprov grr global usr delegatedadmin@example.com adminConsoleServerStatusRights zmprov grr global usr delegatedadmin@example.com adminConsoleResourceRights zmprov grr global usr delegatedadmin@example.com adminConsoleSoftwareUpdateRights zmprov grr global usr delegatedadmin@example.com adminConsoleServerStatisticRights zmprov grr global usr delegatedadmin@example.com adminConsoleExtensionRights zmprov grr global usr delegatedadmin@example.com adminConsoleBackupRights zmprov grr global usr delegatedadmin@example.com adminConsoleMigrationRights zmprov grr global usr delegatedadmin@example.com adminConsoleMailQueueRights zmprov grr global usr delegatedadmin@example.com adminConsoleSavedSearchRights zmprov grr global usr delegatedadmin@example.com adminConsoleDLRights zmprov grr global usr delegatedadmin@example.com adminConsoleCertificateRights zmprov grr global usr delegatedadmin@example.com adminConsoleGlobalRights zmprov grr global usr delegatedadmin@example.com adminConsoleGlobalACLTabRights zmprov grr global usr delegatedadmin@example.com adminConsoleServerRights zmprov grr global usr delegatedadmin@example.com adminConsoleAccountRights zmprov grr global usr delegatedadmin@example.com adminConsoleZimletRights
3. Revoking domainAdminRights from delegated admin
$zmprov gg -t domain example.com target type target id target name grantee type grantee id grantee name right ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
domain 3c8de9e0-8228-4b48-931e-bc1b040683ed example.com usr 928c917e-ed9d-453c-84e0-a7d1da86cf14 delegatedadmin@example.com domainAdminRights
$zmprov gg -t domain example.com target type target id target name grantee type grantee id grantee name right ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
4. Delegated Administrator allowed to manage calendar resource
$ zmprov grr calresource projector@example.com usr delegatedadmin@example.com domainAdminCalendarResourceRights
$ zmprov gg -t calresource projector@example.com
target type target id target name grantee type grantee id grantee name right
------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ -------------------- calresource 19363368-4e64-43d7-bc7e-832b91c3bd93 projector@example.com usr 400eecbd-6da3-4cdb-8791-fd5f42faade6 delegatedadmin@example.com domainAdminCalendarResourceRights
Miscellaneous commands
To get all acccount rights:-
$ zmprov gar account
To get effective rights for domain admin:-
$ zmprov ger account deleagtedadmin@example.com
To get all DL rights:-
$ zmprov gar dl
To get effective rights for distribution list:-
$ zmprov ger dl newdl@example.com
To list global grants
$ zmprov gg -t global