Overview Service Command

Service: zimbraAdmin

Command: GetEffectiveRights
Namespace: urn:zimbraAdmin
Description: Returns effective ADMIN rights the authenticated admin has on the specified target entry.

Effective rights are the rights the admin is actually allowed. It is the net result of applying ACL checking rules given the target and grantee. Specifically denied rights will not be returned.

The result can help the admin console decide on what tabs to display after a target is selected. For example, after user1 is selected, if the admin does not have right to setPassword, it should probably hide or gray out the setPassword tab.
e.g. 
     <GetEffectiveRightsRequest>
       <target type="account" by="id">bba95d7d-0b13-401f-a343-03a8f5a96f7c"/>
       <grantee by="name">admin@test.com</grantee>
     </GetEffectiveRightsRequest>

     <GetEffectiveRightsResponse>
       <grantee name="admin@test.com</grantee" id=""/>
       <target type="account" name="user1@test.com" id="bba95d7d-0b13-401f-a343-03a8f5a96f7c">
         <right n="setPassword"/>
         <right n="renameAccount"/>
         <right n="deleteAccount"/>
         <setAttrs>
           <a n="zimbraMailQuota" min="100000000"/>
           <a n="zimbraMailStatus"/>
           <a n="zimbraFeatureMailEnabled" values="TRUE,FALSE"/>
           ...
         </setAttrs>
         <getAttrs>
           <a n="..."/>
           <a n="..."/>
           ...
         </getAttrs>
       </target>
     </GetEffectiveRightsRequest>
Properties:
Authorization token required true
Admin Authorization token required true

GetEffectiveRightsRequest

    <GetEffectiveRightsRequest [expandAllAttrs="{expand-all-attrs}"]> ## GetEffectiveRightsRequest
        <target
                   type="{target-type} (account | calresource | cos | dl | group | domain | server | xmppcomponent | zimlet | config | global)"
                   [by="{target-selector-by} (id | name)"]>{value}</target> ## EffectiveRightsTargetSelector
        <grantee [type="{grantee-type} (usr | grp | egp | all | dom | edom | gst | key | pub | email)"]
                     [by="{grantee-selector-by} (id | name)"] [secret="{secret}"] [all="{all-flag} (0|1)"]>{key}</grantee> ## GranteeSelector
    </GetEffectiveRightsRequest>

elements and attributes you can define within a <GetEffectiveRightsRequest> element:

XPath Required / Optional Description
@expandAllAttrs Optional (0 or 1) Type: String
Whether to include all attribute names in the <getAttrs>/<setAttrs> elements in the response if all attributes of the target are gettable/settable Valid values are:
getAttrs expand attrs in getAttrs in the response
setAttrs expand attrs in setAttrs in the response
getAttrs,setAttrs expand attrs in both getAttrs and setAttrs in the response
/target Required (only 1) Type: {value}
Target
Description for element text content:The key used to identify the target. Meaning determined by {target-selector-by}
/target@type Required (only 1) Type: account | calresource | cos | dl | group | domain | server | xmppcomponent | zimlet | config | global
Target type
/target@by Optional (0 or 1) Type: id | name
Select the meaning of {target-selector-key}
/grantee Optional (0 or 1) Type: {key}
Grantee. If <grantee> is omitted, the account identified by the auth token is regarded as the grantee.
Description for element text content:The key used to identify the grantee. Meaning determined by {grantee-selector-by}
/grantee@type Optional (0 or 1) Type: usr | grp | egp | all | dom | edom | gst | key | pub | email
Grantee type
usr Zimbra User
grp Zimbra Group (distribution list)
egp an external AD group
dom Zimbra domain
edom non-Zimbra domain (used with sendToDistList right)
all all authenticated users
gst non-Zimbra email address and password
key external user with accesskey
pub public authenticated and unauthenticated access
email Pseudo grantee type. Granting code will map to usr/grp/egp or gst
/grantee@by Optional (0 or 1) Type: id | name
Select the meaning of {grantee-selector-key}
/grantee@secret Optional (0 or 1) Type: String
Password for guest grantee or the access key for key grantee For user right only
/grantee@all Optional (0 or 1) Type: 0|1
For GetGrantsRequest, selects whether to include grants granted to groups the specified grantee belongs to. Default is 1 (true)

GetEffectiveRightsResponse

    <GetEffectiveRightsResponse> ## GetEffectiveRightsResponse
        <grantee [type="{grantee-type} (usr | grp | egp | all | dom | edom | gst | key | pub | email)"]
                    id="{grantee-id}" name="{grantee-name}" /> ## GranteeInfo
        <target
                   type="{target-type} (account | calresource | cos | dl | group | domain | server | xmppcomponent | zimlet | config | global)"
                   id="{target-id}" name="{target-name}"> ## EffectiveRightsTargetInfo
            (<right [n="{right-name}"] /> ## RightWithName)*
            <setAttrs [all="{all-attrs-accessible} (0|1)"]> ## EffectiveAttrsInfo
                (<a n="{attribute-name}"> ## EffectiveAttrInfo
                    <constraint> ## ConstraintInfo
                        <min>{min} (String)</min>
                        <max>{max} (String)</max>
                        <values>
                            (<v>{values} (String)</v>)*
                        </values>
                     </constraint>
                    <default>
                        (<v>{values} (String)</v>)*
                    </default>
                  </a>)*
            </setAttrs>
            <getAttrs [all="{all-attrs-accessible} (0|1)"]> ... </getAttrs> ## See /target/setAttrs [ ## EffectiveAttrsInfo]
        </target>
    </GetEffectiveRightsResponse>

elements and attributes you can define within a <GetEffectiveRightsResponse> element:

XPath Required / Optional Description
/grantee Required (only 1) Information about grantee
/grantee@type Optional (0 or 1) Type: usr | grp | egp | all | dom | edom | gst | key | pub | email
Grantee type
/grantee@id Required (only 1) Type: String
Grantee ID
/grantee@name Required (only 1) Type: String
Grantee name
/target Required (only 1) Information about target
/target@type Required (only 1) Type: account | calresource | cos | dl | group | domain | server | xmppcomponent | zimlet | config | global
Target type
/target@id Required (only 1) Type: String
ID
/target@name Required (only 1) Type: String
Name
/target/right Optional (0 or more) Rights
/target/right@n Optional (0 or 1) Type: String
Right name
/target/setAttrs Required (only 1) All attributes that can be set
/target/setAttrs@all Optional (0 or 1) Type: 0|1
Flags whether all attributes on the target entry are accessible.
if set, no <a> elements will appear under the <setAttrs>/<getAttrs>
/target/setAttrs/a Optional (0 or more) Attributes
/target/setAttrs/a@n Required (only 1) Type: String
Attribute name
/target/setAttrs/a/constraint Optional (0 or 1) Constraint information
/target/setAttrs/a/constraint/min Optional (0 or 1) Type: {min} (String)
Minimum value
/target/setAttrs/a/constraint/max Optional (0 or 1) Type: {max} (String)
Maximum value
/target/setAttrs/a/constraint/values Required (only 1)
/target/setAttrs/a/constraint/values/v Optional (0 or more) Type: {values} (String)
/target/setAttrs/a/default Required (only 1)
/target/setAttrs/a/default/v Optional (0 or more) Type: {values} (String)
/target/getAttrs Required (only 1) All attributes that can be got
See /target/setAttrs for more details.
 
© Copyright , The Zextras Team. All rights reserved.