Service: zimbraAdmin

Command: CheckRight
Namespace: urn:zimbraAdmin
Description: Check if a principal has the specified right on target.
A successful return means the principal specified by the <grantee> is allowed for the specified right on the target object.
If PERM_DENIED is thrown, it means the authed user does not have privilege to run this SOAP command (has to be an admin because this command is in admin namespace).
Result of CheckRightRequest is in the allow="1|0" attribute in CheckRightResponse. If a specific grant decisively led to the result, details of it are specified in <via> in the <CheckRightResponse>.

e.g. if a combo right C containing renameAccount is granted to group G on domain D, and admin A is in group G, then:
            <CheckRightRequest>
               <target type="account" by="name">user1@D</target>
               <grantee by="name">admin@D</grantee>
               <right>renameAccount</right>
            </CheckRightRequest>
 
will return:
            <CheckRightResponse allow="1">
               <via>
                 <target type="domain">D</target>
                 <grantee type="grp">G</grantee>
                 <right>C</right>
               </via>
            </CheckRightResponse>
 

Note: <via> is optional. If the right of interest is not granted at all, there will be no <via> in the response. Also, <via> will probably be hairy for rights that modify/get selective attrs; it may not be returned for those rights. TBD...
e.g.
       <CheckRightRequest>
           <target type="account" by="name">user1@D</target>
           <grantee by="name">admin@D</grantee>
           <right>configureQuota</right>
           <attrs>
               <a n="zimbraMailQuota">100000</a>
               <a n="zimbraQuotaWarnPercent">80</a>
           </attrs>
       </CheckRightRequest>

       <CheckRightResponse allow="0"/>
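
The request and the two responses described above, as an added example that is not part of the original Zimbra documentation: it builds the CheckRightRequest body element and interprets a CheckRightResponse, treating anything other than allow="1" as denied and tolerating a missing <via>. The SOAP envelope, authentication and transport are left out; the function names and the sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "urn:zimbraAdmin"            # namespace stated on this page
ET.register_namespace("", NS)     # serialize without an ns0: prefix

def build_check_right(target_type, target, grantee, right):
    """Return a CheckRightRequest body element (no SOAP envelope, no <a> attrs)."""
    req = ET.Element(f"{{{NS}}}CheckRightRequest")
    t = ET.SubElement(req, f"{{{NS}}}target", {"type": target_type, "by": "name"})
    t.text = target               # ElementTree escapes &, <, > on output
    g = ET.SubElement(req, f"{{{NS}}}grantee", {"by": "name"})
    g.text = grantee
    ET.SubElement(req, f"{{{NS}}}right").text = right
    return ET.tostring(req, encoding="unicode")

def _local(tag):
    """Strip a '{namespace}' prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def parse_check_right(xml_text):
    """Return {'allow': bool, 'via': dict or None}; only allow="1" means allowed."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "CheckRightResponse":
        raise ValueError("not a CheckRightResponse: " + _local(root.tag))
    result = {"allow": root.get("allow") == "1", "via": None}
    for child in root:
        if _local(child.tag) == "via":    # optional: absent when nothing was granted
            result["via"] = {_local(e.tag): (e.get("type"), (e.text or "").strip())
                             for e in child}
    return result

def explain(result, right):
    """One audit line: which grant, if any, decided the check."""
    if not result["allow"]:
        return f"{right}: denied"
    via = result["via"]
    if via is None:
        return f"{right}: allowed (no <via> returned)"
    (ttype, tname), (gtype, gname) = via["target"], via["grantee"]
    return (f"{right}: allowed via right {via['right'][1]} "
            f"granted to {gtype} {gname} on {ttype} {tname}")

# Constructed sample responses, modelled on the two examples on this page.
SAMPLE_ALLOW = ('<CheckRightResponse xmlns="urn:zimbraAdmin" allow="1"><via>'
                '<target type="domain">D</target><grantee type="grp">G</grantee>'
                '<right>C</right></via></CheckRightResponse>')
SAMPLE_DENY = '<CheckRightResponse xmlns="urn:zimbraAdmin" allow="0"/>'

if __name__ == "__main__":
    print(build_check_right("account", "user1@D", "admin@D", "renameAccount"))
    for sample in (SAMPLE_ALLOW, SAMPLE_DENY):
        print(explain(parse_check_right(sample), "renameAccount"))
```

When the <via> right or target differs from what was asked, as in the first sample, the permission is inherited through a combo right or a group/domain grant rather than granted directly on the object.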
 
Properties:
Authorization token required: true
Admin Authorization token required: true

CheckRightRequest

    <CheckRightRequest> ## CheckRightRequest
        <target
                   type="{target-type} (account | calresource | cos | dl | group | domain | server | xmppcomponent | zimlet | config | global)"
                   [by="{target-selector-by} (id | name)"]>{value}</target> ## EffectiveRightsTargetSelector
        <grantee [type="{grantee-type} (usr | grp | egp | all | dom | edom | gst | key | pub | email)"]
                    [by="{grantee-selector-by} (id | name)"] [secret="{secret}"] [all="{all-flag} (0|1)"]>{key}</grantee> ## GranteeSelector
        <right>{value}</right> ## CheckedRight
        (<a n="{key}" /> ## Attr)*
    </CheckRightRequest>

Elements and attributes you can define within a <CheckRightRequest> element:

XPath    Required / Optional    Description
/target    Required (only 1)    Type: {value}
  Target
  Description for element text content: The key used to identify the target. Meaning determined by {target-selector-by}
/target@type    Required (only 1)    Type: account | calresource | cos | dl | group | domain | server | xmppcomponent | zimlet | config | global
  Target type
/target@by    Optional (0 or 1)    Type: id | name
  Select the meaning of {target-selector-key}
/grantee    Required (only 1)    Type: {key}
  Grantee - valid values for type are "usr" and "email"
  Description for element text content: The key used to identify the grantee. Meaning determined by {grantee-selector-by}
/grantee@type    Optional (0 or 1)    Type: usr | grp | egp | all | dom | edom | gst | key | pub | email
  Grantee type
    usr    Zimbra User
    grp    Zimbra Group (distribution list)
    egp    an external AD group
    dom    Zimbra domain
    edom   non-Zimbra domain (used with sendToDistList right)
    all    all authenticated users
    gst    non-Zimbra email address and password
    key    external user with accesskey
    pub    public authenticated and unauthenticated access
    email  Pseudo grantee type. Granting code will map to usr/grp/egp or gst
/grantee@by    Optional (0 or 1)    Type: id | name
  Select the meaning of {grantee-selector-key}
/grantee@secret    Optional (0 or 1)    Type: String
  Password for guest grantee or the access key for key grantee. For user right only.
/grantee@all    Optional (0 or 1)    Type: 0|1
  For GetGrantsRequest, selects whether to include grants granted to groups the specified grantee belongs to. Default is 1 (true)
/right    Required (only 1)    Type: {value}
  Checked Right
  Description for element text content: Name of right
/a    Optional (0 or more)    Attributes
/a@n    Required (only 1)    Type: String
  Key

CheckRightResponse

    <CheckRightResponse allow="(0|1)"> ## CheckRightResponse
        <via> ## RightViaInfo
            <target type="{target-type}">{value}</target> ## TargetWithType
            <grantee type="{target-type}">{value}</grantee> ## GranteeWithType
            <right>{value}</right> ## CheckedRight
         </via>
    </CheckRightResponse>

Elements and attributes you can define within a <CheckRightResponse> element:

XPath    Required / Optional    Description
@allow    Required (only 1)    Type: 0|1
  Result of the CheckRightRequest
/via    Optional (0 or 1)    Via information for the grant that decisively led to the result
/via/target    Required (only 1)    Type: {value}
  Target
  Description for element text content: Value matching {target-type} if this is part of a response (otherwise blank)
/via/target@type    Required (only 1)    Type: String
  Target type
/via/grantee    Required (only 1)    Type: {value}
  Grantee
  Description for element text content: Target name
/via/grantee@type    Required (only 1)    Type: String
  Target type
/via/right    Required (only 1)    Type: {value}
  Checked right
  Description for element text content: Name of right