Delegated Admin Provisioning

Delegated Admin Provisioning is the set of operations that allow you to grant, edit and revoke Domain Admin rights to a user. These can be performed from the CLI, by running the appropriate command as the zextras user and are summarised below.

Grant Rights

To grant Delegated Admin rights to a user, use the doAddDelegationSettings command.

zxsuite admin doAddDelegationSettings *account* *domain* [param
VALUE[,VALUE]]

Parameter List

NAME

TYPE

EXPECTED VALUES

DEFAULT

account(M)

String

domain(M)

String

viewMail(O)

Boolean

true|false

false

editFeatures(O)

Boolean

true|false

false

adminQuota(O)

String

-1

(M) == mandatory parameter, (O) – optional parameter

Usage Example

zxsuite admin doAddDelegationSettings john@example.com example.com viewMail true adminQuota -1

Adds John as delegated administrator of domain example.com, with the right to view user mail on such domain and no right to grand quotas to users.

Usage Example

zxsuite admin doAddDelegationSettings john@example.com example.com adminQuota 0

Adds John as delegated administrator of domain example.com, with the right to assign unlimited quotas to users.

Usage Example

zxsuite admin doAddDelegationSettings john@example.com example.com adminQuota 10gb

Adds John as delegated administrator of domain example.com, with the right to assign quotas up to 10gb to each user.

Edit Rights

To edit the rights of an existing Delegated Admin, use the doEditDelegationSettings command.

zxsuite admin doEditDelegationSettings *account* *domain* [param
VALUE[,VALUE]]

Parameter List

NAME

TYPE

EXPECTED VALUES

DEFAULT

account(M)

String

domain(M)

String

viewMail(O)

Boolean

true|false

editFeatures(O)

Boolean

true|false

adminQuota(O)

String

(M) == mandatory parameter, (O) – optional parameter

Usage Example

zxsuite admin doEditDelegationSettings john@example.com example.com viewMail true adminQuota -1

Edits John’s delegation rights for domain example.com, with the right to view user mail on such domain and

no right to grand quotas to users.

Usage Example

zxsuite admin doEditDelegationSettings john@example.com example.com adminQuota 0

Edits John’s delegation rights for domain example.com, with the right to assign unlimited quotas to users.

Usage Example

zxsuite admin doEditDelegationSettings john@example.com example.com adminQuota 10gb

Edits John’s delegation rights for domain example.com, with the right to assign quotas up to 10gb to each user.

Revoke Rights

To revoke Delegated Admin rights from a user, use the doRemoveDelegationSettings command:

zxsuite admin doRemoveDelegationSettings *account* *domain*

Parameter List

NAME

TYPE

EXPECTED VALUES

DEFAULT

account(M)

String

domain(M)

String

(M) == mandatory parameter, (O) – optional parameter

Usage Example

zxsuite admin doRemoveDelegationSettings john@example.com example.com

John no longer administers domain example.com

Carbonio Administration as a Delegated Admin

To access the Carbonio Administration, connect with a web browser to https://mail.example.com:6071/login (replace mail.example.com with your domain) and login with your administrator credentials.

Delegated Admin CAN and CAN’T Table

Here is a quick reference of what a Delegated Admin CAN and CAN’T do within the Carbonio Administration interface.

CAN

CAN’T

View the account list of any domain for which they are granted Delegate Admin rights

View the account list belonging to any other domain

Edit any user account in any domain for which they are granted Delegate Admin rights

Edit any user account belonging to any other domain

Edit any alias, distribution list or resource in any domain for which they are granted Delegate Admin rights

Edit any alias, distribution list or resource belonging to any other domain

Edit any Global Admin account

Grant Global Admin or Delegated Admin rights to any user

Create an account on a domain for which they are granted Delegated Admin rights

Create an account on any other domain

Select the Class Of Service of an account between those available for that account’s domain

Arbitrarily set the Class of Service of an account between those available on the server

Edit COS settings

Edit Domain Settings that may interfere with the proper functioning of the server

See or edit any server setting

See or edit any global setting

Delegated Admin Log Browsing

The Carbonio Web interface allows a Global Admin to easily keep track of all Admins’ activity through a search-based graphical log browser that can be accessed from the CarbonioAdmin page

The Filter Log pop-up dialog will open, allowing you to apply some filters to the logs you want to browse.

The available filters are:

Basic filters

Basic filter are of two types:

Admin filters allow to only view operations performed by a single Domain Admin.

Action filters are a class of filters to only view one particular action. Any operation an Administrator can perform is available in the drop-down menu of the Action filter.The following filters all belong to this class.

  • Auth: All authentications.

  • DelegateAuth: All Delegated Authentications, either through the View Mail button or through the -z option of the zmmailbox command.

  • CreateAccount: All account creations.

  • DeleteAccount: All account deletions.

  • Set Password: All mailbox password changes.

  • RemoveAccountAlias: All alias deletions.

  • DeleteDistributionList: All distribution lists deletions.

Note

All of these operations are important both to keep track of the Admin’s activities and for troubleshooting purposes.

Advanced filters

  • Client IP: Filters the logs to only show operations performed from a determined IP address.

  • Show Logins: Select this checkbox to also show when the Domain Admins log in

  • Outcome: Filters the logs to either show all operations, successful operations or failed operations.

  • Start and End: Limits the logs shown to a specific timespan (default: the current day).

Clicking the Details button will apply the selected filters and show the log browser.