Delegated Admin Provisioning
Delegated Admin Provisioning is the set of operations that allow you
to grant, edit and revoke Domain Admin rights to a user. These
can be performed from the CLI, by running the appropriate command as
the zextras
user and are summarised below.
Grant Rights
To grant Delegated Admin rights to a user, use the
doAddDelegationSettings
command.
zxsuite admin doAddDelegationSettings *account* *domain* [param
VALUE[,VALUE]]
Parameter List
NAME |
TYPE |
EXPECTED VALUES |
DEFAULT |
account(M) |
String |
||
domain(M) |
String |
||
viewMail(O) |
Boolean |
true|false |
false |
editFeatures(O) |
Boolean |
true|false |
false |
adminQuota(O) |
String |
-1 |
(M) == mandatory parameter, (O) – optional parameter
Usage Example
zxsuite admin doAddDelegationSettings john@example.com example.com viewMail true adminQuota -1
Adds John as delegated administrator of domain example.com, with the right to view user mail on such domain and no right to grand quotas to users.
Usage Example
zxsuite admin doAddDelegationSettings john@example.com example.com adminQuota 0
Adds John as delegated administrator of domain example.com, with the right to assign unlimited quotas to users.
Usage Example
zxsuite admin doAddDelegationSettings john@example.com example.com adminQuota 10gb
Adds John as delegated administrator of domain example.com, with the right to assign quotas up to 10gb to each user.
Edit Rights
To edit the rights of an existing Delegated Admin, use the
doEditDelegationSettings
command.
zxsuite admin doEditDelegationSettings *account* *domain* [param
VALUE[,VALUE]]
Parameter List
NAME |
TYPE |
EXPECTED VALUES |
DEFAULT |
account(M) |
String |
||
domain(M) |
String |
||
viewMail(O) |
Boolean |
true|false |
|
editFeatures(O) |
Boolean |
true|false |
|
adminQuota(O) |
String |
(M) == mandatory parameter, (O) – optional parameter
Usage Example
zxsuite admin doEditDelegationSettings john@example.com example.com viewMail true adminQuota -1
Edits John’s delegation rights for domain example.com, with the right to view user mail on such domain and
no right to grand quotas to users.
Usage Example
zxsuite admin doEditDelegationSettings john@example.com example.com adminQuota 0
Edits John’s delegation rights for domain example.com, with the right to assign unlimited quotas to users.
Usage Example
zxsuite admin doEditDelegationSettings john@example.com example.com adminQuota 10gb
Edits John’s delegation rights for domain example.com, with the right to assign quotas up to 10gb to each user.
Revoke Rights
To revoke Delegated Admin rights from a user, use the
doRemoveDelegationSettings
command:
zxsuite admin doRemoveDelegationSettings *account* *domain*
Parameter List
NAME |
TYPE |
EXPECTED VALUES |
DEFAULT |
account(M) |
String |
||
domain(M) |
String |
(M) == mandatory parameter, (O) – optional parameter
Usage Example
zxsuite admin doRemoveDelegationSettings john@example.com example.com
John no longer administers domain example.com
Carbonio Administration as a Delegated Admin
To access the Carbonio Administration, connect with a web browser to https://mail.example.com:6071/login (replace mail.example.com with your domain) and login with your administrator credentials.
Delegated Admin CAN and CAN’T Table
Here is a quick reference of what a Delegated Admin CAN and CAN’T do within the Carbonio Administration interface.
CAN |
CAN’T |
---|---|
View the account list of any domain for which they are granted Delegate Admin rights |
View the account list belonging to any other domain |
Edit any user account in any domain for which they are granted Delegate Admin rights |
Edit any user account belonging to any other domain |
Edit any alias, distribution list or resource in any domain for which they are granted Delegate Admin rights |
Edit any alias, distribution list or resource belonging to any other domain |
Edit any Global Admin account |
|
Grant Global Admin or Delegated Admin rights to any user |
|
Create an account on a domain for which they are granted Delegated Admin rights |
Create an account on any other domain |
Select the Class Of Service of an account between those available for that account’s domain |
Arbitrarily set the Class of Service of an account between those available on the server |
Edit COS settings |
|
Edit Domain Settings that may interfere with the proper functioning of the server |
|
See or edit any server setting |
|
See or edit any global setting |
Delegated Admin Log Browsing
The Carbonio Web interface allows a Global Admin to easily keep track of all
Admins’ activity through a search-based graphical log browser that can
be accessed from the CarbonioAdmin
page
The Filter Log pop-up dialog will open, allowing you to apply some filters to the logs you want to browse.
The available filters are:
Basic filters
Basic filter are of two types:
Admin filters allow to only view operations performed by a single Domain Admin.
Action filters are a class of filters to only view one particular action. Any operation an Administrator can perform is available in the drop-down menu of the Action filter.The following filters all belong to this class.
Auth: All authentications.
DelegateAuth: All Delegated Authentications, either through the View Mail button or through the
-z
option of the zmmailbox command.CreateAccount: All account creations.
DeleteAccount: All account deletions.
Set Password: All mailbox password changes.
RemoveAccountAlias: All alias deletions.
DeleteDistributionList: All distribution lists deletions.
Note
All of these operations are important both to keep track of the Admin’s activities and for troubleshooting purposes.
Advanced filters
Client IP: Filters the logs to only show operations performed from a determined IP address.
Show Logins: Select this checkbox to also show when the Domain Admins log in
Outcome: Filters the logs to either show all operations, successful operations or failed operations.
Start and End: Limits the logs shown to a specific timespan (default: the current day).
Clicking the Details button will apply the selected filters and show the log browser.