Administrative Roles Explained#

User Accounts created on the Directory Server can be granted some rights to become an Administrative account, so they can manage the rights assigned to other accounts, the settings of a domain, or a combination of them.

In this page we describe the main pre-built roles (Global Administrators, Domain Administrators, Delegated (Domain) Administrators, User Management (Domain) Administrators, Group Management (Domain) Administrator, Help Desk (Domain) Administrators) and their associated rights. Users that belong to these groups automatically inherit the rights of the group. Pre-built roles are hierarchical, meaning that every role has some peculiar right plus all the rights of the roles below: for example, a Delegated Domain Admin also possesses all rights of User, Group, and Help Desk Administrators.

Except for the Global Administrators, who has access to all domains and setting defined in the Carbonio Admin Panel, all other pre-built roles allow to manage the settings of one domain or a subset of a domain.

Requirements#

These requirements must be satisfied before being able to manage rights.

  1. To be able to use right, a domain must be first initialised from Domains ‣ Manage ‣ Delegated Domain Admins.

    Alternatively, you can initialise a domain from the CLI:

    zextras$ carbonio admin initDomainForDelegation example.com
    

    Replace example.com with the domain to initialise.

  2. User eligible to become Administrators must have the attribute zimbraIsDelegationAdminAccount set to True

Errors during domain initialisation

If during the initialisation you see a red pop up in the Carbonio Admin Panel or the following error message if you issue the command from the CLI:

Admin Auth Token is missing or empty

You can fix this problem by deploying again the CA, issuing the following command as the zextras user

zextras$ zmcertmgr deployca

Then, initialise again the domain

zextras$ carbonio admin initDomainForDelegation example.com

Note

you can also check whether in the log file opt/zextras/mailbox.log you find the message:

ERROR [ZxLink Handler Thread] [] extensions -
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

How to Create an Administrator#

To create Administrators, the procedure is slightly different between Global Admins and administrators.

Global Administrators

To set an account as a Global Administrator, go to Domains ‣ Domain ‣ Accounts, select the account to promote, and on the Administration tab click the Global Administration switch.

../_images/ap-global-admin.png

Fig. 10 Adding a Global Administrator.#

Domain administrators

To grant an account any other Administrator roles, go to Domains ‣ Domain ‣ Accounts, select the account to promote, and on the Administration tab click the Delegated Administration switch, then select the corresponding right:

Role

Right

Domain Admin

__domain_admins@example.com

Delegated Admin

__delegated_admins@example.com

User Management Admin

__user_admins@example.com

Group Admin

__groups_admins@example.com

Help Desk Admin

__helpdesk_admins@example.com

../_images/ap-domain-admins.png

Global Administrators#

Also called Infrastrucure Administrators, they have access to all features in the Carbonio Admin Panel and API, and can manage every aspect of the Carbonio Infrastructure.

Warning

At least one user in your infrastructure needs to be a Global Administrator, but we recommend having at least two.

This is a list of right that are reserved to the Global administrator only. These are related to the Carbonio infrastructure in its whole.

  • Manage Domains

  • Manage Class Of Service

    • Modify COS and Accounts: Enable or disable OTP Management Feature

    • Manage OTPs for Users: Create, delete, and list OTPs

  • Manage Admins and their roles.

  • Manage Global Configuration

    • Theme and Whitelabel setting

    • Default Domain

    • ActiveSync

    • Analytics

  • Manage MTA configuration

    • Blocked extension

    • Enable / Disable Authentication for each node

    • Relay for external delivery

    • Trusted Network

    • Max Size

    • MTA restiction and RBL (smtpd_recipient_restrictions)

  • AS/AV Configuration

    • Kill/Tag score

    • Subject Prefix

    • Update frequency

    • AV archives

    • AV notification setting

  • Proxy Configuration

  • Manage other users, including admins, change their passwords, authenticated as then, manage users shares and settings.

  • Manage infrastrucutre license and Subscription

  • Manage Storage configuration

    • S3 Bucket

    • Server Volumes (primary, secondary, index)

    • HSM policy and settings

  • Manage Backup Configuration

Domain Administrators#

A Domain Admin has full control on the domain and on the lifecycle of the objects of the domain and has the following rights:

  • View and modify Domain attributes except for

    • Assigned Class Of Service

    • Max Account Number

    • Quota (max account quota, aggregate quota)

  • Manage Domain Theme

  • Create, modify and delete other Domain Admin

  • Assing rights to other Domain Admin

  • Manage GALSync users and configuration

  • Manage Domain Authentication settings

  • Manage Domain VirtualHost and Certificate

  • In addition, all the rights of a Delegated (Domain) Admin

  • Manage Analytics at COS and Account level

Delegated (Domain) Administrators#

Delegated (Domain) Administrators has full access to all the settings of a domain, except for infrastructure settings, which are reserved to the Domain Admin. In detail, these are the rights of a Delegated Admin

  • View Domain attributes

  • In addition, all the rights of a User Management (Domain) Admin

User Management (Domain) Administrators#

A User Management Admin has control on lifecycle of the users in the domain. These rights are reserved to a User Management Admin

  • View Domain attributes

  • Create, modify and delete normal accounts except for

    • Mailstore used for the account

  • Modify Accounts: Enable or disable OTP Management Feature

  • Manage OTPs for Users: Create, delete, and list OTPs

  • Manage user Aliases

  • Manage User password policy settings

  • Create, modify and delete normal resources except for

    • Mailstore used for the account

  • Login as other users he can manage

  • Restore Accounts from Backup

  • In addition, all the rights of a Help Desk (Domain) Admin

  • In addition, all the rights of a Group Management (Domain) Admin

Group Management (Domain) Administrator#

A Group Management Admin has control on lifecycle of the distribution list of the domain and possesses these rights

  • View Domain attributes

  • Create, modify and delete distribution list, except for Dynamic Distribution Lists

  • Manage DL Aliases

Help Desk (Domain) Administrators#

Help Desk (Domain) Admins can reset passwords within the domain, including all users but administrators, and manage some user information, both in the Carbonio Admin Panel and via API. In particular, they have these rights

  • View Domain attributes

  • Modify user information such as:

    • personal data

    • user preferences

    • enable or disable activesync access

  • Reset and Assign User Passwords, application credentials, and OTP codes

  • Suspend and Reset ActiveSync sessions

  • Suspend and Reset HTTP/IMAP sessions

  • Undelete emails, calendars, and contacts