Administrative Roles Explained#
User accounts created on the Directory Server can be granted rights that make them Administrative accounts, so that they can manage the rights assigned to other accounts, the settings of a domain, or a combination of them.
In this page we describe the main pre-built roles (Global Administrators, Domain Administrators, Delegated (Domain) Administrators, User Management (Domain) Administrators, Group Management (Domain) Administrator, Help Desk (Domain) Administrators) and their associated rights. Users that belong to these groups automatically inherit the rights of the group. Pre-built roles are hierarchical, meaning that every role has some rights of its own plus all the rights of the roles below it: for example, a Delegated Domain Admin also possesses all rights of User, Group, and Help Desk Administrators.
Except for the Global Administrators, who have access to all domains and settings defined in the Carbonio Admin Panel, all other pre-built roles allow managing the settings of one domain or a subset of a domain.
Requirements#
These requirements must be satisfied before being able to manage rights.
- To be able to use rights, a domain must first be initialised from
  . Alternatively, you can initialise a domain from the CLI:
zextras$ carbonio admin initDomainForDelegation example.com
Replace example.com with the domain to initialise.
- Users eligible to become Administrators must have the attribute zimbraIsDelegationAdminAccount set to True.
If during the initialisation you see a red pop-up in the Carbonio Admin Panel, or the following error message when you issue the command from the CLI:
Admin Auth Token is missing or empty
you can fix this problem by deploying the CA again, issuing the following command as the zextras user:
zextras$ zmcertmgr deployca
Then, initialise the domain again:
zextras$ carbonio admin initDomainForDelegation example.com
Note
You can also check whether the log file opt/zextras/mailbox.log contains the message:
ERROR [ZxLink Handler Thread] [] extensions -
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
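A log check for the symptom in the note above, written as an added example that is not part of the Carbonio documentation. The function names, the timestamp format, and the sample log are constructed, and the three-line continuation window is an assumption about how the message wraps in the log.

```shell
#!/bin/sh
# Added example: detect ZxLink TLS trust failures in a mailbox log.

# count_pkix_failures LOGFILE
# Prints how many ERROR entries from "ZxLink Handler Thread" carry
# "PKIX path building failed" on the same line or on one of the next
# three lines (the message may be wrapped, as it is in the note).
count_pkix_failures() {
    awk '
        /ERROR \[ZxLink Handler Thread\]/ { window = 4 }
        window > 0 {
            if (index($0, "PKIX path building failed")) { hits++; window = 0 }
            else window--
        }
        END { print hits + 0 }
    ' "$1"
}

# diagnose LOGFILE DOMAIN
# Returns 1 and prints the two commands from this page when the trust
# failure is logged; returns 0 otherwise.
diagnose() {
    n=$(count_pkix_failures "$1")
    if [ "$n" -gt 0 ]; then
        echo "$n PKIX failure(s) logged by ZxLink; as the zextras user run:"
        echo "  zmcertmgr deployca"
        echo "  carbonio admin initDomainForDelegation $2"
        return 1
    fi
    echo "no ZxLink PKIX failures logged"
    return 0
}

# write_sample_log FILE: constructed sample (wrapped, single-line, unrelated).
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-01 10:00:00,000 INFO  [main] [] extensions - started
2024-01-01 10:00:05,000 ERROR [ZxLink Handler Thread] [] extensions -
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
2024-01-01 10:01:00,000 ERROR [ZxLink Handler Thread] [] extensions - javax.net.ssl.SSLHandshakeException: PKIX path building failed: unable to find valid certification path to requested target
2024-01-01 10:02:00,000 ERROR [qtp-1] [] mailbox - unrelated failure
EOF
}
```

Call `diagnose` with the path to the mailbox log and the domain being initialised; a non-zero exit status means the CA should be deployed again before retrying.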
How to Create an Administrator#
The procedure to create Administrators differs slightly between Global Administrators and the other administrator roles.
To set an account as a Global Administrator, go to
, select the account to promote, and on the Administration tab click the Global Administration switch.
To grant an account any other Administrator role, go to
, select the account to promote, and on the Administration tab click the Delegated Administration switch, then select the corresponding right:
Role | Right |
---|---|
Domain Admin | |
Delegated Admin | |
User Management Admin | |
Group Admin | |
Help Desk Admin | |
Global Administrators#
Also called Infrastructure Administrators, they have access to all features in the Carbonio Admin Panel and API, and can manage every aspect of the Carbonio Infrastructure.
Warning
At least one user in your infrastructure needs to be a Global Administrator, but we recommend having at least two.
This is a list of rights that are reserved to Global Administrators only. These relate to the Carbonio infrastructure as a whole.
|
|
Domain Administrators#
A Domain Admin has full control over the domain and over the lifecycle of the objects of the domain, and has the following rights:
|
|
Delegated (Domain) Administrators#
Delegated (Domain) Administrators have full access to all the settings of a domain, except for infrastructure settings, which are reserved to the Domain Admin. In detail, these are the rights of a Delegated Admin:
|
|
User Management (Domain) Administrators#
A User Management Admin has control over the lifecycle of the users in the domain. These rights are reserved to a User Management Admin:
|
|
Group Management (Domain) Administrator#
A Group Management Admin has control over the lifecycle of the distribution lists of the domain and possesses these rights:
|
|
Help Desk (Domain) Administrators#
Help Desk (Domain) Admins can reset passwords within the domain for all users except administrators, and can manage some user information, both in the Carbonio Admin Panel and via API. In particular, they have these rights:
|
|