Zextras Admin

Delegated Admin Provisioning

What is Delegated Admin Provisioning?

Delegated Admin Provisioning is the set of operations that allow you to grant, edit and revoke Domain Admin rights to a user.

All Delegated Admin Provisioning operations can be performed:

  • From the Zextras Admin tab of the Administration Zimlet

  • From the CLI, running the appropriate zxsuite command as the zimbra user

Granting Delegated Admin Rights to a User

From the Administration Zimlet

In the Delegated Admins section of the Zextras Admin tab in the Administration Zimlet, click the Add button.

You will be be prompted for the following information:

  • Account: The email address to which you want to grant Delegated Admin rights.

  • Domain: The domain on which the Delegated Admin will have control.

  • Delegated Auth: Check this box to allow the Delegated Admin to use the View Mail features on any mailbox in the selected domain.

  • Grant Limit: The maximum mailbox quota this Delegated Admin can assign to a user.

  • Edit Features: Defines whether the Delegated Admin is able to edit the contents of the Features tab for its assigned users.

Warning

If the Domain Quota is lower than the Grant Limit, the Grant Limit value will be ignored. Disk space and Quota limits can be entered in Gigabytes (gb), Megabytes (mb) or Kilobytes (kb).

From the CLI

To grant Delegated Admin rights to a user, use the doAddDelegationSettings command.

zxsuite admin doAddDelegationSettings *account* *domain* [param
VALUE[,VALUE]]

Parameter List

NAME

TYPE

EXPECTED VALUES

DEFAULT

account(M)

String

domain(M)

String

viewMail(O)

Boolean

true|false

false

editFeatures(O)

Boolean

true|false

false

adminQuota(O)

String

-1

(M) == mandatory parameter, (O) – optional parameter

Usage Example

zxsuite admin doAddDelegationSettings john@example.com example.com viewMail true adminQuota -1

Adds John as delegated administrator of domain example.com, with the right to view user mail on such domain and no right to grand quotas to users.

Usage Example

zxsuite admin doAddDelegationSettings john@example.com example.com adminQuota 0

Adds John as delegated administrator of domain example.com, with the right to assign unlimited quotas to users.

Usage Example

zxsuite admin doAddDelegationSettings john@example.com example.com adminQuota 10gb

Adds John as delegated administrator of domain example.com, with the right to assign quotas up to 10gb to each user.

Editing the Rights of an Existing Delegated Admin

From the Administration Zimlet

In the Delegated Admins section of the Zextras Admin tab in the Administration Zimlet, select an entry in the list and click the Edit button.

You can also double click an entry on the list to edit it.

From the CLI

To edit the rights of an existing Delegated Admin, use the doEditDelegationSettings command.

zxsuite admin doEditDelegationSettings *account* *domain* [param
VALUE[,VALUE]]

Parameter List

NAME

TYPE

EXPECTED VALUES

DEFAULT

account(M)

String

domain(M)

String

viewMail(O)

Boolean

true|false

editFeatures(O)

Boolean

true|false

adminQuota(O)

String

(M) == mandatory parameter, (O) – optional parameter

Usage Example

zxsuite admin doEditDelegationSettings john@example.com example.com viewMail true adminQuota -1

Edits John’s delegation rights for domain example.com, with the right to view user mail on such domain and

no right to grand quotas to users.

Usage Example

zxsuite admin doEditDelegationSettings john@example.com example.com adminQuota 0

Edits John’s delegation rights for domain example.com, with the right to assign unlimited quotas to users.

Usage Example

zxsuite admin doEditDelegationSettings john@example.com example.com adminQuota 10gb

Edits John’s delegation rights for domain example.com, with the right to assign quotas up to 10gb to each user.

Revoke Delegated Admin Rights from a User

From the Administration Zimlet

In the Delegated Admins section of the Zextras Admin Tab in the Administration Zimlet, select an entry in the list and click the Delete button.

From the CLI

To revoke Delegated Admin rights from a user, use the doRemoveDelegationSettings command:

zxsuite admin doRemoveDelegationSettings *account* *domain*

Parameter List

NAME

TYPE

EXPECTED VALUES

DEFAULT

account(M)

String

domain(M)

String

(M) == mandatory parameter, (O) – optional parameter

Usage Example

zxsuite admin doRemoveDelegationSettings john@example.com example.com

John no longer administers domain example.com

Quota Management

What is Quota Management?

Zextras Admin allows the Global Administrator to set two different types of quota limits: the Grant Limit and the Domain Quota.

Neither the Domain Quota nor the Grant Limit are mandatory, meaning that a Delegated Admin can be allowed to grant any quota to a user and that a domain can lack a maximum quota limit.

The Grant Limit

The Grant Limit is one of the properties of a Delegated Admin.

It specifies the maximum mailbox quota that the Delegated Admin can grant to a mailbox and can be set and changed in the Delegated Admin’s settings.

Three options are available:

  • None: The Delegated Admin cannot edit the Quota attribute of a mailbox.

  • Custom: The Delegated Admin can grant up to the specified value. This overrides any domain/COS quota setting.

  • Unlimited: The Delegated Admin can grant any quota to the mailbox. This overrides any domain/COS quota setting.

The Domain Quota

The Domain Quota is a property that specifies the maximum mailbox quota that any Administrator can grant to a mailbox in the domain.

Warning

Assigning an unlimited quota to a mailbox will override the Domain Quota setting.

Grant Limit vs Domain Quota

The Grant Limit and Domain Quota properties are mutually exclusive on a restrictive basis.

This means that the following scenarios may occur:

  • A Global Admin grants a user a higher quota than the allowed Domain Quota.

    Since the Domain Quota applies to a given domain, not to a given Admin, the effective quota for the user will be the maximum quota allowed by the Domain Quota setting.

  • A Delegated Admin grants a user a higher quota than the allowed Domain Quota

    In this case, the effective quota for the user will be the maximum quota allowed by the Domain Quota setting, even if the Delegated Admin’s Grant Limit is higher than the Domain Quota.

  • A Delegated Admin’s Grant Limit is lower than the Domain Quota

    In this case, the maximum quota that the Delegated Admin can grant to a user will be the one defined by the Grant Limit, even if the Domain Quota is higher. A Global Admin, which is not bound to any Grant Limit restriction, will be allowed to assign any mailbox quota to the user up to the limit allowed by the Domain Quota.

Domain Limits

What is Domain Limit Management (a.k.a. Domain Settings)?

Domain Limit Management is a feature of the Zextras Admin module. It allows a Global Administrator to set domain level limits that cannot be exceeded by any Administrator.

The only way to exceed a Domain Limit is to change the Domain Limit itself.

Domain Limits

  • Global Account Limit: The maximum number of accounts that can be created on this domain.

  • Domain Quota: The maximum mailbox quota that any Administrator can grant to a mailbox in the domain.

  • COS Limits: Define which Classes of Service can be used for users in the domain and the maximum number of users per Class of Service.

Edit the Limits of a Domain

From the Administration Zimlet

All the domains in the Zimbra infrastructure are listed in the Domain Settings list in the Zextras Admin tab of the Administration Zimlet.

To edit the limits of a domain, select the domain from the Domain Settings list and press the Edit button.

From the CLI

To edit the limits of a domain through the CLI, use the setDomainSettings command.

zxsuite admin setDomainSettings *domain* [param VALUE[,VALUE]]

Parameter List

NAME

TYPE

EXPECTED VALUES

DEFAULT

domain(M)

String

a ccount_limit(O)

Integer

no action

domain_a ccount_quota(O)

String

no action

rese t_cos_limits(O)

String

c osname1:limit1, cosname2:limit2

no action

ad d_cos_limits(O)

String

c osname1:limit1, cosname2:limit2

no action

(M) == mandatory parameter, (O) – optional parameter

Usage Example

zxsuite admin setDomainSettings example.com account_limit 100 domain_account_quota 100mb reset_cos_limits cos1:30,cos2:80

Sets a global account limit on the domain example.com of 100 accounts, with a domain account quota of 100 megabytes,

and with cos account limits of 30 for cos1 and 80 for cos2 (removing other cos settings).

Usage Example

zxsuite admin setDomainSettings example.com add_cos_limits cos1:30

Sets cos account limits of 30 for cos1 (leaving other cos settings unchanged).

Reset the Limits of a Domain

From the Administration Zimlet

All the domains in the Zimbra infrastructure are listed in the Domain Settings list in the Zextras Admin tab of the Administration Zimlet.

To reset the limits of a domain, select the domain from the Domain Settings list and press the Reset button, then click Ok in the confirmation pop-up.

From the CLI

To reset the limits of a Domain through the CLI, use the resetDomainSettings command:

zxsuite admin resetDomainSettings *domain*

Parameter List

NAME

TYPE

EXPECTED VALUES

DEFAULT

domain(M)

String

(M) == mandatory parameter, (O) – optional parameter

Usage Example

zxsuite admin resetDomainSettings

Zimbra Administration as a Delegated Admin

Accessing the Zimbra Administration Console as a Delegated Admin

To access the Zimbra Administration Console, connect to port 7071 of your mailserver with a web browser and login with your Zimbra credentials.

E.g: https://mail.example.com:7071

Delegated Admin CAN and CAN’T Table

Here is a quick reference of what a Delegated Admin CAN and CAN’T do through the Zextras Admin module.

CAN

CAN’T

View the account list of any domain for which they are granted Delegate Admin rights

View the account list belonging to any other domain

Edit any user account in any domain for which they are granted Delegate Admin rights

Edit any user account belonging to any other domain

Edit any alias, distribution list or resource in any domain for which they are granted Delegate Admin rights

Edit any alias, distribution list or resource belonging to any other domain

Edit any Global Admin account

Grant Global Admin or Delegated Admin rights to any user

Create an account on a domain for which they are granted Delegated Admin rights

Create an account on any other domain

Select the Class Of Service of an account between those available for that account’s domain

Arbitrarily set the Class of Service of an account between those available on the server

Edit COS settings

Edit Domain Settings that may interfere with the proper functioning of the server

See or edit any server setting

See or edit any global setting

Overview of the Zimbra Administration Console for Delegated Admins

  • Manage:

    • Accounts: Manage the Accounts belonging to any domain for which delegated admin rights have been granted.

    • Aliases: Manage Aliases of accounts belonging to any domain for which delegated admin rights have been granted.

    • Distribution Lists: Manage the Distribution Lists belonging to any domain for which delegated admin rights have been granted.

    • Resources: Manage the Resources belonging to any domain for which delegated admin rights have been granted.

  • Configure: View the configuration of any domain for which delegated admin rights have been granted.

  • Search: Perform advanced Searches.

  • Zextras Suite

    • Zextras Mobile: Manage the synchronization of mobile devices and clients belonging to any domain for which delegated admin rights have been granted.

    • “Zextras Admin: View the list of Delegated Admins belonging to any domain for which delegated admin rights have been granted as well as quota usage informations.

  • Search Bar: Perform quick searches.

  • [username]: Log Out from the Zimbra Administration Console.

Delegated Admin Log Browsing

What is Delegated Admin Log Browsing?

The Zextras Admin allows a Global Admin to easily keep track of all Admins’ activity through a search-based graphical log browser.

The Zextras Admin Log Browser

The Zextras Admin Log Browser can be accessed by clicking Browse Logs in the Zextras Admin tab of the Administration Zimlet. The Filter Log pop-up dialog will open, allowing you to apply some filters to the logs you want to browse.

The available filters are:

  • Basic filters

    • Admin: Filter the logs to only view operations performed by a single Domain Admin.

    • Action: Filter the logs to only view one particular action. See below for the available actions.

  • Advanced filters

    • Client IP: Filters the logs to only show operations performed from a determined IP address.

    • Show Logins: Select this checkbox to also show when the Domain Admins log into the Zimbra Web Client.

    • Outcome: Filters the logs to either show all operations, successful operations or failed operations.

    • Start and End: Limits the logs shown to a specific timespan (default: the current day).

Clicking the Details button will apply the selected filters and show the log browser.

The Action filter

Any operation an Administrator can perform is available in the drop-down menu of the Action filter.

All of these operations are important to keep track of your admin’s actions and to troubleshoot issues.

  • Auth: All ZWC authentications.

  • DelegateAuth: All Delegated Authentications, either through the View Mail button or through the -z option of the zmmailbox command.

  • CreateAccount: All account creations.

  • DeleteAccount: All account deletions.

  • Set Password: All mailbox password changes.

  • RemoveAccountAlias: All alias deletions.

  • DeleteDistributionList: All distribution lists deletions.

Reports and Information

Zextras Admin Monthly Reports

The Zextras Admin module includes a very useful Monthly Reports feature that allows Global Administrators to keep track of both Delegated Admin operations and domain status for a given month.

How does the Monthly Report system work?

On the first day of each month, the Zextras Admin module automatically creates a report based on the data gathered in the Zextras Admin Log.

This monthly report includes:

GLOBAL REPORT

First logged action

Timestamp of the first action performed by an Admin this month

Last logged action

Timestamp of the last action performed by an Admin this month

Last admin login by

Latest administrative login timestamp

Most active admin

Name of the Admin with the highest number of actions logged

Most used address

Most common IP Address for admin logins

Total accounts

Total number of mailboxes

Total created accounts

Number of mailboxes created during the month

Total deleted accounts

Number of mailboxes deleted during the month

Total created domains

Number of domains created during the month

Total created distribution lists

Number of distribution lists created during the month

Total deleted distribution lists

Number of distribution lists deleted during the month

DOMAIN REPORT

Domain

The name of the domain this data refers to

Last admin login

Latest administrative login timestamp

Account/max accounts

Current and maximum number of accounts

Current Domain Size

Sum of the quotas used by all mailboxes in the domain

Maximum Domain Size

Sum of the maximum quota of all mailboxes (excluding Unlimited mailboxes)

Accounts with no quota limit

Number of mailboxes that don’t have a quota limit

Total size of accounts with no quota limit

Sum of the quotas used by all mailboxes with no quota limit

System Resources in the domain

Number of system resource accounts in the domain

Calendar Resources in the domain

Number of calendar resource accounts in the domain

Successful domain actions

Number of successful actions done by admins on this domain

Unsuccessful domain actions

Number of unsuccessful actions done by admins on this domain

ADMIN REPORT

Admin

The name of the admin this data refers to

Successful logins

Number of successful logins into the Admin Console

Unsuccessful logins

Number of unsuccessful logins into the Admin Console

View mails

Number of times this admin used the View Mail feature during the month

Last login

Timestamp of the last login of this admin into the Administration Console

Most used address

The email address most used by this admin to login

Total actions

The number of actions performed by this admin during the month

Accounts created

Number of accounts created by this admin during the month

Accounts deleted

Number of accounts deleted by this admin during the month

How to Access the Monthly Reports

From the Administration Zimlet

To access the Monthly Reports:

  • Log into the Zimbra Administration Console as a Global Admin.

  • On the Zextras Admin tab of the Administration Zimlet, click the Monthly Reports button on the top-right of the page.

  • Select the month you wish to view and click Show Report.

From the CLI

To view the Monthly Reports from the CLI, use the getMonthlyReport command.

zxsuite admin getMonthlyReport [param VALUE[,VALUE]]

Parameter List

NAME

TYPE

EXPECTED VALUES

DEFAULT

month(O)

String

mm/yyyy | previousMonth

previousMonth

local(O)

Boolean

true|false

false

(M) == mandatory parameter, (O) – optional parameter

Usage Example

zxsuite admin getMonthlyReport

Shows the monthly report for the previous month

Usage Example

zxsuite admin getMonthlyReport month 10/2015

Shows the monthly report for the month ‘10/2015’.

Note

This command reads the report files generated by the doMonthlyReport command, which is automatically executed once a month.

If no report exists for the specified month in the current Zextras Admin log path, this command will fail.

Partial Reports

To create a partial report for the current month, use the doMonthlyReport command.

zxsuite admin doMonthlyReport *start* [param VALUE[,VALUE]]

Parameter List

NAME

TYPE

EXPECTED VALUES

DEFAULT

action(M)

String

start

month(O)

String

mm/yyyy | previousMonth

previousMonth

force(O)

Boolean

true|false

false

n otify_admins(O)

Boolean

true|false

false

(M) == mandatory parameter, (O) – optional parameter

Usage Example

zxsuite admin doMonthlyReport

Generates the monthly report for the previous month and saves it in the currentZextras Admin log path

Usage Example

zxsuite admin doMonthlyReport month 05/2021

Generates a PARTIAL monthly report for the current month, without saving it to disk.

Note

This command is automatically executed once a month to generate a file containing the report for the previous month. To overwrite an existing report file, set the ‘force’ parameter to true.

If you just want to display an existing report, use the getMonthlyReport instead.

The Zextras Admin Log Path

The Zextras Admin Module stores all monthly reports, together with the logs used to generate the Monthly reports and to provide information via the Admin Log Browser feature, in a path inside the /opt/zimbra/conf/ folder (default /opt/zimbra/conf/zextras/zxadmin/). This particular default path has been chosen because it is the only directory that CANNOT be deleted during a Zimbra update.

The Zextras Admin Log Path Structure and Contents

The Zextras Admin log path is a flat directory containing the following files:

  • One or more YYYY_MM files containing the logs for the file’s namesake month.

  • Zero or more YYYY_MM.report files containing the monthly report for the file’s namesake month.

  • Zero or more YYYY_MM.X files containing partial logs for the file’s namesake month. These files are created when changing the Zextras Admin Log Path.

Changing the Zextras Admin Log Path

Warning

Carefully read this paragraph before changing the Zextras Admin Log Path. Any error on the procedure will cause a potential log loss that will render the Monthly Report and Show Admin Logs features highly unreliable.

To safely change the Zextras Admin Log Path, follow these steps:

  • Create the folder that will contain the logs:

    • The folder’s ownership must be zimbra:zimbra.

    • The ‘zimbra’ user must have read and write permissions to the folder.

    • The folder must be empty.

  • Log into the Zimbra Administration Console as a Global Admin.

  • Open the Zextras Admin tab in the Administration Zimlet.

  • In the Basic Module Configuration section, click the Change button near the Admin Log Path line.

  • Enter the new path and click Change Path.

  • If no errors are shown, move all the contents of the old log path.

    • It’s perfectly normal to only see .report and .X files in the old log path, as the current log file will be given the .1 extension to mark it as a partial. Any previous .X files will have their extension number increased by 1.

Configuration Reset

What is the Zextras Admin Configuration Reset?

The Zextras Admin Configuration Reset is a free feature of the Zextras Admin module that allows a Global Administrator to completely wipe all delegation rights from the server.

This is not a rollback feature that cleans the Zextras Admin module’s configuration. Resetting the Admin Configuration will affect both Zextras Admin and Zimbra delegation rights.

Warning

Using the Admin Configuration Reset feature will completely wipe all delegation configuration from the server, bringing it back to the state of a fresh installation. Only Admin Delegation settings will be wiped, no other kind of data will be affected.

What does the Admin Configuration Reset clear?

The Admin Configuration Reset clears the following configurations:

  • The isDelegatedAdmin account property for all accounts on the server

  • All Access Control Entries and all Access Control Lists for

    • Users

    • Domains

    • Classes of service

    • Local configuration

    • Server configuration

    • Zimlets

When should I use the Admin Config Reset?

The Admin Config Reset should only be used in the following cases:

  • To completely reset a compromised situation

    • If one or more wrong ACL or ACE settings cause your Zimbra Administration Console to be unstable or not to properly show (e.g. displaying a blank page or missing one or more UI elements), use the Admin Configuration Reset as a final resolution.

  • If you plan to stop using the Zextras Admin module

    • The reset option is available even if no valid Zextras Suite license is active. Remember that this will also wipe any manually set Delegation settings.

How do I use the Admin Configuration Reset?

If you really want to reset the Admin Delegation configuration, simply run this CLI command:

zxsuite core doDeleteAllDelegatedRights

You will be asked to enter a confirmation string to avoid any accidental use of the command.

Zextras Admin CLI

This section contains the index of all zxsuite admin commands. Full reference can be found in the dedicated section ZxAdmin CLI Commands.

doAddDelegationSettings doEditDelegationSettings doExportQuotaHistory doMigrateAdmin doMonthlyReport doRemoveDelegationSettings doRepairAdmin doRestartService doSetZimletRights doShowAdminActivity doStartService doStopAllOperations doStopOperation doStopService getAllOperations getDelegationSettings getDomainSettings getMonthlyReport getProperty getServices monitor resetDomainSettings setDomainSettings setProperty