Zextras Admin
Delegated Admin Provisioning
What is Delegated Admin Provisioning?
Delegated Admin Provisioning is the set of operations that allow you to grant, edit and revoke Domain Admin rights to a user.
All Delegated Admin Provisioning operations can be performed:
From the Zextras Admin tab of the Administration Zimlet
From the CLI, running the appropriate zxsuite command as the zimbra user
Granting Delegated Admin Rights to a User
From the Administration Zimlet
In the Delegated Admins
section of the Zextras Admin tab in the
Administration Zimlet, click the Add
button.
You will be be prompted for the following information:
Account: The email address to which you want to grant Delegated Admin rights.
Domain: The domain on which the Delegated Admin will have control.
Delegated Auth: Check this box to allow the Delegated Admin to use the
View Mail
features on any mailbox in the selected domain.Grant Limit: The maximum mailbox quota this Delegated Admin can assign to a user.
Edit Features: Defines whether the Delegated Admin is able to edit the contents of the
Features
tab for its assigned users.
Warning
If the Domain Quota
is lower than the Grant
Limit
, the Grant Limit
value will be ignored. Disk space and
Quota limits can be entered in Gigabytes (gb), Megabytes (mb) or
Kilobytes (kb).
From the CLI
To grant Delegated Admin rights to a user, use the
doAddDelegationSettings
command.
zxsuite admin doAddDelegationSettings *account* *domain* [param
VALUE[,VALUE]]
Parameter List
NAME |
TYPE |
EXPECTED VALUES |
DEFAULT |
account(M) |
String |
||
domain(M) |
String |
||
viewMail(O) |
Boolean |
true|false |
false |
editFeatures(O) |
Boolean |
true|false |
false |
adminQuota(O) |
String |
-1 |
(M) == mandatory parameter, (O) – optional parameter
Usage Example
zxsuite admin doAddDelegationSettings john@example.com example.com viewMail true adminQuota -1
Adds John as delegated administrator of domain example.com, with the right to view user mail on such domain and no right to grand quotas to users.
Usage Example
zxsuite admin doAddDelegationSettings john@example.com example.com adminQuota 0
Adds John as delegated administrator of domain example.com, with the right to assign unlimited quotas to users.
Usage Example
zxsuite admin doAddDelegationSettings john@example.com example.com adminQuota 10gb
Adds John as delegated administrator of domain example.com, with the right to assign quotas up to 10gb to each user.
Editing the Rights of an Existing Delegated Admin
From the Administration Zimlet
In the Delegated Admins
section of the Zextras Admin tab in the
Administration Zimlet, select an entry in the list and click the
Edit
button.
You can also double click an entry on the list to edit it.
From the CLI
To edit the rights of an existing Delegated Admin, use the
doEditDelegationSettings
command.
zxsuite admin doEditDelegationSettings *account* *domain* [param
VALUE[,VALUE]]
Parameter List
NAME |
TYPE |
EXPECTED VALUES |
DEFAULT |
account(M) |
String |
||
domain(M) |
String |
||
viewMail(O) |
Boolean |
true|false |
|
editFeatures(O) |
Boolean |
true|false |
|
adminQuota(O) |
String |
(M) == mandatory parameter, (O) – optional parameter
Usage Example
zxsuite admin doEditDelegationSettings john@example.com example.com viewMail true adminQuota -1
Edits John’s delegation rights for domain example.com, with the right to view user mail on such domain and
no right to grand quotas to users.
Usage Example
zxsuite admin doEditDelegationSettings john@example.com example.com adminQuota 0
Edits John’s delegation rights for domain example.com, with the right to assign unlimited quotas to users.
Usage Example
zxsuite admin doEditDelegationSettings john@example.com example.com adminQuota 10gb
Edits John’s delegation rights for domain example.com, with the right to assign quotas up to 10gb to each user.
Revoke Delegated Admin Rights from a User
From the Administration Zimlet
In the Delegated Admins
section of the Zextras Admin Tab in the
Administration Zimlet, select an entry in the list and click the
Delete
button.
From the CLI
To revoke Delegated Admin rights from a user, use the
doRemoveDelegationSettings
command:
zxsuite admin doRemoveDelegationSettings *account* *domain*
Parameter List
NAME |
TYPE |
EXPECTED VALUES |
DEFAULT |
account(M) |
String |
||
domain(M) |
String |
(M) == mandatory parameter, (O) – optional parameter
Usage Example
zxsuite admin doRemoveDelegationSettings john@example.com example.com
John no longer administers domain example.com
Quota Management
What is Quota Management?
Zextras Admin allows the Global Administrator to set two different types
of quota limits: the Grant Limit
and the Domain Quota
.
Neither the Domain Quota
nor the Grant Limit
are mandatory,
meaning that a Delegated Admin can be allowed to grant any quota to a
user and that a domain can lack a maximum quota limit.
The Grant Limit
The Grant Limit
is one of the properties of a Delegated Admin.
It specifies the maximum mailbox quota that the Delegated Admin can grant to a mailbox and can be set and changed in the Delegated Admin’s settings.
Three options are available:
None: The Delegated Admin cannot edit the Quota attribute of a mailbox.
Custom: The Delegated Admin can grant up to the specified value. This overrides any domain/COS quota setting.
Unlimited: The Delegated Admin can grant any quota to the mailbox. This overrides any domain/COS quota setting.
The Domain Quota
The Domain Quota
is a property that specifies the maximum mailbox
quota that any Administrator can grant to a mailbox in the domain.
Warning
Assigning an unlimited quota to a mailbox will override the Domain Quota setting.
Grant Limit
vs Domain Quota
The Grant Limit
and Domain Quota
properties are mutually
exclusive on a restrictive basis.
This means that the following scenarios may occur:
A Global Admin grants a user a higher quota than the allowed Domain Quota.
Since the Domain Quota applies to a given domain, not to a given Admin, the effective quota for the user will be the maximum quota allowed by the
Domain Quota
setting.A Delegated Admin grants a user a higher quota than the allowed Domain Quota
In this case, the effective quota for the user will be the maximum quota allowed by the
Domain Quota
setting, even if the Delegated Admin’s Grant Limit is higher than the Domain Quota.A Delegated Admin’s Grant Limit is lower than the Domain Quota
In this case, the maximum quota that the Delegated Admin can grant to a user will be the one defined by the Grant Limit, even if the Domain Quota is higher. A Global Admin, which is not bound to any Grant Limit restriction, will be allowed to assign any mailbox quota to the user up to the limit allowed by the Domain Quota.
Domain Limits
What is Domain Limit Management (a.k.a. Domain Settings
)?
Domain Limit Management is a feature of the Zextras Admin module. It allows a Global Administrator to set domain level limits that cannot be exceeded by any Administrator.
The only way to exceed a Domain Limit is to change the Domain Limit itself.
Domain Limits
Global Account Limit: The maximum number of accounts that can be created on this domain.
Domain Quota: The maximum mailbox quota that any Administrator can grant to a mailbox in the domain.
COS Limits: Define which Classes of Service can be used for users in the domain and the maximum number of users per Class of Service.
Edit the Limits of a Domain
From the Administration Zimlet
All the domains in the Zimbra infrastructure are listed in the Domain
Settings
list in the Zextras Admin tab of the Administration Zimlet.
To edit the limits of a domain, select the domain from the Domain
Settings
list and press the Edit
button.
From the CLI
To edit the limits of a domain through the CLI, use the
setDomainSettings
command.
zxsuite admin setDomainSettings *domain* [param VALUE[,VALUE]]
Parameter List
NAME |
TYPE |
EXPECTED VALUES |
DEFAULT |
domain(M) |
String |
||
a ccount_limit(O) |
Integer |
no action |
|
domain_a ccount_quota(O) |
String |
no action |
|
rese t_cos_limits(O) |
String |
c osname1:limit1, cosname2:limit2 |
no action |
ad d_cos_limits(O) |
String |
c osname1:limit1, cosname2:limit2 |
no action |
(M) == mandatory parameter, (O) – optional parameter
Usage Example
zxsuite admin setDomainSettings example.com account_limit 100 domain_account_quota 100mb reset_cos_limits cos1:30,cos2:80
Sets a global account limit on the domain example.com of 100 accounts, with a domain account quota of 100 megabytes,
and with cos account limits of 30 for cos1 and 80 for cos2 (removing other cos settings).
Usage Example
zxsuite admin setDomainSettings example.com add_cos_limits cos1:30
Sets cos account limits of 30 for cos1 (leaving other cos settings unchanged).
Reset the Limits of a Domain
From the Administration Zimlet
All the domains in the Zimbra infrastructure are listed in the Domain
Settings
list in the Zextras Admin tab of the Administration Zimlet.
To reset the limits of a domain, select the domain from the Domain
Settings
list and press the Reset
button, then click Ok
in the
confirmation pop-up.
From the CLI
To reset the limits of a Domain through the CLI, use the
resetDomainSettings
command:
zxsuite admin resetDomainSettings *domain*
Parameter List
NAME |
TYPE |
EXPECTED VALUES |
DEFAULT |
domain(M) |
String |
(M) == mandatory parameter, (O) – optional parameter
Usage Example
zxsuite admin resetDomainSettings
Zimbra Administration as a Delegated Admin
Accessing the Zimbra Administration Console as a Delegated Admin
To access the Zimbra Administration Console, connect to port 7071 of your mailserver with a web browser and login with your Zimbra credentials.
Delegated Admin CAN and CAN’T Table
Here is a quick reference of what a Delegated Admin CAN and CAN’T do through the Zextras Admin module.
CAN |
CAN’T |
---|---|
View the account list of any domain for which they are granted Delegate Admin rights |
View the account list belonging to any other domain |
Edit any user account in any domain for which they are granted Delegate Admin rights |
Edit any user account belonging to any other domain |
Edit any alias, distribution list or resource in any domain for which they are granted Delegate Admin rights |
Edit any alias, distribution list or resource belonging to any other domain |
Edit any Global Admin account |
|
Grant Global Admin or Delegated Admin rights to any user |
|
Create an account on a domain for which they are granted Delegated Admin rights |
Create an account on any other domain |
Select the Class Of Service of an account between those available for that account’s domain |
Arbitrarily set the Class of Service of an account between those available on the server |
Edit COS settings |
|
Edit Domain Settings that may interfere with the proper functioning of the server |
|
See or edit any server setting |
|
See or edit any global setting |
Overview of the Zimbra Administration Console for Delegated Admins
Manage
:Accounts
: Manage the Accounts belonging to any domain for which delegated admin rights have been granted.Aliases
: Manage Aliases of accounts belonging to any domain for which delegated admin rights have been granted.Distribution Lists
: Manage the Distribution Lists belonging to any domain for which delegated admin rights have been granted.Resources
: Manage the Resources belonging to any domain for which delegated admin rights have been granted.
Configure
: View the configuration of any domain for which delegated admin rights have been granted.Search
: Perform advanced Searches.Zextras Suite
Zextras Mobile
: Manage the synchronization of mobile devices and clients belonging to any domain for which delegated admin rights have been granted.“Zextras Admin: View the list of Delegated Admins belonging to any domain for which delegated admin rights have been granted as well as quota usage informations.
Search Bar
: Perform quick searches.[username]
: Log Out from the Zimbra Administration Console.
Delegated Admin Log Browsing
What is Delegated Admin Log Browsing?
The Zextras Admin allows a Global Admin to easily keep track of all Admins’ activity through a search-based graphical log browser.
The Zextras Admin Log Browser
The Zextras Admin Log Browser can be accessed by clicking
Browse Logs
in the Zextras Admin tab of the Administration Zimlet.
The Filter Log
pop-up dialog will open, allowing you to apply some
filters to the logs you want to browse.
The available filters are:
Basic
filtersAdmin
: Filter the logs to only view operations performed by a single Domain Admin.Action
: Filter the logs to only view one particular action. See below for the available actions.
Advanced
filtersClient IP
: Filters the logs to only show operations performed from a determined IP address.Show Logins
: Select this checkbox to also show when the Domain Admins log into the Zimbra Web Client.Outcome
: Filters the logs to either show all operations, successful operations or failed operations.Start
andEnd
: Limits the logs shown to a specific timespan (default: the current day).
Clicking the Details
button will apply the selected filters and show
the log browser.
The Action
filter
Any operation an Administrator can perform is available in the drop-down
menu of the Action
filter.
All of these operations are important to keep track of your admin’s actions and to troubleshoot issues.
Auth
: All ZWC authentications.DelegateAuth
: All Delegated Authentications, either through theView Mail
button or through the-z
option of the zmmailbox command.CreateAccount
: All account creations.DeleteAccount
: All account deletions.Set Password
: All mailbox password changes.RemoveAccountAlias
: All alias deletions.DeleteDistributionList
: All distribution lists deletions.
Reports and Information
Zextras Admin Monthly Reports
The Zextras Admin module includes a very useful Monthly Reports
feature that allows Global Administrators to keep track of both
Delegated Admin operations and domain status for a given month.
How does the Monthly Report system work?
On the first day of each month, the Zextras Admin module automatically creates a report based on the data gathered in the Zextras Admin Log.
This monthly report includes:
GLOBAL REPORT |
|
---|---|
First logged action |
Timestamp of the first action performed by an Admin this month |
Last logged action |
Timestamp of the last action performed by an Admin this month |
Last admin login by |
Latest administrative login timestamp |
Most active admin |
Name of the Admin with the highest number of actions logged |
Most used address |
Most common IP Address for admin logins |
Total accounts |
Total number of mailboxes |
Total created accounts |
Number of mailboxes created during the month |
Total deleted accounts |
Number of mailboxes deleted during the month |
Total created domains |
Number of domains created during the month |
Total created distribution lists |
Number of distribution lists created during the month |
Total deleted distribution lists |
Number of distribution lists deleted during the month |
DOMAIN REPORT |
|
---|---|
Domain |
The name of the domain this data refers to |
Last admin login |
Latest administrative login timestamp |
Account/max accounts |
Current and maximum number of accounts |
Current Domain Size |
Sum of the quotas used by all mailboxes in the domain |
Maximum Domain Size |
Sum of the maximum quota of all
mailboxes (excluding
|
Accounts with no quota limit |
Number of mailboxes that don’t have a quota limit |
Total size of accounts with no quota limit |
Sum of the quotas used by all mailboxes with no quota limit |
System Resources in the domain |
Number of system resource accounts in the domain |
Calendar Resources in the domain |
Number of calendar resource accounts in the domain |
Successful domain actions |
Number of successful actions done by admins on this domain |
Unsuccessful domain actions |
Number of unsuccessful actions done by admins on this domain |
ADMIN REPORT |
|
---|---|
Admin |
The name of the admin this data refers to |
Successful logins |
Number of successful logins into the Admin Console |
Unsuccessful logins |
Number of unsuccessful logins into the Admin Console |
View mails |
Number of times this admin used
the |
Last login |
Timestamp of the last login of this admin into the Administration Console |
Most used address |
The email address most used by this admin to login |
Total actions |
The number of actions performed by this admin during the month |
Accounts created |
Number of accounts created by this admin during the month |
Accounts deleted |
Number of accounts deleted by this admin during the month |
How to Access the Monthly Reports
From the Administration Zimlet
To access the Monthly Reports
:
Log into the Zimbra Administration Console as a Global Admin.
On the Zextras Admin tab of the Administration Zimlet, click the
Monthly Reports
button on the top-right of the page.Select the month you wish to view and click
Show Report
.
From the CLI
To view the Monthly Reports from the CLI, use the getMonthlyReport
command.
zxsuite admin getMonthlyReport [param VALUE[,VALUE]]
Parameter List
NAME |
TYPE |
EXPECTED VALUES |
DEFAULT |
month(O) |
String |
mm/yyyy | previousMonth |
previousMonth |
local(O) |
Boolean |
true|false |
false |
(M) == mandatory parameter, (O) – optional parameter
Usage Example
zxsuite admin getMonthlyReport
Shows the monthly report for the previous month
Usage Example
zxsuite admin getMonthlyReport month 10/2015
Shows the monthly report for the month ‘10/2015’.
Note
This command reads the report files generated by the doMonthlyReport command, which is automatically executed once a month.
If no report exists for the specified month in the current Zextras Admin log path, this command will fail.
Partial Reports
To create a partial report for the current month, use the
doMonthlyReport
command.
zxsuite admin doMonthlyReport *start* [param VALUE[,VALUE]]
Parameter List
NAME |
TYPE |
EXPECTED VALUES |
DEFAULT |
action(M) |
String |
start |
|
month(O) |
String |
mm/yyyy | previousMonth |
previousMonth |
force(O) |
Boolean |
true|false |
false |
n otify_admins(O) |
Boolean |
true|false |
false |
(M) == mandatory parameter, (O) – optional parameter
Usage Example
zxsuite admin doMonthlyReport
Generates the monthly report for the previous month and saves it in the currentZextras Admin log path
Usage Example
zxsuite admin doMonthlyReport month 05/2021
Generates a PARTIAL monthly report for the current month, without saving it to disk.
Note
This command is automatically executed once a month to generate a file containing the report for the previous month. To overwrite an existing report file, set the ‘force’ parameter to true.
If you just want to display an existing report, use the getMonthlyReport instead.
The Zextras Admin Log Path
The Zextras Admin Module stores all monthly reports, together with the
logs used to generate the Monthly reports and to provide information via
the Admin Log Browser
feature, in a path inside the
/opt/zimbra/conf/
folder (default
/opt/zimbra/conf/zextras/zxadmin/
). This particular default path has
been chosen because it is the only directory that CANNOT be deleted
during a Zimbra update.
The Zextras Admin Log Path Structure and Contents
The Zextras Admin log path is a flat directory containing the following files:
One or more
YYYY_MM
files containing the logs for the file’s namesake month.Zero or more
YYYY_MM.report
files containing the monthly report for the file’s namesake month.Zero or more
YYYY_MM.X
files containing partial logs for the file’s namesake month. These files are created when changing the Zextras Admin Log Path.
Changing the Zextras Admin Log Path
Warning
Carefully read this paragraph before changing the Zextras
Admin Log Path. Any error on the procedure will cause a potential
log loss that will render the Monthly Report
and Show Admin
Logs
features highly unreliable.
To safely change the Zextras Admin Log Path, follow these steps:
Create the folder that will contain the logs:
The folder’s ownership must be
zimbra:zimbra
.The ‘zimbra’ user must have read and write permissions to the folder.
The folder must be empty.
Log into the Zimbra Administration Console as a Global Admin.
Open the Zextras Admin tab in the Administration Zimlet.
In the
Basic Module Configuration
section, click theChange
button near the Admin Log Path line.Enter the new path and click
Change Path
.If no errors are shown, move all the contents of the old log path.
It’s perfectly normal to only see
.report
and.X
files in the old log path, as the current log file will be given the.1
extension to mark it as a partial. Any previous.X
files will have their extension number increased by 1.
Configuration Reset
What is the Zextras Admin Configuration Reset?
The Zextras Admin Configuration Reset is a free feature of the Zextras Admin module that allows a Global Administrator to completely wipe all delegation rights from the server.
This is not a rollback
feature that cleans the Zextras Admin
module’s configuration. Resetting the Admin Configuration will affect
both Zextras Admin and Zimbra delegation rights.
Warning
Using the Admin Configuration Reset feature will completely wipe all delegation configuration from the server, bringing it back to the state of a fresh installation. Only Admin Delegation settings will be wiped, no other kind of data will be affected.
What does the Admin Configuration Reset clear?
The Admin Configuration Reset clears the following configurations:
The
isDelegatedAdmin
account property for all accounts on the serverAll Access Control Entries and all Access Control Lists for
Users
Domains
Classes of service
Local configuration
Server configuration
Zimlets
When should I use the Admin Config Reset?
The Admin Config Reset should only be used in the following cases:
To completely reset a compromised situation
If one or more wrong ACL or ACE settings cause your Zimbra Administration Console to be unstable or not to properly show (e.g. displaying a blank page or missing one or more UI elements), use the Admin Configuration Reset as a final resolution.
If you plan to stop using the Zextras Admin module
The reset option is available even if no valid Zextras Suite license is active. Remember that this will also wipe any manually set Delegation settings.
How do I use the Admin Configuration Reset?
If you really want to reset the Admin Delegation configuration, simply run this CLI command:
zxsuite core doDeleteAllDelegatedRights
You will be asked to enter a confirmation string to avoid any accidental use of the command.
Zextras Admin CLI
This section contains the index of all zxsuite admin
commands. Full
reference can be found in the dedicated
section ZxAdmin CLI Commands.
doAddDelegationSettings doEditDelegationSettings doExportQuotaHistory doMigrateAdmin doMonthlyReport doRemoveDelegationSettings doRepairAdmin doRestartService doSetZimletRights doShowAdminActivity doStartService doStopAllOperations doStopOperation doStopService getAllOperations getDelegationSettings getDomainSettings getMonthlyReport getProperty getServices monitor resetDomainSettings setDomainSettings setProperty