ZCS Administrator's Guide Network Edition 6.0.8
How Delegated Administration Rights are Granted
Delegated administration provides a way to define access control limits on targets and grant rights to administrators to perform tasks on the target.
Selecting Target Types
A target is a ZCS object on which rights can be granted. Each target is associated with a target type that identifies the type of access control entries you can grant on the target. When selecting a target type for a target, consider the following.
Selecting a Target
On which specific target are you granting rights? For example, if the target type you select is “domain”, which domain do you mean? You specify a specific domain’s name (Target Name = example.com), and the ACEs are granted on that target.
Do the Rights Work with the Target Type
Is the right you want to grant applicable to the selected target type? A right can only be applied on the type or types of object that are relevant to the target type.
For example, creating an account can only apply to the domain target type, and setting passwords can only apply to the account and calendar resource target types. If a right is granted on a target to which it is not applicable, the grant is ignored.
Scope of Rights Across Selected Target Type
When defining rights, you need to consider the scope of targets in which granted rights are effective. Domain targets can include account, calendar resource, and distribution list rights, as well as specific rights on the domain. For example, the right to set the password is applicable only to accounts and calendar resources, but if this right is included in the domain target’s list of rights, it is effective for all accounts and calendar resources in the domain.
When a distribution list is the target, the rights granted apply as follows:
If the right is applicable to distribution lists, it applies to the distribution list and all distribution lists under this distribution list.
If the right is applicable to accounts and calendar resources, it applies to all accounts and calendar resources that are direct or indirect members of this distribution list.
Domain entry is only applicable to a specific domain, not to any sub-domains.
When domain is the target, the rights granted can be given for all accounts, calendar resources and distribution lists in the domain.
The global ACL is used to grant administrator rights for all entries in a target type. For example, you could add an ACE to the Global ACL that grants the right to create accounts on domains.
Delegated administrator accounts that are granted this right can create accounts in all domains in the system.
Rights
Rights are the functions that a delegated administrator can or cannot perform on a named target. Right types can be either system-defined rights or attribute rights.
System-defined rights
Four types of system defined rights can be granted: preset, setAttrs, getAttrs, and combo.
Preset rights (preset) are described as:
Having a predefined, fixed implication on targets. For example, createAccount creates an account; renameDomain renames the domain.
Associated with a fixed target type. For example, createAccount is a right only on a domain; renameAccount is a right on an account; getServer is a right on a server.
Independent of other rights on the same target. No other rights are required to administer that action on the target.
Possibly requires granting rights on multiple targets in order for the right to be valid. If the right involves accessing multiple targets, the grantee needs to have adequate rights on all pertinent targets. For example, to create an alias for an account, the grantee must have rights to add an alias to an account and to create an alias on a domain.
The set attribute right (setAttrs) allows the domain administrator to modify and view an attribute value. For example, the modifyAccount right allows the domain administrator to modify all attributes of the account.
Get attribute rights (getAttrs) lets the domain administrator view an attribute value. For example, the getAccount right would show all the attributes for a user’s account.
A combo right is a right that contains other rights. Combo rights can be assigned to any target type. You can use a combo right to grant multiple attribute rights quickly on targets.
System rights are listed and described in the Rights folder in the administration console Overview pane.
You can use the Rights folder to help you define which system-defined rights to grant to delegated administrators. This folder displays the name of the right, the target types associated with that right, the right type and a brief description.
System-Defined Rights List on Administration Console
When you select a right on the page and click on it, another page displays more information about that right.
Detailed View of Combo Rights
System-defined rights can be granted as positive or negative rights. This lets you negate some right from a combo right or attributes from the other system-defined rights.
System-Defined Rights Lists
You can use the zmprov CLI to see system defined rights for a specific target.
Account: type zmprov gar account
Calendar Resources: type zmprov gar calresource
COS: type zmprov gar cos
Distribution List: all rights for accounts and calendar resources can also be granted on distribution list targets. When these rights are granted on a distribution list, the ACEs apply the right to all direct or indirect account or calendar resource members of the distribution list.
Domain: type zmprov gar domain
All rights for accounts and calendar resources can also be granted on domain targets.
All rights for distribution lists can also be granted on domain targets.
When rights are granted on a domain, the ACEs apply the right to all accounts, calendar resources, and distribution lists in the domain, whether they are direct or indirect members.
Global Config: type zmprov gar config
Global Grant: type zmprov gar global
All rights for all other targets can also be granted on the global targets. When any rights are granted on a global grant entry, the ACEs apply the right to all entries on the system. For example, if you grant createAccount (which is a domain right) to AdminA on the global grant entry, AdminA can create accounts in all domains on the system.
Server: type zmprov gar server
Zimlets: type zmprov gar zimlet
Attribute Right
An attribute right is specific to a defined attribute. Granting rights at the attribute level allows a delegated administrator or administrator group to modify or view (or not modify or view) a specific attribute on a target.
The specific attribute being granted is configured on the target and the type of permission, read (get) or write (set), is specified. To create an ACE based on an attribute right:
Note: If you want to see a list of all the attributes, use the zmprov desc CLI. Note that this list also contains attributes that cannot be granted as rights.
The example below adds the right to view the status of accounts on a domain.
Attribute rights can be granted in any combination of attributes to grant positive or negative rights. This lets you negate some attributes from a grant.
Positive or Negative Rights
Rights can be either positive or negative. Negative rights are rights specifically denied to a grantee. Negative rights can be granted to administrator groups and individual administrators. The purpose of having negative rights is to be able to revoke a right granted to a wider scope of grantees or granted on a wider scope of targets.
When a negative right is granted to an admin group, all administrators in the group are denied that right for the target and sub-targets on which the right is granted.
When a negative right is granted to an administrator who may or may not be in an admin group, the specific administrator is denied that right for the target and sub-targets on which the right is granted.
Example of applying a negative right to remove certain rights to specific administrators in an admin group
An admin group is granted domain administrator rights, including the right to create accounts on Domain1. AdminA is in this admin group, but you want AdminA to have all domain administrator rights, except the right to create accounts. You would grant a negative createAccount right to AdminA on the target Domain1.
Example of applying a negative right to remove a right on certain sub-targets
If an admin group is granted the right to view accounts in a domain from the administration console, but you do not want the admins in this group to view specific executive accounts, such as the CEO and CFO accounts, you would grant a negative adminLoginAs right to this admin group directly on each target account, in this case the CEO’s and CFO’s accounts. No one in this admin group can then log in as an admin to these two accounts.
For grants on the same level, negative rights always take precedence. For example, AdminGroup1 is granted a positive right to view accounts in a domain; AdminGroup2 is granted a negative right to view accounts in the same domain. AdminA is a member of both admin groups. AdminA cannot view any account in this domain because the negative right takes precedence.
For grants on different levels, the most specific grant takes precedence. For example, AdminA is granted the negative right to view accounts on GroupDistributionList1, of which User1 is a member. AdminA is also granted the positive right to view accounts directly on User1’s account. In this case, AdminA can view User1’s account, because the grant on the account target is more specific than the grant on the distribution list.
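The two precedence rules above (negative wins on the same level, the more specific target wins across levels), worked through as an added example written for this page; it is a model of the stated rules, not Zimbra's implementation, and the target ordering global > domain > distribution list > account and the names DomainAdmins, Domain1 and GroupDistributionList1 are assumptions for illustration.

```python
# Added illustration of the precedence rules described above, written for this
# page; it models the stated rules and is not Zimbra's own implementation.
from dataclasses import dataclass

# Assumed target ordering, least to most specific: global grant > domain >
# distribution list (direct and indirect members) > the account itself.
SPECIFICITY = {"global": 0, "domain": 1, "dl": 2, "account": 3}

@dataclass(frozen=True)
class Grant:
    target_type: str   # key of SPECIFICITY
    target: str        # entry name, e.g. "Domain1"
    grantee: str       # admin or admin-group name
    right: str         # e.g. "createAccount"
    positive: bool     # False for a negative (denied) right

def effective(grants, admin, groups, right, scope):
    """True (allowed), False (denied) or None (no applicable grant).

    groups: admin groups the admin is a member of.  scope: per target type, the
    entry on that level covering the final target, e.g. {"domain": "Domain1",
    "dl": "GroupDistributionList1", "account": "User1"}.
    """
    grantees = {admin} | set(groups)
    applicable = [g for g in grants if g.right == right
                  and g.grantee in grantees and scope.get(g.target_type) == g.target]
    if not applicable:
        return None
    # Across levels the most specific grant decides...
    top = max(SPECIFICITY[g.target_type] for g in applicable)
    decisive = [g for g in applicable if SPECIFICITY[g.target_type] == top]
    # ...and on that level a negative grant always takes precedence.
    return all(g.positive for g in decisive)

def group_positive_admin_negative():
    # The group may create accounts on Domain1, but AdminA personally holds a
    # negative createAccount on the same domain: same level, so negative wins.
    grants = [Grant("domain", "Domain1", "DomainAdmins", "createAccount", True),
              Grant("domain", "Domain1", "AdminA", "createAccount", False)]
    return effective(grants, "AdminA", {"DomainAdmins"}, "createAccount",
                     {"domain": "Domain1"})

def account_grant_beats_list_grant():
    # Negative on GroupDistributionList1, positive directly on User1's account:
    # the account-level grant is more specific and wins.
    grants = [Grant("dl", "GroupDistributionList1", "AdminA", "getAccount", False),
              Grant("account", "User1", "AdminA", "getAccount", True)]
    return effective(grants, "AdminA", set(), "getAccount", {"domain": "Domain1",
                     "dl": "GroupDistributionList1", "account": "User1"})
```

In ZCS itself the corresponding grants are created with zmprov grantRight (grr), where a leading minus sign on the right name marks it as negative.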

Copyright © 2010 Zimbra Inc.