ZCS Administrator's Guide Network Edition 6.0.8
Table of Contents Previous Next Index


Delegated Administration : Implementing Delegated Administration

Implementing Delegated Administration
The global administrator provisions delegated administrators and delegated administrator groups.
Before you create delegated administrators and grant rights, you define the role and which rights to assign to the targets the administrator will manage. If you do not add the correct rights when you create the delegated administrator, you can edit the account later.
For more efficient management of delegated administrators, create administrator groups and add individual administrator accounts to the group. An administrator group allows you to create role-based access control. Administrators with the same or almost the same responsibilities can be grouped into an admin group.
Note: Accounts that are configured as global administrator accounts cannot be granted ACLs. Global administrator accounts automatically have full rights on ZCS. If an ACL is added to a global administrator account, it is ignored. If a delegated administrator account is changed to a global administrator account, any ACLs associated with the account are ignored.
Delegated administration rights can be set up in one of the following methods:
Create admin accounts. Create an administrator or an administrator group and grant rights to the account using the Administrator Wizard.
Configure grants on existing administrator accounts. Add new rights or modify rights to an existing delegated administrator or administrator group account.
Set ACEs directly on a target. Add, modify and delete rights directly in a target’s Access Control List tab.
Creating Administrator Groups and Administrators
In the administration console Manage Accounts section, you use the Administrator wizard to create new administrator or group administrator accounts, add views and grant rights. On the Accounts toolbar, select Administrator from the New drop-down menu.
The wizard walks you through the following steps.
1.
Admin Groups are distribution lists (DL) that have Admin Group enabled, which flags it as a delegated administrator DL. After the admin group administrator is created and configured with rights and admin views, you add administrator user accounts to the admin group.
Admin Account is a user account that has Administrator enabled on the account.
2.
3.
When you click Next or Finished, the account is provisioned. If you select Next you configure the admin views for the account.
If you selected an Administrator Role for this account and do not want to add other rights or views, click Finish. The account is provisioned and added to the administration group specified in the Administrator Role field.
4.
An admin view represents the items the delegated administrator sees when logged on to the administration console. You select the views from the Directly Assigned Admin views list.
If you had assigned an Administrator Role when you created the account, the Inherited Admin Views column would highlight the views that are inherited from the role you assigned.
5.
Click Next. The Configure the Grants dialog displays a list of all the grants necessary to display all the items you selected in the directly assigned views column. You can click Next to accept these rights and add additional rights, Skip to not configure these rights, or Finish to accept these rights and quit the wizard.
6.
Click Next to accept the rights and add additional rights. Add access rights (ACE) to the account. Select the target type, the target name to administer, and the rights to be granted. You can add multiple rights and they can be either positive or negative.
 
 
 
Configure Grants on Administrator Accounts or Admin Groups
You can manage the rights granted to an administrator or an administrator group through the Configure Grants link on the accounts toolbar. When you click Configure Grant on the Manage Accounts Addresses toolbar, the Content pane shows a list of direct and interited grants. You can grant rights, modify rights or delete rights on existing administrator accounts.
Granting ACLs to a Target
When you want to add a specific grantee or specific rights on a target you can edit the target directly. Each target has an ACL tab which lists the granted ACLs. You can add, edit or delete the target’s grants. The administration account (grantee) is updated to reflect the change.

Delegated Administration : Implementing Delegated Administration

Table of Contents Previous Next Index
ZCS Administrator's Guide Network Edition 6.0.8
Copyright © 2010 Zimbra Inc.