ZCS Administrator Guide 8.0
Network Edition



Attribute Right
Granting rights at the attribute level allows a delegated administrator or administrator group to modify or view (or not modify or view) a specific attribute on a target.
Types of attribute rights include:
* Attribute (setAttrs) rights allow the domain administrator to modify and view an attribute value. For example, the modifyAccount right allows the domain administrator to modify all attributes of the account.
* Get attribute rights (getAttrs) let the domain administrator view an attribute value. For example, the getAccount right shows all the attributes for a user’s account.
The specific attribute being granted is configured on the target and the type of permission, read (get) or write (set), is specified.
Attribute rights can be granted in any combination of attributes to grant positive or negative rights. This lets you negate some attributes from a grant.
Combo Rights
Combo rights can be assigned to any target type and can include preset rights and attribute rights. You can use a combo right to grant multiple attribute rights quickly on targets.
Negative Rights
Rights can be either positive or negative. Negative rights are rights specifically denied to a grantee.
* When a negative right is granted to an admin group, all administrators in the group are denied that right for the target and sub-targets on which the right is granted.
* When a negative right is granted to an administrator who may or may not be in an admin group, the specific administrator is denied that right for the target and sub-targets on which the right is granted.
An admin group is granted domain administrator rights, including the right to create accounts on Domain1. AdminA is in this admin group, but you want AdminA to have all domain administrator rights, except the right to create accounts. You would grant a negative createAccount right to AdminA on the target Domain1.
For grants on the same level, negative rights always take precedence. For example, AdminGroup1 is granted a positive right to view accounts in a domain; AdminGroup2 is granted a negative right to view accounts in the same domain. AdminA is a member in both admin groups. AdminA cannot view any account in this domain because the negative right takes precedence.
For grants on different levels, the most specific grant takes precedence. For example, AdminA is granted the negative right to view accounts in GroupDistributionList1, of which User1 is a member. AdminA is also granted the positive right to view accounts directly on User1’s account. In this case, AdminA can view User1’s account because the grant on the account target is more specific than the grant on the distribution list.
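The precedence rules above, worked through as a small Python model. This is an added example, not Zimbra's implementation and not code from the guide. It assumes that no applicable grant means the right is denied, ranks a domain target below a distribution list, and uses getAccount for the right to view accounts; the group name DomainAdmins, AdminB and User2 are constructed for illustration.

```python
from dataclasses import dataclass

# Most specific first. The page states only that an account target is more
# specific than a distribution list; ranking domain last is an assumption.
SPECIFICITY = {"account": 0, "dl": 1, "domain": 2}

@dataclass(frozen=True)
class Grant:
    target_type: str        # "account", "dl" or "domain"
    target: str
    grantee: str            # administrator or admin group name
    right: str
    negative: bool = False  # True for a denied (negative) right

def is_allowed(admin, groups, right, covering, grants):
    """covering: (type, name) targets whose grants reach the accessed entry."""
    hits = [g for g in grants
            if g.right == right and g.grantee in {admin, *groups}
            and (g.target_type, g.target) in covering]
    if not hits:
        return False  # assumption of this model: no grant, no right
    best = min(SPECIFICITY[g.target_type] for g in hits)
    # Only the most specific level decides; there, any negative grant wins.
    return not any(g.negative for g in hits
                   if SPECIFICITY[g.target_type] == best)

def page_scenarios():
    """The three examples from the text; AdminB and User2 are constructed."""
    dom, dl = ("domain", "Domain1"), ("dl", "GroupDistributionList1")
    u1, u2 = ("account", "User1"), ("account", "User2")
    create = [Grant(*dom, "DomainAdmins", "createAccount"),
              Grant(*dom, "AdminA", "createAccount", negative=True)]
    by_group = [Grant(*dom, "AdminGroup1", "getAccount"),
                Grant(*dom, "AdminGroup2", "getAccount", negative=True)]
    by_level = [Grant(*dl, "AdminA", "getAccount", negative=True),
                Grant(*u1, "AdminA", "getAccount")]
    admins, both = {"DomainAdmins"}, {"AdminGroup1", "AdminGroup2"}
    return {
        "AdminA_create": is_allowed("AdminA", admins, "createAccount", [dom], create),
        "AdminB_create": is_allowed("AdminB", admins, "createAccount", [dom], create),
        "AdminA_view_groups": is_allowed("AdminA", both, "getAccount", [u1, dom], by_group),
        "AdminA_view_User1": is_allowed("AdminA", set(), "getAccount", [u1, dl], by_level),
        "AdminA_view_User2": is_allowed("AdminA", set(), "getAccount", [u2, dl], by_level),
    }

if __name__ == "__main__":
    for case, allowed in page_scenarios().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The User2 case shows why the account-level positive grant is an exception for User1 only: every other member of the distribution list stays covered by the negative grant.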
Using the Rights List
System rights are listed and described in the Rights folder in the administration console Overview pane. You can use the Rights folder to help you define which system-defined rights to grant to delegated administrators. This folder displays the name of the right, the target types associated with that right, the right type and a brief description.
When you select a right on the page and click on it, another page displays more information
You can use the zmprov CLI to see combo rights.
* Direct sub-rights of a combo right, type zmprov gr adminConsoleDLRights
* Second-level sub-rights of the combo, type zmprov gr adminConsoleDLRights -e
System Defined Rights Lists.
You can use the zmprov CLI to see system defined rights for a specific target.
* Account, type zmprov gar account
* Calendar Resources, type zmprov gar calresource
* COS, type zmprov gar cos
* All rights for accounts and calendar resources can also be granted on distribution list targets. When these rights are granted on a distribution list, the ACEs apply the right to all direct or indirect account or calendar resource members of the distribution list.
* Domain, type zmprov gar domain
  All rights for accounts and calendar resources can also be granted on domain targets.
  All rights for distribution lists can also be granted on domain targets.
  When rights are granted on a domain, the ACEs apply the right to all direct or indirect accounts, calendar resources, and members of the distribution list in the domain.
* Global Config, type zmprov gar config
* Global Grant, type zmprov gar global
  All rights for all other targets can also be granted on the global targets. When any rights are granted on a global grant entry, the ACEs apply the right to all entries on the system. For example, if you grant createAccount (which is a domain right) to AdminA on the global grant entry, AdminA can create accounts in all domains on the system.
* Server, type zmprov gar server
* Zimlets, type zmprov gar zimlet
Copyright © 2012 VMware Inc.