ZCS Administrator Guide 8.0
ZCS Administrator Guide 8.0
Network Edition


Delegated Administration > Creating Delegated Administrator Roles

Creating Delegated Administrator Roles
Manage multiple domains
To have one domain administrator manage more than one domain, you assign the rights to manage individual domains to the administrator account or administrator group.
For example, to set up domanadministrator1@example.com to manage domainexample1 and domainexample2.com. Create a new administrator account on one of the domains to be managed.
1.
2.
Select the views that domain administrators need to manage a domain. When the views are selected, the rights associated with these views automatically display on the Configure the Grants dialog.
3.
4.
For Right Name type, adminConsoleAccountRights. Is Positive Right should be selected.
Click Add and More
The Add ACE page displays again and the Right Name field is empty. Type, adminConsoleDLRights and click Add and More.
After the last right, click Add and Finish. The Configure the Grants dialog displays these rights associated with the target domain. If you are adding another domain to manage, click Add and More. Repeat Step 4. If not, click Finish.
Manage Distribution Lists
To assign a user to manage a distribution list, you create a distribution list and enable Admin Group, select the view, grant the distribution list rights, add the user to the list and make that user an administrator.
1.
Go to the Admin Views page and check Distribution List View so the admin can view the distribution list.
Click Save.
2.
In the Configure Grants page, add the following rights.
Change Passwords
To create delegated administrators who only change passwords, you create the admin or admin group, select the views and grant the taskSetPassword combo right.
1.
Account List view to be able to select accounts to change passwords
Alias List view to be able to find users who use an alias instead of account name.
2.
The Configure the Grants page displays recommended grants for the views you have chosen. For Change Password rights, do not configure these grants. Select Skip. Click Add to add the following right:
 
View Mail Access Right
View Mail access right can be granted on accounts, domains, and distribution lists.
account, domain, or distribution list address
*To deny the View Mail right on the target, check the box for Is Negative Right (Deny)
To prevent administrators from viewing an account with a domain or distribution list, assign the Is Negative Right to the account.
Manage Class of Service Assigned to Users
You can expand the domain administrator role to be able to view and change the class of service (COS) assigned to a user. To add the rights to manage the COS for a domain, add the following rights to the domain administrator account or domain administrator admin group.
Add the System Defined Rights to each COS in the domain.
 
Verb: Write
Manage Cross Mailbox Search
This role creates a delegated administrator role that can run the Search Mail tool to search mail archives or live mail for accounts. This also allows the administrator to create, abort, delete, purge or get status of a cross mailbox search request.
Note:
 
adminConsoleCrossMailboxSearchRights
server name where cross mailbox searches can be run
For full functionality, this role includes the ability to create new accounts so that the admin can create the target mailbox to receive the search results. If you do not want this role to have the ability to create accounts, grant the following negative right as well.
 
*To deny the Create Account right on the target, check the box for Is Negative Right (Deny)
If you want this admin to also view the target mailbox with the results of the cross mailbox search, grant the right to view that mailbox only.
 
cross mailbox search target account name
Manage Zimlets
This role creates a delegated administrator role that can create, deploy and view Zimlets.
 
server name or domain address
server name or domain address
Manage Resources
This role creates a delegated administrator that can create and manage resources.
 
server name or domain address
Access to the Saved Searches
This role creates a delegated administrator that can access all the searches saved in the administration console Navigation pane, Search section.
server name or domain address
 
Access to the Server Status Pages
This role creates a delegated administrator that can access the Server Status page. In addition to granting this right, you must also select the Admin View, Global Server Status View.
 
 
 
 
 
 
Note:
Accounts that are configured as global administrator accounts cannot be granted ACLs. Global administrator accounts automatically have full rights on ZCS. If an ACL is added to a global administrator account, it is ignored. If a delegated administrator account is changed to a global administrator account, any ACLs associated with the account are ignored.
 
Copyright © 2012 VMware Inc.