ZCS Administrator Guide 8.0
Network Edition



Rights
Rights are the functions that a delegated administrator can or cannot perform on a named target. A right can be either a system-defined right or an attribute right.
System-defined rights
Types of system defined rights include:
* Preset rights (preset). For example, createAccount creates an account; renameDomain renames the domain.
Preset rights are associated with a fixed target type. For example, createAccount is a right only on a domain; renameAccount is a right on an account; getServer is a right on a server.
No other rights are required to administer that action on the target.
Preset rights could involve accessing multiple targets. The grantee needs to have adequate rights on all pertinent targets. For example, to create an alias for an account, the grantee must have rights to add an alias to an account and to create an alias on a domain.
Attribute Right
Granting rights at the attribute level allows a delegated administrator or administrator group to modify or view (or not modify or view) a specific attribute on a target.
Types of attribute rights include:
* Attribute (setAttrs) rights allow the domain administrator to modify and view an attribute value. For example, the modifyAccount right allows the domain administrator to modify all attributes of the account.
* Get attribute rights (getAttrs) let the domain administrator view an attribute value. For example, the getAccount right shows all the attributes for a user’s account.
The specific attribute being granted is configured on the target and the type of permission, read (get) or write (set), is specified.
Attribute rights can be granted in any combination of attributes to grant positive or negative rights. This lets you negate some attributes from a grant.
Combo Rights
Combo rights can be assigned to any target type and can include preset rights and attribute rights. You can use a combo right to grant multiple attribute rights quickly on targets.
Negative Rights
Rights can be either positive or negative. Negative rights are rights specifically denied to a grantee.
An admin group is granted domain administrator rights, including the right to create accounts on Domain1. AdminA is in this admin group, but you want AdminA to have all domain administrator rights, except the right to create accounts. You would grant a negative createAccount right to AdminA on the target Domain1.
For grants on the same level, negative rights always take precedence. For example, AdminGroup1 is granted a positive right to view accounts in a domain; AdminGroup2 is granted a negative right to view accounts in the same domain. AdminA is a member of both admin groups. AdminA cannot view any account in this domain because the negative right takes precedence.
For grants on different levels, the most specific grant takes precedence. For example, AdminA is granted the negative right to view accounts in GroupDistributionList1, of which User1 is a member. AdminA is also granted the positive right to view the account directly on User1’s account. In this case, AdminA can view User1’s account because the grant on the account target is more specific than the grant on the distribution list.
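The two precedence rules above, written out as a small resolver and run against the three AdminA examples. This is an added illustration, not Zimbra's implementation or code from the guide; the level ordering beyond account and distribution list, the default-deny fallback, and the names DomainAdmins and Domain2 are assumptions of the example.

```python
from dataclasses import dataclass

# Most specific target level first. The page only states that an account grant
# is more specific than a distribution list grant; ranking domain and global
# after them is an assumption of this example.
LEVELS = ("account", "dl", "domain", "global")

@dataclass(frozen=True)
class Grant:
    grantee: str        # administrator or admin group
    right: str
    level: str          # one of LEVELS
    target: str         # target name (ignored for "global")
    deny: bool = False  # True for a negative right

def is_allowed(admin, groups, right, entry, grants):
    """entry maps a level to the target names covering the entry being acted
    on, e.g. {"account": {"User1"}, "dl": {"GroupDistributionList1"}}."""
    grantees = {admin, *groups}
    for level in LEVELS:
        hits = [g for g in grants
                if g.right == right and g.grantee in grantees and g.level == level
                and (level == "global" or g.target in entry.get(level, ()))]
        if hits:
            # Same level: one negative grant overrides every positive grant.
            return not any(g.deny for g in hits)
    return False  # assumption: no applicable grant means no right

# Constructed grants mirroring the three examples in the text. "DomainAdmins"
# and "Domain2" are made-up names; getAccount stands in for "view accounts".
GRANTS = [
    Grant("DomainAdmins", "createAccount", "domain", "Domain1"),
    Grant("AdminA", "createAccount", "domain", "Domain1", deny=True),
    Grant("AdminGroup1", "getAccount", "domain", "Domain2"),
    Grant("AdminGroup2", "getAccount", "domain", "Domain2", deny=True),
    Grant("AdminA", "getAccount", "dl", "GroupDistributionList1", deny=True),
    Grant("AdminA", "getAccount", "account", "User1"),
]

if __name__ == "__main__":
    both = {"AdminGroup1", "AdminGroup2"}
    print(is_allowed("AdminA", {"DomainAdmins"}, "createAccount",
                     {"domain": {"Domain1"}}, GRANTS))
    print(is_allowed("AdminA", both, "getAccount",
                     {"domain": {"Domain2"}}, GRANTS))
    print(is_allowed("AdminA", (), "getAccount",
                     {"account": {"User1"}, "dl": {"GroupDistributionList1"}}, GRANTS))
```

When auditing real grants, the same walk is useful for spotting a broad positive grant on a domain or global target that a narrower negative grant was meant to restrict.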
Using the Rights List
System rights are listed and described in the Rights folder in the administration console Overview pane. You can use the Rights folder to help you define which system-defined rights to grant to delegated administrators. This folder displays the name of the right, the target types associated with that right, the right type and a brief description.
When you select a right on the page and click on it, another page displays more information.
You can use the zmprov CLI to see combo rights.
* Direct sub-rights of a combo right, type zmprov gr adminConsoleDLRights
* Second-level sub-rights of the combo, type zmprov gr adminConsoleDLRights -e
System-Defined Rights Lists
You can use the zmprov CLI to see system defined rights for a specific target.
* Account, type zmprov gar account
* Calendar Resources, type zmprov gar calresource
* COS, type zmprov gar cos
* All rights for accounts and calendar resources can also be granted on distribution list targets. When these rights are granted on a distribution list, the ACEs apply the right to all direct or indirect account or calendar resource members of the distribution list.
* Domain, type zmprov gar domain
All rights for accounts and calendar resources can also be granted on domain targets.
All rights for distribution lists can also be granted on domain targets.
When rights are granted on a domain, the ACEs apply the right to all direct or indirect accounts, calendar resources, and members of distribution lists in the domain.
* Global Config, type zmprov gar config
* Global Grant, type zmprov gar global
All rights for all other targets can also be granted on the global targets. When any rights are granted on a global grant entry, the ACEs apply the right to all entries on the system. For example, if you grant createAccount (which is a domain right) to AdminA on the global grant entry, AdminA can create accounts in all domains on the system.
* Server, type zmprov gar server
* Zimlets, type zmprov gar zimlet
Copyright © 2012 VMware Inc.