Target Types for Granting Administrative Rights

Delegated administration provides a way to define access control limits on targets and grant rights to administrators to perform tasks on the target. A target is a ZCS object on which rights can be granted. Each target is associated with a target type that identifies the type of access control entries you can grant on the target.

When selecting a target type for a target, consider the following:

- Target. On which specific target are you granting rights? For example, if the target type you select is “domain”, which domain do you mean? You specify a specific domain’s name (Target Name = example.com). Access Control Entries (ACE) are granted on that target. An ACE is stored in an LDAP attribute on the target entry.
- Is the right you want to grant applicable to the selected target type? A right can only be applied on the relevant target type. For example, creating an account can only apply to a domain target type, and setting passwords can only apply to account and calendar resource target types. If a right is granted on a target to which it is not applicable, the grant is ignored.

When defining rights, you need to consider the scope of targets in which granted rights are effective. For example, the right to set the password is applicable only to accounts and calendar resources, but if this right is included in the domain target's list of rights, it is effective for all accounts and calendar resources in the domain.

| Target Type | Description of Target Scope |
|---|---|
| Account | An account entry (a specific user) |
| Calendar Resource | A calendar resource entry |
| COS | COS entry |
| Distribution List | Includes the distribution list and all distribution lists under this distribution list. If the right is applicable to accounts and calendar resources, all accounts and calendar resources that are direct or indirect members of this distribution list. |
| Domain | Applicable to a specific domain, not to any sub-domains. Sub-domains must be explicitly marked as targets. When domain is the target, the rights are granted for all accounts, calendar resources and distribution lists in the domain. |
| Config | Grants specific to global config |
| Global ACL | Administrator rights for all entries in a target type. For example, you could add an ACE to the Global Access Control List (ACL) that grants the right to create accounts on domains. Delegated administrator accounts that are granted this right can create accounts in all domains in the system. |
| Server | Server entry |
| Zimlet | Zimlet entry |
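
The scope rules above can be checked with a small model when reviewing a delegation plan. This is an added example, not Zimbra code: the right names (`createAccount`, `setPassword`), the type labels and the directory data are constructed for illustration, and only the account, calendar resource, distribution list, domain and global scopes are modelled.

```python
# Simplified model of the scope rules described above; not Zimbra's implementation.
# Right names, type labels and directory data are constructed for illustration.

# Target types on which each right is applicable.
APPLICABLE = {
    "createAccount": {"domain"},
    "setPassword": {"account", "calresource"},
}
# Constructed directory: entry -> its domain, and list -> direct members.
ENTRY_DOMAIN = {
    "alice@example.com": "example.com",
    "bob@sub.example.com": "sub.example.com",
}
DL_MEMBERS = {
    "staff@example.com": {"helpdesk@example.com"},
    "helpdesk@example.com": {"alice@example.com"},
}

def dl_contains(dl, entry, seen=frozenset()):
    """True if entry is a direct or indirect member of distribution list dl."""
    if dl in seen:  # guard against membership cycles
        return False
    members = DL_MEMBERS.get(dl, set())
    return entry in members or any(
        dl_contains(m, entry, seen | {dl}) for m in members)

def is_effective(grants, right, entry_type, entry):
    """grants: iterable of (target_type, target_name, right) ACEs."""
    if entry_type not in APPLICABLE.get(right, set()):
        return False  # right does not apply to this kind of entry
    for g_type, g_name, g_right in grants:
        if g_right != right:
            continue
        if g_type == "global":  # global ACL: all entries of the type
            return True
        if g_type == entry_type and g_name == entry:  # grant on the entry itself
            return True
        if entry_type in ("account", "calresource"):
            # Domain scope is an exact match: sub-domains are not included.
            if g_type == "domain" and ENTRY_DOMAIN.get(entry) == g_name:
                return True
            if g_type == "dl" and dl_contains(g_name, entry):
                return True
    return False  # no grant in scope; grants on inapplicable targets fall through
```
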