ZCS Administrator's Guide Network Edition 6.0, Rev 1



How Delegated Administration Rights are Granted
Delegated administration provides a way to define access control limits on targets and grant rights to administrators to perform tasks on the target.
Selecting Target Types
A target is a ZCS object on which rights can be granted. Each target is associated with a target type that identifies the type of access control entries you can grant on the target. When selecting a target type for a target consider:
Selecting a Target
On which specific target are you granting rights? For example, if the target type you select is “domain”, which domain do you mean? You specify a specific domain’s name (Target Name = example.com), and the ACEs are granted on that target.
Do the Rights Work with the Target Type
Is the right you want to grant applicable to the selected target type? A right can only be applied on the type or types of object that are relevant to the target type.
For example, creating an account can only apply to the domain target type, and setting passwords can only apply to the account and calendar resource target types. If a right is granted on a target type to which it is not applicable, the grant is ignored.
Scope of Rights Across Selected Target Type
When defining rights, you need to consider the scope of targets in which granted rights are effective. Domain targets can include account, calendar resource, and distribution list rights, as well as specific rights on the domain. For example, the right to set the password is applicable only to accounts and calendar resources, but if this right is included in the domain target's list of rights, it is effective for all accounts and calendar resources in the domain.
When a distribution list is the target, the scope of a granted right is:
If the right is applicable to distribution lists, the distribution list and all distribution lists under it.
If the right is applicable to accounts and calendar resources, all accounts and calendar resources that are direct or indirect members of the distribution list.
When a domain is the target, the rights granted can be given for all accounts, calendar resources and distribution lists in the domain. A domain entry is only applicable to that specific domain, not to any sub-domains.
The global ACL is used to grant administrator rights for all entries of a target type. For example, you could add an ACE to the global ACL that grants the right to create accounts on domains.
Delegated administrator accounts that are granted this right can create accounts in all domains in the system.
Rights
Rights are the functions that a delegated administrator can or cannot perform on a named target. Right types can be either system-defined rights or attribute rights.
System-defined rights
Four types of system defined rights can be granted: preset, setAttrs, getAttrs, and combo.
Preset rights (preset) are described as:
Having a predefined, fixed effect on targets. For example, createAccount creates an account; renameDomain renames a domain.
Associated with a fixed target type. For example, createAccount is a right only on a domain; renameAccount is a right on an account; see Server is a right on a server.
Independent of other rights on the same target. No other rights are required to administer that action on the target.
Possibly requires granting rights on multiple targets in order for the right to be valid. If the right involves accessing multiple targets, the grantee needs to have adequate rights on all pertinent targets. For example, to create an alias for an account, the grantee must have rights to add an alias to an account and to create an alias on a domain.
The set attribute (setAttrs) right allows the domain administrator to modify and view an attribute value. For example, the modifyAccount right would allow the domain administrator to modify all attributes of the account.
Get attribute rights (getAttrs) lets the domain administrator view an attribute value. For example, the getAccount right would show all the attributes for a user’s account.
A combo right is a right that contains other rights. Combo rights can be assigned to any target type. You can use combo rights to grant multiple attribute rights quickly on targets.
System rights are listed and described in the Rights folder in the administration console Overview pane.
You can use the Rights folder to help you define which system-defined rights to grant to delegated administrators. This folder displays the name of the right, the target types associated with that right, the right type and a brief description.
System-Defined Rights List on Administration Console
When you select a right on the page and click on it, another page displays more information.
Detailed View of Combo Rights
System-defined rights can be granted as positive or negative rights. This lets you negate some rights from a combo right, or some attributes from the other system-defined rights.
Attribute Right
An attribute right is specific to a defined attribute. Granting rights at the attribute level allows a delegated administrator or administrator group to modify or view (or be denied modifying or viewing) a specific attribute on a target.
The specific attribute being granted is configured on the target and the type of permission, read (get) or write (set), is specified. To create an ACE based on an attribute right:
Note: If you want to see a list of all the attributes, use the zmprov desc CLI. Note that this list contains attributes that cannot be granted as rights.
The example below adds the right to view the status of accounts on a domain.
Attribute rights can be granted in any combination of attributes to grant positive or negative rights. This lets you negate some attributes from a grant.
Positive or Negative Rights
Rights can be either positive or negative. Negative rights are rights specifically denied to a grantee. The purpose of a negative right is to partially negate rights granted to a wider scope of grantees or granted on a wider scope of targets. For example, delegated admin1 has been granted the right to view all accounts, except for the CEO and CFO accounts. The right to view these two accounts would be granted as negative rights.
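The scope rules above (a grant on a domain reaches its accounts, a grant on a distribution list reaches its members, the global ACL reaches every entry of a type, sub-domains are not covered), the rule that a right granted on an inapplicable target type is ignored, and the CEO/CFO negative-right example can be modelled in a few lines. The following is an added illustration, not Zimbra's implementation or CLI: the right names follow this page ("viewAccount" is an assumed name for the "view accounts" right), the resolution order (most specific target first, negative beats positive at the same target) is a simplification, and the ACL data is constructed.

```python
from collections import namedtuple

# One access control entry (ACE): where it is granted, to whom, which right, allow/deny.
Grant = namedtuple("Grant", "target_type target_name grantee right allowed")

# Target types each right applies to, taken from the page's examples.
RIGHT_TARGET_TYPES = {
    "createAccount": {"domain"},
    "setPassword": {"account", "calresource"},
    "viewAccount": {"account"},   # assumed name for the "view accounts" right
}

def dls_containing(name, dl_members):
    """Distribution lists `name` belongs to: direct memberships first, then nested ones."""
    found, frontier = [], [name]
    while frontier:
        nxt = [dl for dl, m in dl_members.items()
               if any(n in m for n in frontier) and dl not in found]
        found += nxt
        frontier = nxt
    return found

def target_chain(target_type, name, dl_members):
    """Targets whose grants reach this entry, most specific first: the entry itself,
    lists it is a member of, its domain, then the global ACL. A domain target never
    inherits from a parent domain, so sub-domains are not covered."""
    chain = [(target_type, name)]
    if target_type in ("account", "calresource", "dl"):
        chain += [("dl", dl) for dl in dls_containing(name, dl_members)]
        chain.append(("domain", name.split("@", 1)[1]))
    chain.append(("global", "*"))
    return chain

def check_right(grants, grantee, target_type, name, right, dl_members=None):
    """True if grantee effectively holds `right` on the target. A right that does not
    apply to the target type is never effective (such grants are ignored); otherwise the
    most specific target with a matching grant decides, and there a negative beats a positive."""
    if target_type not in RIGHT_TARGET_TYPES.get(right, set()):
        return False
    for t_type, t_name in target_chain(target_type, name, dl_members or {}):
        hits = [g for g in grants if (g.target_type, g.target_name, g.grantee, g.right)
                == (t_type, t_name, grantee, right)]
        if hits:
            return all(g.allowed for g in hits)
    return False

GRANTS = [  # constructed sample ACL mirroring the page's examples
    Grant("domain", "example.com", "admin1", "viewAccount", True),        # every account in domain
    Grant("account", "ceo@example.com", "admin1", "viewAccount", False),  # negative right
    Grant("account", "cfo@example.com", "admin1", "viewAccount", False),  # negative right
    Grant("global", "*", "admin2", "createAccount", True),                # global ACL: all domains
    Grant("dl", "support@example.com", "admin3", "setPassword", True),    # reaches list members
    Grant("account", "alice@example.com", "admin3", "createAccount", True),  # inapplicable: ignored
]
DL_MEMBERS = {"support@example.com": {"tier2@example.com"}, "tier2@example.com": {"bob@example.com"}}
```

With this data, admin1 can view alice@example.com but not ceo@example.com, admin2 can create accounts on any domain, and admin3 can set bob's password through the nested list membership.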

Copyright © 2009 Zimbra Inc.