[SOLVED] Privacy and publishing free/busy

[ewilen]

I brought this up in a thread in another subforum (View just free busy as calendar?) but I'm afraid it might be buried there.

Basically it seems there are two ways to share your availability info with an external user. The first is to right-click on your calendar and share it through the dialog box. This lets the other party access your full calendar details, available in .html and .ics format.

The second way is to just point people to http://<zimbra_server_name>/home/<username>?fmt=freebusy This shows a monthly view of the start times when you're busy. Optionally you can terminate the URL with ?view=week&fmt=freebusy to see blocked out free/busy times for the week. Or you can terminate the URL with ?fmt=ifb to get .ifb format, usable by Outlook.

There are two problems with this. First, unless I'm mistaken, there's no way to restrict unauthenticated external access to free/busy on either a domainwide basis or account-by-account. On the surface it seems there's not a whole lot an outsider could do if they have access to your free/busy, but it still strikes me as something over which administrators and users would like to have control.

Second, assuming one were somehow to turn off external public access to free/busy, there's no facility, when sharing your calendar with an external user, to limit them to just your free/busy information.

This is really what I would like to be able to offer. An acceptable interim solution might be to just protect public free/busy with a common username/password. That way I could at least keep snooping strangers out while giving users a way to tell their colleagues how to access their F/B.

Is this already planned as an enhancement or should I file a bug report/RFE?

[ewilen]

Since no one has followed up in this thread, I've created Bug 35164 - greater control is needed over sharing calendar details and free/busy in bugzilla.

[ewilen]

My bug got marked as a duplicate of Bug 22913 - Access control for free busy and resources (ie permission to invite) and a related bug I filed was marked as a duplicate of Bug 34675 - empty "allow these users to invite me to meetings" field does not restrict scheduling

Between the information in these and some correspondence, I believe I've found the beginnings of a workaround, using zmmailbox.

The CLI command to prevent public access to free/busy for a given account is

zmmailbox -z -m <accountname> grp all viewFreeBusy

In theory this invisibly populates the "whitelist" found in Preferences>Calendar>Permissions, allowing access to free/busy for everyone on ZCS, while implicitly excluding public access.

However when I tried this I ran into some difficulties which I've described in greater length in Bug #22913, comment #104. Suffice it to say here that when I tried it under ZCS 5.0.12, I got an error until I first created a dummy entry within the GUI permissions, using the account itself as the entry. So if the account is username@zimbra.company.com, I go to Preferences>Calendar>Permissions and enter username@company.calendar.com in the Free/Busy permissions field. Then after saving Preferences, I execute the above CLI command.

There may be a simpler way of doing this purely via the CLI (thus opening the way to scripting), or the bug may already be fixed in code that hasn't yet been released.

[ewilen]

Quick followup: the issue in comment #104 turned out to be my error, but there are still issues with using the CLI which I brought up further down in the bugzilla entry.

At the same time, work has been reported under bug 34675 indicating that the web client permissions are being redesigned to make all of this easier for users to control.

I'm going to go ahead and mark this "solved" under the assumption that the remaining CLI issues can be worked around and the web client work will provide adequate user control once ZCS 5.0.14 comes out. (I'm running 5.0.12 right now.)