Thread: Rights delegation for users

  1. #1
    juniper

    Rights delegation for users

    With the Zimbra 6.0 administrative rights delegation, I was hoping a problem we were working on had been solved, namely the ability to give users the ability to log into *specific* other user accounts without sharing a password. (We have some shared accounts that previously had shared passwords that had to be changed when a user left the company.)

    Thus far, I've been able to successfully give a user:
    * account list view (and the ability to log in to the administration console)
    * adminLoginAs

    But they are currently unable to *see* the account, so they can't get the View Mail button.

    What privilege am I missing? I went digging through the Delegated Administration chapter of the Admin Guide 6.0, and it implied that those were the only privs I needed to give, but the example I was following was for a Domain Admin, which isn't what I'm after at all.

  2. #2
    juniper

    Answer: Rights delegation for individual users to read mailboxes

    I couldn't find any documentation on this, so I had to do some digging and some tinkering, and this is what I ended up needing to set up to get this working. We have some users who are specifically assigned to correspond with specific customers (CRMs, basically) but sometimes they go on vacation. When they do, we have requests for other CRMs to get full access to their accounts, temporarily. It also works for executive assistants who are managing things for their bosses.

    Here're the rights it appears I need to delegate to make viewMail work *only* for one targeted user:

    Code:
    Grantee Name              | Target Name              | Target Type | Right Name
    listWithPrivs@example.com | userToBeRead@example.com | account     | adminLoginAs
    listWithPrivs@example.com | userToBeRead@example.com | account     | listAccount
    listWithPrivs@example.com | userToBeRead@example.com | account     | getAccount
    listWithPrivs@example.com | userToBeRead@example.com | account     | getAccountInfo
    listWithPrivs@example.com | userToBeRead@example.com | account     | getAccountMembership
    listWithPrivs@example.com | userToBeRead@example.com | account     | getMailboxInfo
    listWithPrivs@example.com | userToBeRead@example.com | account     | viewAccountAdminUI
    listWithPrivs@example.com | globalacltarget          | global      | listDomain
    listWithPrivs@example.com | globalacltarget          | global      | listAccount

    And the user has to be an administrator. We also needed to set up the zimbraWebClientAdminReference because we have proxy servers, and the zimbraPublicServiceHostname to make sure the proxy servers were what we got directed back to when clicking the ViewMail button.

    It is possible I've given one or two rights extra, but we're under sufficient time constraints that I couldn't just add them one at a time. We have pretty much proven to our satisfaction that they can *only* log in to the targeted user account, and not any others, which is the main concern here. And this way, we have no sharing of passwords.
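
An added example, not from the original post: a dry-run script that turns the rights table above into `zmprov grantRight` commands and refuses any row that would put `adminLoginAs` on a target wider than a single account. It assumes the grantee is a distribution list (grantee type `grp`); the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example: dry run only. Prints zmprov commands, executes nothing.

# Constructed input: the rights table from the post, in its own format.
GRANTS='Grantee Name | Target Name | Target Type | Right Name
listWithPrivs@example.com | userToBeRead@example.com | account | adminLoginAs
listWithPrivs@example.com | userToBeRead@example.com | account | listAccount
listWithPrivs@example.com | userToBeRead@example.com | account | getAccount
listWithPrivs@example.com | userToBeRead@example.com | account | getAccountInfo
listWithPrivs@example.com | userToBeRead@example.com | account | getAccountMembership
listWithPrivs@example.com | userToBeRead@example.com | account | getMailboxInfo
listWithPrivs@example.com | userToBeRead@example.com | account | viewAccountAdminUI
listWithPrivs@example.com | globalacltarget | global | listDomain
listWithPrivs@example.com | globalacltarget | global | listAccount'

# Assumption: the grantee is a distribution list. Use "usr" for one user.
GRANTEE_TYPE=grp

# gen_grants TABLE: print one "zmprov grantRight" line per row.
# Exit status is 1 if any row asks for adminLoginAs on a non-account target,
# which would allow logging in to more than the one intended mailbox.
gen_grants() {
    printf '%s\n' "$1" | awk -F'|' -v gt="$GRANTEE_TYPE" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN { bad = 0 }
        NF != 4 { next }                          # blank or malformed row
        {
            grantee = trim($1); target = trim($2)
            ttype = trim($3);   right = trim($4)
            if (ttype == "Target Type") next      # header row
            if (right == "adminLoginAs" && ttype != "account") {
                print "refused: adminLoginAs on " ttype " target" > "/dev/stderr"
                bad = 1; next
            }
            if (ttype == "global")                # global grants take no target name
                print "zmprov grantRight global", gt, grantee, right
            else
                print "zmprov grantRight", ttype, target, gt, grantee, right
        }
        END { exit bad }'
}

gen_grants "$GRANTS"
```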
