I couldn't find any documentation on this, so I had to do some digging and some tinkering, and this is what I ended up needing to set up to get this working. We have some users who are specifically assigned to correspond with specific customers (CRMs, basically) but sometimes they go on vacation. When they do, we have requests for other CRMs to get full access to their accounts, temporarily. It also works for executive assistants who are managing things for their bosses.
Here're the rights it appears I need to delegate to make viewMail work *only* for one targeted user:
Code:
Grantee Name | Target Name | Target Type | Right Name
listWithPrivs@example.com | userToBeRead@example.com | account | adminLoginAs
listWithPrivs@example.com | userToBeRead@example.com | account | listAccount
listWithPrivs@example.com | userToBeRead@example.com | account | getAccount
listWithPrivs@example.com | userToBeRead@example.com | account | getAccountInfo
listWithPrivs@example.com | userToBeRead@example.com | account | getAccountMembership
listWithPrivs@example.com | userToBeRead@example.com | account | getMailboxInfo
listWithPrivs@example.com | userToBeRead@example.com | account | viewAccountAdminUI
listWithPrivs@example.com | globalacltarget | global | listDomain
listWithPrivs@example.com | globalacltarget | global | listAccount
And the user has to be an administrator. We also needed to set up the zimbraWebClientAdminReference because we have proxy servers, and the zimbraPublicServiceHostname to make sure the proxy servers were what we got directed back to when clicking the ViewMail button.
It is possible I've given one or two rights extra, but we're under sufficient time constraints that I couldn't just add them one at a time. We have pretty much proven to our satisfaction that they can *only* log in to the targeted user account, and not any others, which is the main concern here. And this way, we have no sharing of passwords.
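As an added example (my own script, not from the post above), here is a small POSIX shell helper that turns the rights table above into reviewable `zmprov` batch commands: one function emits the grants for a single grantee/target pair, one emits the matching revokes for when the vacation ends, and one emits `ckr` (checkRight) lines you can run to confirm the grantee can `adminLoginAs` the intended account and not a second one. Nothing is executed directly; the output is printed so it can be inspected and then piped into `zmprov`. All account names are placeholders, the `zmprov grr`/`rvr` syntax is the documented `{target-type} [{target}] usr {grantee} {right}` form, and the `ckr` argument order is my assumption from `zmprov help`, so verify it on your own release before relying on it.

```shell
#!/bin/sh
# Added example, not the original poster's code. Generates (but does not run)
# zmprov batch lines for delegating viewMail access on one target account.
# Account names and domains below are placeholders.

# Account-scoped rights taken from the post's table.
ACCOUNT_RIGHTS="adminLoginAs listAccount getAccount getAccountInfo \
getAccountMembership getMailboxInfo viewAccountAdminUI"

# Global-scoped rights taken from the post's table.
GLOBAL_RIGHTS="listDomain listAccount"

# gen_viewmail_grants GRANTEE TARGET
# Prints one zmprov command per line: make the grantee a delegated admin,
# then grant each account right on TARGET and each global right.
gen_viewmail_grants() {
    grantee="$1"
    target="$2"
    # The post notes the grantee "has to be an administrator": a delegated admin.
    printf 'ma %s zimbraIsDelegatedAdminAccount TRUE\n' "$grantee"
    for right in $ACCOUNT_RIGHTS; do
        printf 'grr account %s usr %s %s\n' "$target" "$grantee" "$right"
    done
    for right in $GLOBAL_RIGHTS; do
        printf 'grr global usr %s %s\n' "$grantee" "$right"
    done
}

# gen_viewmail_revokes GRANTEE TARGET
# Mirror image of the grants, for removing the temporary access afterwards.
gen_viewmail_revokes() {
    grantee="$1"
    target="$2"
    for right in $ACCOUNT_RIGHTS; do
        printf 'rvr account %s usr %s %s\n' "$target" "$grantee" "$right"
    done
    for right in $GLOBAL_RIGHTS; do
        printf 'rvr global usr %s %s\n' "$grantee" "$right"
    done
    printf 'ma %s zimbraIsDelegatedAdminAccount FALSE\n' "$grantee"
}

# gen_viewmail_checks GRANTEE TARGET OTHER
# Prints checkRight lines: the first should report the right as allowed on
# TARGET, the second should report it as denied on OTHER (an unrelated account).
# Argument order for ckr is assumed here; confirm with "zmprov help right".
gen_viewmail_checks() {
    grantee="$1"
    target="$2"
    other="$3"
    printf 'ckr account %s %s adminLoginAs\n' "$target" "$grantee"
    printf 'ckr account %s %s adminLoginAs\n' "$other" "$grantee"
}

# Usage (review the output first, then feed it to zmprov in batch mode):
#   gen_viewmail_grants listWithPrivs@example.com userToBeRead@example.com
#   gen_viewmail_grants listWithPrivs@example.com userToBeRead@example.com | zmprov
#   gen_viewmail_checks listWithPrivs@example.com userToBeRead@example.com someoneElse@example.com | zmprov
```

Keeping the grant and revoke generators side by side makes the temporary nature of the access explicit: the same table that opens the mailbox for the stand-in is what closes it again, and the `ckr` lines give you the "only the targeted account" check the post describes in a form that can be re-run whenever the grants change.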