ZCS Administrator's Guide 8.0.4
ZCS Administrator's Guide 8.0.4
Network Edition

Delegated Administration > Creating Delegated Administrator Roles

Creating Delegated Administrator Roles
Manage multiple domains
To have one domain administrator manage more than one domain, you assign the rights to manage individual domains to the administrator account or administrator group.
For example, to set up domanadministrator1@example.com to manage domainexample1 and domainexample2.com. Create a new administrator account on one of the domains to be managed.
For Right Name type, adminConsoleAccountRights. Is Positive Right should be selected.
Click Add and More
The Add ACE page displays again and the Right Name field is empty. Type, adminConsoleDLRights and click Add and More.
After the last right, click Add and Finish. The Configure the Grants dialog displays these rights associated with the target domain. If you are adding another domain to manage, click Add and More. Repeat Step 4. If not, click Finish.
Manage Distribution Lists
To assign a user to manage a distribution list, you create a distribution list and enable Admin Group, select the view, grant the distribution list rights, add the user to the list and make that user an administrator.
Go to the Admin Views page and check Distribution List View so the admin can view the distribution list.
Click Save.
In the Configure Grants page, add the following rights.
Change Passwords
To create delegated administrators who only change passwords, you create the admin or admin group, select the views and grant the taskSetPassword combo right.
Account List view to be able to select accounts to change passwords
Alias List view to be able to find users who use an alias instead of account name.
View Mail Access Right
View Mail access right can be granted on accounts, domains, and distribution lists.
*To deny the View Mail right on the target, check the box for Is Negative Right (Deny)
To prevent administrators from viewing an account with a domain or distribution list, assign the Is Negative Right to the account.
Manage Class of Service Assigned to Users
You can expand the domain administrator role to be able to view and change the class of service (COS) assigned to a user. To add the rights to manage the COS for a domain, add the following rights to the domain administrator account or domain administrator admin group.
Add the System Defined Rights to each COS in the domain.
Verb: Write
Manage Cross Mailbox Search
This role creates a delegated administrator role that can run the Search Mail tool to search mail archives or live mail for accounts. This also allows the administrator to create, abort, delete, purge or get status of a cross mailbox search request.
For full functionality, this role includes the ability to create new accounts so that the admin can create the target mailbox to receive the search results. If you do not want this role to have the ability to create accounts, grant the following negative right as well.
*To deny the Create Account right on the target, check the box for Is Negative Right (Deny)
If you want this admin to also view the target mailbox with the results of the cross mailbox search, grant the right to view that mailbox only.
Manage Zimlets
This role creates a delegated administrator role that can create, deploy and view Zimlets.
Manage Resources
This role creates a delegated administrator that can create and manage resources.
Access to the Saved Searches
This role creates a delegated administrator that can access all the searches saved in the administration console Navigation pane, Search section.
Access to the Server Status Pages
This role creates a delegated administrator that can access the Server Status page. In addition to granting this right, you must also select the Admin View, Global Server Status View.
Accounts that are configured as global administrator accounts cannot be granted ACLs. Global administrator accounts automatically have full rights on ZCS. If an ACL is added to a global administrator account, it is ignored. If a delegated administrator account is changed to a global administrator account, any ACLs associated with the account are ignored.
Copyright © 2013 VMware Inc.