Delegated Admin Provisioning: What Is It?
The collection of actions known as “Delegated Admin Provisioning” enables you to give, update, and cancel a user’s Domain Admin permissions.
You can carry out each Delegated Admin Provisioning operation:
- from the Administration Zimlet’s Zextras Admin page.
- executing the relevant zxsuite command under the zimbra user from the CLI
Giving a User Delegated Administrator Rights Through the Administration Zimlet
Click the Add button in the Delegated Admins section of the Zextras Admin tab in the Administration Zimlet.
You will be asked to provide the following details:
- Account: The email account to whom Delegated Admin access should be granted.
- Domain: The domain that will be under the Delegated Admin’s management.
- Check this box if you want the Delegated Admin to be able to access any mailbox in the chosen domain and utilise the View Mail functionality.
- Maximum mailbox allocation that this Delegated Admin may give a user.
- Whether the Delegated Admin is permitted to alter the information on the Features page for the assigned users is determined by the alter Features setting.
Using the CLI
Use the doAddDelegationSettings command to provide a user Delegated Admin privileges.
Editing a Delegated Admin’s Existing Rights
Extracted from the Administration Zimlet
Select one entry in the list and click the Edit button in the Delegated Admins section of the Zextras Admin tab in the Administration Zimlet.
Additionally, you may change a list item by double clicking on it.
Using the CLI
Use the doEditDelegationSettings command to change an existing Delegated Admin’s privileges.
Removing a User’s Delegated Admin Rights from the Administration Zimlet
Select one entry from the list in the Delegated Admins area of the Zextras Admin Tab in the Administration Zimlet, and then click the Delete button.
Using the CLI
Use the doRemoveDelegationSettings command to remove a user’s Delegated Admin privileges:
Limit Management
Quota Management: What Is It?
The Grant Limit and the Domain Quota are two separate types of quota limitations that may be set by the Global Administrator using Zextras Admin.
A Delegated Admin may award any quota to a user, and a domain may not have a maximum quota limit because neither the Domain Quota nor the award Limit are required.
The Grant Cap
One of a Delegated Admin’s attributes is the Grant Limit.
It may be set and modified in the Delegated Admin’s settings and describes the maximum mailbox quota that the Delegated Admin can provide to a mailbox.
There are three possibilities:
- None: The mailbox’s quota property cannot be changed by the Delegated Admin.
- Custom: The Delegated Admin may grant permissions up to the given amount. Any domain/COS quota settings are overridden by this.
- Unlimited: The mailbox may receive any quota from the Delegated Admin. Any domain/COS quota settings are overridden by this.
Using the Domain Quota
The maximum mailbox quota that any Administrator may allot to a mailbox in the domain is specified by the domain attribute known as “Domain Quota.”
Domain Quota vs. Grant Limit
On a restricted basis, the features of the Grant Limit and Domain Quota are mutually incompatible.
This implies that the following situations might take place:
- A user is given a quota that is more than the permitted Domain Quota by a Global Admin.
- The effective quota for the user will be the highest quota permitted by the Domain Quota setting since the Domain Quota applies to a specific domain rather than a specific Admin.
- A user is given a quota by a Delegated Admin that is more than the permitted Domain Quota.
In this situation, even if the Delegated Admin’s Grant Limit is more than the Domain Quota, the effective quota for the user will be the highest quota permitted by the Domain Quota setting.
A user is given a quota by a Delegated Admin that is more than the permitted Domain Quota.
In this situation, even if the Delegated Admin’s Grant Limit is more than the Domain Quota, the effective quota for the user will be the highest quota permitted by the Domain Quota setting.
The Domain Quota exceeds the Grant Limit for a Delegated Admin.
In this scenario, even if the Domain Quota is larger, the maximum quota that the Delegated Admin may award to a user will be the one determined by the award Limit. Up to the amount permitted by the Domain Quota, a Global Admin, who is not constrained by any Grant Limit restrictions, is free to assign any mailbox quota to the user.
Domain Capacity
What is Domain Settings (also known as Domain Limit Management)?
The Zextras Admin module has a function called Domain Limit Management. It enables a Global Administrator to impose domain-level restrictions that no other Administrators are permitted to exceed.
A domain limit may only be exceeded by changing the domain limit itself.
Domain Caps: The maximum number of accounts that may be established on this domain is called the global account limit.
The largest mailbox quota that any administrator may allot to a domain mailbox is known as the domain quota.
COS Limits: Specify the Classes of Service that users within the domain may use as well as the maximum number of users permitted for each Class of Service.
From the Administration Zimlet, Change a Domain’s Limits
The Domain Settings list on the Zextras Admin tab of the Administration Zimlet contains a list of every domain in the Zimbra infrastructure.
Select the domain from the list of domain settings, then click the alter button to alter the domain’s limitations.
Using the CLI
Use the setDomainSettings command in the CLI to modify a domain’s boundaries.
From the Administration Zimlet, Reset a Domain’s Capacity
The Domain Settings list on the Zextras Admin tab of the Administration Zimlet contains a list of every domain in the Zimbra infrastructure.
pick the domain from the list of domain settings, click the Reset button, and then pick OK from the confirmation pop-up to reset the domain’s limitations.
Using the CLI
Use the resetDomainSettings command in the CLI to reset a Domain’s boundaries:
Accessing the Zimbra Administration Console as a Delegated Admin for Zimbra Administration
Connect to port 7071 of your mailserver using a web browser, then log in using your Zimbra credentials to access the Zimbra Administration Console.
For instance, https://mail.example.com:7071
Table of Delegated Admin Can and Can’ts
Here is a brief reference list of what a Delegated Admin with the Zextras Admin module CAN and CAN’T accomplish.
Overview for Delegated Admins of the Zimbra Administration Console Manage:
- Manage the accounts for any domain for which you have been granted delegated admin permissions.
Manage the aliases for any domain for which you have been granted delegated admin capabilities.
Distribution Lists: In any domain for which delegated admin permissions have been given, manage the Distribution Lists that belong to that domain.
Manage the resources for any domain for which you have been granted delegated admin permissions.
- View any domain’s setup for which delegated admin permissions have been granted by configuring it.
- Search: Execute sophisticated searches.
- Suite Zextras
- Zextras Mobile: Control how clients and mobile devices from any domain for which delegated admin permissions have been given are synced.
Zextras Admin: View the list of Delegated Admins belonging to any domain for whom Delegated Admin powers have been given, together with information on quota consumption.
Search using the search bar quickly.
Log out of the Zimbra Administration Console, [username].
What is Delegated Admin Log Browsing and how does it work?
Through a search-based graphical log viewer, the Zextras Admin enables a Global Admin to effortlessly keep track of all Admins’ activity.
The Admin Log Browser for Zextras
Clicking Browse Logs on the Administration Zimlet’s Zextras Admin tab will take you to the Zextras Admin Log Browser. You may add certain filters to the logs you want to browse using the Filter Log pop-up dialogue, which will then open.
The filters that are available are:
- simple filters
- Admin: Filter the logs so that only actions taken by a particular Domain Admin are visible.
Filter the logs so that you can only see one specific activity. The options are shown below.
superior filters
Client IP: Limits the actions recorded in the logs to those coming from a certain IP address.
Display Logins If you want to display when domain administrators access the Zimbra Web Client as well, select this option.
Results: Filters the logs to display just successful or unsuccessful operations, or all operations.
Start and End: Restricts the time range for which the logs are displayed (by default, the current day).
The specified filters will be applied when you click the Details button, and the log browser will appear.
Using the Action filter
In the Action filter’s drop-down menu, every action an Administrator may do is listed.
For the purposes of tracking your admin’s activities and troubleshooting problems, all of these steps are crucial.
- All ZWC authentications are accepted.
- DelegateAuth: Any delegated authentications made using the -z option of the zmmailbox command or the View Mail button.
- CreateAccount: All new accounts.
- DeleteAccount: Any account erasures.
- Set Password: All changes to the mailbox password.
- RemoveAccountAlias: Elimination of all aliases.
- DeleteDistributionList: All removals from distribution lists.
- Information and Reports Zextras Admin Monthly Reports
- A highly helpful Monthly Reports feature that is part of the Zextras Admin module lets Global Administrators monitor both Delegated Admin activities and domain status for a certain month.
- What is the operation of the Monthly Report system?
- The Zextras Admin module automatically generates a report on the first of every month using the information found in the Zextras Admin Log.
- Included in this monthly report are:
How to Use the Administration Zimlet to Access the Monthly Reports
The Monthly Reports are available here:
- As a Global Admin, log into the Zimbra Administration Console.
- Click the Monthly Reports button in the top-right corner of the page on the Zextras Admin tab of the Administration Zimlet.
- Click Show Report after selecting the month you want to view.
Using the CLI
Use the getMonthlyReport command in the CLI to view the monthly reports.
How to Use the Administration Zimlet to Access the Monthly Reports
The Monthly Reports are available here:
Uncompleted Reports
Use the doMonthlyReport command to generate a partial report for the current month.
The path of the Zextras admin log
The Zextras Admin Module keeps the monthly reports in a path inside the /opt/zimbra/conf/ folder (by default /opt/zimbra/conf/zextras/zxadmin/), along with the logs needed to create the monthly reports and to give information through the Admin Log Browser feature. Because it is the only directory that CANNOT be removed during a Zimbra upgrade, this specific default path has been selected.
Path and Contents of the Zextras Admin Log
The following files are located in the flat directory that makes up the Zextras Admin log path:
- one or more YYYY_MM files that include the logs for the month that the file bears its name.
- The monthly report for the file’s name-bearing month is included in 0 or more YYYY_MM.report files.
- There are zero or more YYYY_MM.X files that contain incomplete logs for the month the file is named after. When the Zextras Admin Log Path is changed, these files are generated.
Zextras Admin Log Path Modification
- Use these procedures to securely alter the Zextras Admin Log Path:
- Make the folder where the logs will be kept:
- The ownership of the folder must be zimbra:zimbra.
- The folder has to be accessible to the ‘zimbra’ user with read and write privileges.
- A blank folder is required.
- As a Global Admin, log into the Zimbra Administration Console.
- In the Administration Zimlet, select the Zextras Admin tab.
- Click the Change button next to the line for the Admin Log Path in the Basic Module Configuration section.
- Click Change Path after entering the new path.
- Move the whole contents of the old log path if there are no errors visible.
- The current log file will be given the.1 extension to designate it as a partial, therefore it’s completely normal to just see.report and.X files in the previous log directory. Any earlier.X files will have a 1. increase in their extension number.
Reset Configuration
The Zextras Admin Configuration Reset: What is It?
One can entirely delete all delegation permissions from the server using the free Zextras Admin Configuration Reset function of the Zextras Admin module.
This is not a rollback feature that clears the settings of the Zextras Admin module. Both Zextras Admin and Zimbra delegation permissions will be impacted by resetting the admin configuration.
What is cleared by the Admin Configuration Reset?
The following configurations are removed by the admin configuration reset:
All accounts on the server’s isDelegatedAdmin account property
Each and every Access Control List and Entry for
- Users
- Domains
- categories of services
- regional setting
- Configuring the server
- Zimlets
The Admin Config Reset should I use it when?
Only the following circumstances warrant using the admin configuration reset:
- to fully restore a precarious condition
- Use the Admin Configuration Reset as a last resort if incorrect ACL or ACE settings are the root cause of your Zimbra Administration Console’s instability or improper presentation (e.g., showing a blank page or lacking one or more UI components).
Even if there isn’t a current Zextras Suite licence, the reset option is still accessible. Keep in mind that this will also remove any Delegation settings that were manually specified.
The Admin Configuration Reset: How Do I Use It?
Simply execute the following CLI command if you truly wish to reset the Admin Delegation configuration:
doDeleteAllDelegatedRights in zxsuite core
To prevent any unintentional usage of the command, you will be prompted to provide a confirmation string.
CLI for Zextras Admin
The index of all zxsuite admin commands may be found in this section. Full documentation is available in the area specifically devoted to ZxAdmin CLI Commands.
doEditDelegationSettings, doExportQuota, doAddDelegationSettingsHistory dmAdminmigrate dmMonthlyReport dmRemoveDelegationSettings dmRepair dmRestart dmSetZimletRights doStartService, doShowAdminActivity, doStopAllOperations, doStopOperation, and doStopService getAllOperations getDelegationSettings obtain Domain Settings obtain Monthly Report getProperty reset Services monitorsetDomainSettings setProperty Domain Settings