Delegated Admin Provisioning Zextras Admin

By adminUncategorized
What exactly is Delegated Administration Provisioning?

The collection of actions that allows you to give, update, and remove Domain Admin access to a user is known as Delegated Admin Provisioning.

All Delegated Admin Provisioning procedures are available

  • The Administration Zimlet’s Zextras Admin tab
  • Running the required zxsuite command as the zimbra user from the CLI
Giving a User Delegated Admin Rights

Zimlet from the Administration

Click the Add button in the Delegated Admins section of the Zextras Admin tab in the Administration Zimlet.

You will be asked to provide the following information:

  • Account: The email account to whom Delegated Admin access should be granted.
  • Domain: The domain over which the Delegated Administrator will have authority
  • Check this box to grant the Delegated Admin access to the View Mail functionalities on any mailbox in the chosen domain.
  • The maximum mailbox quota that this Delegated Admin can assign to a user.
  • Edit Features: This option specifies whether the Delegated Admin may change the contents of the Features page for its assigned users.

According to the CLI

To provide a user Delegated Admin permissions, use the doAddDelegationSettings command.

Changing the Rights of an Existing Delegated Administrator

Zimlet from the Administration

Select an entry from the list in the Delegated Admins section of the Zextras Admin tab in the Administration Zimlet and click the Edit button.

You may also modify an entry in the list by double clicking it.

According to the CLI

Use the doEditDelegationSettings command to modify the rights of an existing Delegated Admin.

Management of Quotas

What exactly is quota management?

The Global Administrator can use Zextras Admin to define two types of quota limits: the Grant Limit and the Domain Quota.

Because neither the Domain Quota nor the award Limit are required, a Delegated Admin can award any quota to a user and a domain can have no maximum quota limit.

The Grant Capacity

A Delegated Admin’s Grant Limit is one of its attributes.

It indicates the maximum mailbox quota that the Delegated Admin can provide to a mailbox and is configurable in the Delegated Admin’s settings.

There are three options:

  • None: The Delegated Admin cannot change a mailbox’s Quota property.
  • Custom: The Delegated Admin has the ability to grant up to the given value. This takes precedence over any domain/COS quota settings.
  • Unlimited: The mailbox can be assigned any quota by the Delegated Admin. This takes precedence over any domain/COS quota settings.
The Domain Limit
give Limit versus Domain Quota is a property that determines the maximum mailbox quota that any Administrator can give to a mailbox in the domain.
On a restricted basis, the Grant Limit and Domain Quota attributes are mutually exclusive.

This implies that the following possibilities are possible:
  • A Global Admin provides a user a quota that is more than the Domain Quota.
  • Because the Domain Quota applies to a specific domain rather than a specific Admin, the effective quota for the user will be the maximum allowed by the Domain Quota setting.
  • A Delegated Admin provides a user a quota that is more than the Domain Quota.
  • Even if the Delegated Admin’s Grant Limit is more than the Domain limit, the effective limit for the user will be the maximum quota permitted by the Domain Quota setting.
  • The Grant Limit of a Delegated Admin is less than the Domain Quota.
In this situation, even though the Domain Quota is larger, the highest quota that the Delegated Admin can award to a user is the one indicated by the award Limit. A Global Admin who is not constrained by any Grant Limit limitation will be able to allocate any mailbox quota to the user up to the Domain Quota limit.
Domain Restrictions
What exactly is Domain Limit Management (also known as Domain Settings)?
The Zextras Admin module includes Domain Limit Management. It enables a Global Administrator to set domain-level limitations that no Administrator may violate.

The only method to go over a Domain Limit is to modify the Domain Limit.
Domain Restrictions
  • The maximum number of accounts that may be established on this domain is known as the global account limit.
  • Domain Quota: The maximum mailbox quota that any Administrator can assign to a domain mailbox.
  • COS Limits: Specify which Classes of Service are available to domain users and the maximum number of users per Class of Service.
Edit Domain Limits from the Administration Zimlet

All domains in the Zimbra infrastructure are included in the Domain Settings list in the Administration Zimlet’s Zextras Admin page.

To change the domain restrictions, choose the domain from the Domain Settings list and click the Edit option.

According to the CLI

The setDomainSettings command is used to edit the domain restrictions via the CLI.

Reset Domain Limits from the Administration Zimlet

All domains in the Zimbra infrastructure are included in the Domain Settings list in the Administration Zimlet’s Zextras Admin page.

To reset a domain’s limitations, pick it from the Domain Settings list and hit the Reset button, then OK in the confirmation pop-up.

According to the CLI

To reset a Domain’s limitations using the CLI, use the resetDomainSettings command:

Accessing the Zimbra Administration Console as a Delegated Admin Zimbra Administration as a Delegated Admin

To access the Zimbra Administration Console, use a web browser to connect to port 7071 of your mailserver and login using your Zimbra credentials.

For example, https://mail.example.com:7071

Admin Delegated CAN and CAN’T Table

Here’s a short rundown of what a Delegated Admin CAN and CAN’T accomplish using the Zextras Admin module.

Manage: Overview of the Zimbra Administration Console for Delegated Admins

  • Accounts: Manage any domain’s accounts for whom delegated admin permissions have been granted.
  • Aliases: Manage Aliases for any domain account for which delegated admin permissions have been granted.
  • Distribution Lists: Manage the Distribution Lists for any domain that has been assigned admin permissions.
  • Manage the Resources for any domain for which delegated admin permissions have been given.
  • View the settings of any domain for which delegated administrative powers have been given.
  • Search: Conduct sophisticated searches.
  • The Zextras Suite
  • Zextras Mobile: Manage the synchronisation of mobile devices and clients from any domain where admin privileges have been delegated.
  • “Zextras Admin: View the list of Delegated Admins for any domain that has been granted delegated admin rights, as well as quota usage information.”
  • Search Bar: Use this to do fast searches.

Log out of the Zimbra Administration Console, [username].

Delegated Admin Log Browsing Describe Delegated Admin Log Browsing

A Global Admin may simply keep track of all Admins’ activity using the Zextras Admin’s search-based graphical log viewer.

The Admin Log Browser for Zextras

The Zextras Admin Log Browser may be accessed by selecting Browse Logs on the Administration Zimlet’s Zextras Admin tab. The Filter Log dialogue box will appear, allowing you to apply filters to the logs you want to view.

The following filters are available:

  • Fundamental filters
  • Admin: Filter the logs so that only operations conducted by a particular Domain Admin are displayed.
  • Filter the logs to only show one specific activity. The possible actions are shown below.
  • Filters for advanced users
  • Client IP: Filters logs to display only activities conducted from a certain IP address.
  • Display Logins: Select this option to display when Domain Administrators log in to the Zimbra Web Client.
  • The result is that the logs are filtered to reveal either all operations, successful operations, or unsuccessful operations.
  • Start and End: Limits the logs displayed to a given time period (the default is the current day).
  • When you click the Details button, the specified filters are applied and the log browser is displayed.
The filter for Action

Any action that an Administrator may do is accessible in the Action filter’s drop-down menu.
All of these processes are necessary to keep track of your administrator’s activity and address problems.
  • All ZWC authentications are handled by Auth.
  • DelegateAuth: All Delegated Authentications, which may be accessed using the View Mail button or the -z option of the zmmailbox command.
  • All account creations are handled by CreateAccount.
  • DeleteAccount: Deletes all accounts.
  • Set Password: Changes the password for all mailboxes.
  • RemoveAccountAlias: Deletes all aliases.
  • DeleteDistributionList: Deletes all distribution lists.
Zextras Admin Monthly Reports Reports and Information
The Zextras Admin module features a highly handy Monthly Reports feature that allows Global Administrators to keep track of Delegated Admin actions as well as domain status for a given month.

How does the Monthly Report system function?
The Zextras Admin module generates a report based on the data collected in the Zextras Admin Log on the first of each month.
How to Use the Administration Zimlet to Get Monthly Reports
To view the Monthly Reports, go to:
  • Log in as a Global Admin to the Zimbra Administration Console.
  • Click the Monthly Reports button in the top-right corner of the Administration Zimlet’s Zextras Admin tab.
  • Choose the month you want to view and then click Show Report.
According to the CLI
Use the getMonthlyReport command to view the Monthly Reports from the CLI.
Reports in Parts
Use the doMonthlyReport command to generate a partial report for the current month.
The Path to the Zextras Admin Log
All monthly reports, as well as the logs needed to build the Monthly reports and offer information via the Admin Log Browser feature, are stored on a path within the /opt/zimbra/conf/ folder (default /opt/zimbra/conf/zextras/zxadmin/). This default route was chosen since it is the only one that CANNOT be erased after a Zimbra upgrade.

The Path Structure and Contents of the Zextras Admin Log
The Zextras Admin log path consists of a single directory that contains the following files:
One or more YYYY_MM files containing logs for the month named in the file.

0 or more YYYY_MM.report files carrying the monthly report for the month named in the file.

Zero or more YYYY_MM.X files holding incomplete logs for the month named in the file. When the Zextras Admin Log Path is changed, these files are produced.

Changing the Path of the Zextras Admin Log
To update the Zextras Admin Log Path securely, follow these steps:

Make the following folder to hold the logs:
  • The folder must be owned by zimbra:zimbra.
  • The ‘zimbra’ user must be granted read and write access to the folder.
  • The folder must be completely empty.
  • Log in as a Global Admin to the Zimbra Administration Console.
  • In the Administration Zimlet, navigate to the Zextras Admin tab.
  • Click the Change button near the Admin Log Path line in the Basic Module Configuration section.
  • Enter the new route and press the Change route button.
  • If no errors are displayed, copy the whole contents of the previous log path.
  • Enter the new route and press the Change route button.
  • If no errors are displayed, copy the whole contents of the previous log path.
  • It’s usual to only see.report and.X files in the previous log directory, because the current log file will be given the.1 suffix to indicate that it’s a partial. The extension number of any previous.X files will be incremented by one.
Reset Configuration
What exactly is a Zextras Admin Configuration Reset?
The Zextras Admin Configuration Reset is a free Zextras Admin module feature that allows a Global Administrator to entirely remove all delegation privileges from the server.
This is not a rollback feature that clears the settings of the Zextras Admin module. Zextras Admin and Zimbra delegation permissions will be affected if the Admin Configuration is reset.
What exactly does the Admin Configuration Reset do?
The Admin Configuration Reset deletes the following settings:

For all accounts on the server, the isDelegatedAdmin account property.

Every Access Control Entry and every Access Control List for
  • Users
  • Domains
  • Service classifications
  • Configuration at the local level
  • Configuration of the server
  • Zimlets
When should I perform an Admin Config Reset?
The Admin Config Reset should be used only in the following situations:

To thoroughly restore a damaged condition

If one or more incorrect ACL or ACE settings are causing your Zimbra Administration Console to be unstable or not display properly (e.g., showing a blank page or missing one or more UI components), utilise the Admin Configuration Reset as a last resort.

If you intend to discontinue utilising the Zextras Admin module,

Even if no valid Zextras Suite licence is in use, the reset option is accessible. Keep in mind that this will also remove any manually configured Delegation settings.
Delegation options.

What is the purpose of the Admin Configuration Reset?
Simply execute the following CLI command to reset the Admin Delegation configuration:

doDeleteAllDelegatedRights zxsuite core

To avoid inadvertent command execution, you will be prompted to input a confirmation string.
Zextras Administration CLI
The index of all zxsuite admin commands may be found in this section. Full documentation is available in the dedicated section ZxAdmin CLI Commands.
addDelegationSettings, edit DelegationSettings, and export QuotadoRepairAdmin doRestartService doSetZimletRights doMigrateAdmin doMonthlyReport doRemoveDelegationSettings doRepairAdmin doRestartService doSetZimletRights  doShowAdminActivity doStartService doStopAllOperations doStopOperation doStopOperation doStopService  getAllOperations  getDelegationSettings  obtainDomainSettings obtainMonthlyReport  getProperty  reset the getServices monitorDomainSettings propertyDomainSettings property

Leave a Reply

Your email address will not be published. Required fields are marked *