The Zimbra Network Edition NG module enables a Zimbra Global Admin to create Domain Admins right from the Admin Console. But suppose you want to create a more limited or customized delegated admin account, say, to perform password resets only?
To do that, we need to go to the command line.
Let’s say you have a user “email@example.com” and you want to give this person access to the Zimbra Admin Console with rights only to change other user’s passwords. To do so, we just need to run the following commands:
zmprov ma firstname.lastname@example.org zimbraIsDelegatedAdminAccount TRUE zmprov ma email@example.com zimbraAdminConsoleUIComponents accountListView zmprov grr domain mydomain.com usr firstname.lastname@example.org changeAccountPassword zmprov grr domain mydomain.com usr email@example.com listAccount zmprov grr domain mydomain.com usr firstname.lastname@example.org countAccount
Prior to NG Admin, Zimbra’s Admin Console contained wizards and other visual elements to create Delegated Admins with really granular permissions. But it was a very complex process, because not only did you need to give a user (or a distribution list; more on that later…) permissions to do things, you also had to give them permission to see those pieces of the Admin Console which would enable them to do the things you wanted them to be able to do. If they had the rights to do something, but they didn’t have access to the portions of the Admin Console necessary to do that thing, they would be stuck. And if you gave a user rights to see more of the Admin Console than they needed, when they poked around, they would get popup errors.
If you run “zmprov gar -c ALL”, you’ll see that there are nearly 450 of these permission and view rights. So Zimbra did two things to try to simplify this powerful but complex framework.
First, Zimbra enabled you to designate a Distribution List as a Domain Admin Group. In this way, you would apply rights to to the Distribution List, and once you got things the way you wanted them, you could just add users to the Distribution List and the DL members would then inherit the Delegated Admin rights assigned to the DL. Neat! In fact, large companies with multiple Help Desk tiers still use this technique to create really granular Delegated Admins that adhere to the very appropriate “Least Use Access” security model.
The second thing Zimbra did was add a bunch of Wizards and other GUI components to the Admin Console so that a Global Admin could create Delegated Admins and Delegated Admin Groups (DLs) straight from the Admin Console.
For better or worse, the GUI administration capabilities for Delegated Admins are gone as they conflict with NG Delegated Admin, but the command line components still exist, and you can still use them.
To create a Distribution List as a Delegated Admin Group so that users who are made members of the Distribution List then inherit the rights assigned to the Distribution List, first create a new Distribution List and run:
zmprov mdl email@example.com zimbraIsAdminGroup TRUE
… and then assign the above permissions (with slightly altered syntax, since you are assigning rights to the DL and not to a user). Make your chosen users members of this DL and… Voila! Those users are now Delegated Admins.
If you need help with developing custom Delegated Admin roles, please get in touch using the following form:
Hope that helps,
L. Mark Stone
Mission Critical Email LLC
26 May 2022
The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone personally. The contents of this site are not intended as advice for any purpose and are subject to change without notice. Mission Critical Email makes no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.