A full administrator can restrict the rights of other administrators (full and domain administrators) such that they will not be able to modify certain properties. Some examples which come to mind are: type of accounts that can be managed, the number of accounts that the domain administrator can create, the daily send out limit for the users or the maximum message size.
The new WebAdmin application enforces these restrictions based on the contents of the file IceWarp/mail/{domain_name}/{admin_account}/adminperm.dat
This is the recommended way of managing administrators' rights, starting with version 11.3 of IceWarp Server.
Domain Admin file – adminperm.dat
The full administrator edits this file manually, using the syntax described below.
The file contains a serialized permissions object in XML format. It can be used to define the access rights of both full administrators and domain administrators. A full administrator creates the file adminperm.dat in the root folder of the administrator account that is to be restricted.
If the file adminperm.dat does not exist in an administrator's root folder, a full administrator has all the rights on all the domains and all the accounts. A domain administrator has all the rights on his own domain and the accounts therein.
Structure of the file adminperm.dat: it contains two tags, <domainspermissions> and <globalpermissions>.
<domainspermissions> defines the permissions for domains and accounts. Each item consists of <domainsset> and <domainsadministrativepermissions>. It is now possible to define for the same administrator (full or domain) different rights for the domains he is allowed to manage.
<domainsset> contains the list of domains that the administrator can manage. Each item consists of a domain mask and a negate parameter. The mask should contain a domain name. Wildcards * and ? are accepted. The parameter <negate>, when set to 1, implies that the particular domain is explicitly removed from the list of managed domains of this administrator.
Example:
<domainsset>
  <item>
    <mask>*</mask>
    <negate>0</negate>
  </item>
  <item>
    <mask>icewarp*</mask>
    <negate>1</negate>
  </item>
</domainsset>
This example illustrates a case where the administrator (full or domain) can manage all domains except those starting with IceWarp.
Example:
<domainsset>
  <item>
    <mask>domain1.com</mask>
    <negate>0</negate>
  </item>
  <item>
    <mask>domain2.com</mask>
    <negate>0</negate>
  </item>
</domainsset>
This example illustrates a case where the administrator (full or domain) can manage domain1.com and domain2.com.
<domainsadministrativepermissions> indicates the permissions on the properties of the allowed domains and accounts (as defined in <domainsset>).
Example:
<domainspermissions>
  <item>
    <domainsset>
      <item>
        <mask>icewarpdemo.com</mask>
        <negate>0</negate>
      </item>
    </domainsset>
    <domainsadministrativepermissions>
      <accountsrelatedpermissions>
        <item>
          <prop>a_name</prop>
          <!-- Disables editing of option A_Name for accounts in domains defined in the domain set (currently icewarpdemo.com) -->
          <perm>1</perm>
        </item>
        <item>
          <prop>a_aliaslist</prop>
          <!-- In future versions it will hide the option (no rights at all) -->
          <perm>0</perm>
        </item>
        <item>
          <prop>a_state</prop>
          <!-- Allows editing of option A_State for accounts in domains defined in the domain set -->
          <perm>2</perm>
        </item>
      </accountsrelatedpermissions>
      <domainrelatedpermissions>
        <item>
          <prop>d_description</prop>
          <!-- Allows editing D_Description for domains defined in the domain set -->
          <perm>2</perm>
        </item>
      </domainrelatedpermissions>
    </domainsadministrativepermissions>
  </item>
</domainspermissions>
The example above introduces two new tags, <prop> and <perm>.
The <prop> tag names a variable from apiconst.pas (\install_dir\api\delphi\apiconst.pas).
The <perm> tag indicates the administrator's rights, separated by level of access (read and write, read only, no rights). It may contain only a number from the set {0, 1, 2}:
0 – no rights;
1 – read only;
2 – full rights (read, write).
The API variables in the apiconst.pas file are also divided into three groups: variables related to the full administrator, to the domain administrator, and to user configuration. Variables starting with C_ relate to the configuration of global permissions, e.g. server system configuration (described below). Variables starting with D_ apply only to the configuration of the domains listed in <domainsset>. Variables starting with U_ relate to the configuration of accounts.
Example of how to hide user and domain quotas and limits, hide the account alias list, and remove the ability to add/remove copies of incoming/outgoing email addresses:
<domainspermissions>
  <item>
    <domainsset>
      <item>
        <mask>YOUR_domain_here</mask>
        <negate>0</negate>
      </item>
    </domainsset>
    <domainsadministrativepermissions>
      <accountsrelatedpermissions>
        <item>
          <prop>U_MaxBox</prop> <!-- Enable mailbox size limit -->
          <perm>1</perm>
        </item>
        <item>
          <prop>U_MaxBoxSize</prop> <!-- Mailbox size limit (kB) -->
          <perm>1</perm>
        </item>
        <item>
          <prop>U_MegabyteSendLimit</prop> <!-- Send out data limit (MB/day) -->
          <perm>1</perm>
        </item>
        <item>
          <prop>U_NumberSendLimit</prop> <!-- Send out messages limit (#/day) -->
          <perm>1</perm>
        </item>
        <item>
          <prop>U_MaxMessageSize</prop> <!-- User max message size (kB) -->
          <perm>1</perm>
        </item>
        <item>
          <prop>A_Quota</prop> <!-- Account quota (actual size + limit) -->
          <perm>0</perm>
        </item>
        <item>
          <prop>A_AliasList</prop> <!-- List of account aliases -->
          <perm>0</perm>
        </item>
        <item>
          <prop>U_MailIn</prop> <!-- Copy incoming email address -->
          <perm>0</perm>
        </item>
        <item>
          <prop>U_MailOut</prop> <!-- Copy outgoing email address -->
          <perm>0</perm>
        </item>
      </accountsrelatedpermissions>
      <domainrelatedpermissions>
        <item>
          <prop>D_DiskQuota</prop> <!-- Domain disk quota (kB) -->
          <perm>1</perm>
        </item>
        <item>
          <prop>D_UserMailbox</prop> <!-- User mailbox size (kB) -->
          <perm>1</perm>
        </item>
        <item>
          <prop>D_UserMB</prop> <!-- User send out data limit (MB/day) -->
          <perm>1</perm>
        </item>
        <item>
          <prop>D_UserNumber</prop> <!-- User send out messages limit (#/day) -->
          <perm>1</perm>
        </item>
        <item>
          <prop>D_UserMsg</prop> <!-- User max message size (kB) -->
          <perm>1</perm>
        </item>
      </domainrelatedpermissions>
    </domainsadministrativepermissions>
  </item>
</domainspermissions>
<globalpermissions>
The tag <globalpermissions> describes global server properties. It should be applied to administrators with full rights.
For example, the main administrator may want to prevent another full administrator from changing the server's language (the server language is used to localize general messages, such as conference info).
<globalpermissions>
  <item>
    <prop>C_Date</prop>
    <perm>0</perm>
  </item>
  <item>
    <prop>C_ConfigPath</prop>
    <perm>0</perm>
  </item>
  <item>
    <prop>C_InstallPath</prop>
    <perm>0</perm>
  </item>
  <item>
    <prop>C_System_Server_language</prop>
    <perm>1</perm>
  </item>
  <item>
    <prop>C_License</prop>
    <perm>0</perm>
  </item>
</globalpermissions>
The example above prevents the full administrator from seeing the date, configuration path, install path and the server's license: the value in their <perm> tag is 0, which means no rights. The variable C_System_Server_language has permission 1 in its <perm> tag, which means read-only: the administrator can see this option in the API console of WebAdmin but has no access to write it.
There is also a way to disable all options at once. With the following configuration, only the options explicitly defined in adminperm.dat with permission 1 or 2 keep those rights; all remaining options get permission 0.
<globalpermissions>
  <item>
    <prop>V_AllOptions</prop>
    <perm>0</perm>
  </item>
</globalpermissions>
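Because adminperm.dat is hand-edited by a full administrator and silently decides what another administrator may change, it is worth checking the file before deploying it and being able to answer "what can this administrator do to property X on domain Y" without clicking through WebAdmin. The following script is an added example, not IceWarp's own code: it parses the two top-level tags described above, lints them (every <perm> must be 0, 1 or 2; every <negate> 0 or 1; property names use the C_, D_, U_, A_ and V_ prefixes seen on this page), and computes the effective permission for a property. The page does not state the file's root element, how overlapping masks are resolved, or whether V_AllOptions also covers domain-scoped properties; the code assumes a synthetic root, that a negated mask wins over a positive one with case-insensitive wildcard matching, that undefined properties default to full rights unless V_AllOptions is 0, and that property names are matched case-insensitively (the page's examples mix a_name and A_Name). The sample document is constructed for the example.

```python
# Added example (not IceWarp's own code): parse an adminperm.dat document, lint it,
# and compute the effective permission an administrator has on one property.
import fnmatch
import re
import xml.etree.ElementTree as ET

NO_RIGHTS, READ_ONLY, FULL = 0, 1, 2             # the only values <perm> may hold
KNOWN_PREFIXES = ("C_", "D_", "U_", "A_", "V_")  # property prefixes seen on the page

# Constructed sample: manage every domain except icewarp*, make A_Name read-only,
# hide A_AliasList, and deny every global option except a read-only server language.
SAMPLE_ADMINPERM = """
<domainspermissions>
  <item>
    <domainsset>
      <item><mask>*</mask><negate>0</negate></item>
      <item><mask>icewarp*</mask><negate>1</negate></item>
    </domainsset>
    <domainsadministrativepermissions>
      <accountsrelatedpermissions>
        <item><prop>A_Name</prop><perm>1</perm></item>
        <item><prop>A_AliasList</prop><perm>0</perm></item>
      </accountsrelatedpermissions>
      <domainrelatedpermissions>
        <item><prop>D_Description</prop><perm>2</perm></item>
      </domainrelatedpermissions>
    </domainsadministrativepermissions>
  </item>
</domainspermissions>
<globalpermissions>
  <item><prop>V_AllOptions</prop><perm>0</perm></item>
  <item><prop>C_System_Server_language</prop><perm>1</perm></item>
</globalpermissions>
"""


def _parse(text):
    # The page shows no root element, so wrap the two top-level tags in an assumed one.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring("<root>" + body + "</root>")


def lint(text):
    """List problems a hand-edited file may contain before it is deployed."""
    problems = []
    for item in _parse(text).iter("item"):
        prop, perm, mask = (item.findtext(t) for t in ("prop", "perm", "mask"))
        if prop is not None or perm is not None:
            if perm is None or not perm.strip().isdigit() or int(perm) not in (0, 1, 2):
                problems.append(f"{prop}: <perm> must be 0, 1 or 2, got {perm!r}")
            if prop is None or not prop.strip().startswith(KNOWN_PREFIXES):
                problems.append(f"{prop}: unexpected property name")
        if mask is not None and (item.findtext("negate") or "0").strip() not in ("0", "1"):
            problems.append(f"mask {mask}: <negate> must be 0 or 1")
    return problems


def domain_allowed(domainsset, domain):
    """Assumed semantics: a domain is managed when it matches a non-negated mask
    and no negated mask; wildcard matching (* and ?) is case-insensitive."""
    wanted = domain.lower()
    included = excluded = False
    for item in domainsset.findall("item"):
        mask = (item.findtext("mask") or "").strip().lower()
        if fnmatch.fnmatchcase(wanted, mask):
            if (item.findtext("negate") or "0").strip() == "1":
                excluded = True
            else:
                included = True
    return included and not excluded


def _perm_map(container):
    """Map lower-cased <prop> names to their <perm> value."""
    out = {}
    for item in ([] if container is None else container.iter("item")):
        prop, perm = item.findtext("prop"), item.findtext("perm")
        if prop and perm and perm.strip().isdigit():
            out[prop.strip().lower()] = int(perm)
    return out


def effective_perm(text, prop, domain=None):
    """Permission level (0, 1 or 2) of this administrator for `prop`. C_/V_ properties
    are global; others use the first <domainspermissions> item whose <domainsset>
    covers `domain`. Assumed: undefined properties default to FULL unless V_AllOptions is 0."""
    root = _parse(text)
    glob = _perm_map(root.find(".//globalpermissions"))
    default = NO_RIGHTS if glob.get("v_alloptions") == NO_RIGHTS else FULL
    key = prop.lower()
    if key.startswith(("c_", "v_")):
        return glob.get(key, default)
    if domain is None:
        raise ValueError("domain-scoped property needs a domain")
    dp = root.find(".//domainspermissions")
    for entry in ([] if dp is None else dp.findall("item")):
        ds = entry.find("domainsset")
        if ds is not None and domain_allowed(ds, domain):
            return _perm_map(entry.find("domainsadministrativepermissions")).get(key, default)
    return NO_RIGHTS  # the domain is not in any managed set


if __name__ == "__main__":
    print("lint:", lint(SAMPLE_ADMINPERM) or "clean")
    for p, d in [("A_Name", "example.com"), ("A_Name", "icewarpdemo.com"),
                 ("U_MaxBoxSize", "example.com"), ("C_License", None)]:
        print(p, d, "->", effective_perm(SAMPLE_ADMINPERM, p, d))
```

Run the lint against a file before copying it into the administrator's root folder; a <perm> of 3 or a misspelled property name would otherwise be accepted silently, and the effect on the administrator's rights is only visible once WebAdmin reads the file. The effective_perm lookup is also a quick way to verify that an icewarp* exclusion really removes the domain for a property that is otherwise editable.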
Compatibility with the previous version of WebAdmin
The administration console of version 11.3 still offers the GUI to manage the domain administrator's rights. This method of managing access rights is deprecated starting with version 11.3 of IceWarp Server, and the usage of adminperm.dat is strongly recommended. The basic structure of the file domain.dat is presented here because the new WebAdmin still respects part of this file, as explained below.
Go to server administrative console – <user> – Options tab – Permissions (– Domain Administrator) – Rights button. The Domain Admin Rights dialogue opens. Select the categories the domain administrator is allowed to manage.
Clicking the Advanced button (within the Domain Admin Rights dialogue) opens the domain.dat file. The full pathname of the domain.dat file is: IceWarp/mail/{domain_name}/{domain_account}/domain.dat
This file domain.dat has three types of directives:
- A directive "RIGHTS=" is pre-filled with the choice made in the Domain Admin Rights dialogue. The letters in its value mean:
  U - User accounts; G - Group accounts; M - Mailing list accounts; O - Resource accounts; L - List server accounts; E - Executable accounts; R - Remote accounts; S - Static routes; N - Notification accounts; C - Catalog; V - Disable mailbox view; Q - Manage domain Quarantine
- The list of domains the domain administrator is eligible to maintain (one domain per line)
- Options to allow/restrict access to certain properties by displaying/hiding them in the old WebAdmin interface
Out of these three directive types, only the first two types (RIGHTS and list of managed domains) are still respected by the new WebAdmin.
If a right or a domain is not specified in the file adminperm.dat (current way of managing rights), it is read from the file domain.dat (the old way of managing rights). We strongly recommend all administrators use only the file adminperm.dat.
The third directive type (OPTION) does not affect the new WebAdmin; it is applied only in the old WebAdmin.
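Since the new WebAdmin still falls back to domain.dat for any right or domain that adminperm.dat leaves unspecified, a legacy domain.dat can quietly widen what a domain administrator may do. The following decoder is an added example, not IceWarp's own code: it splits a domain.dat into the RIGHTS= letters (translated with the table above), the managed-domain list, and the option lines the new WebAdmin ignores, and flags any RIGHTS letter the table does not know. The page gives the RIGHTS= line and the one-domain-per-line list but not the exact spelling of an option line, so the code assumes option lines start with OPTION; the sample file is constructed for the example.

```python
# Added example (not IceWarp's own code): decode a legacy domain.dat so the rights it
# still contributes (RIGHTS= letters and the managed-domain list) can be audited.
RIGHTS_CODES = {
    "U": "User accounts", "G": "Group accounts", "M": "Mailing list accounts",
    "O": "Resource accounts", "L": "List server accounts", "E": "Executable accounts",
    "R": "Remote accounts", "S": "Static routes", "N": "Notification accounts",
    "C": "Catalog", "V": "Disable mailbox view", "Q": "Manage domain Quarantine",
}

# Constructed sample. The RIGHTS= line and one-domain-per-line list follow the page;
# the spelling of the option line is assumed (the page only calls them OPTION directives).
SAMPLE_DOMAIN_DAT = """RIGHTS=UGMQ
domain1.com
Domain2.com

OPTION_HIDE_QUOTA=1
"""


def parse_domain_dat(text):
    """Split domain.dat into the parts the new WebAdmin still honours and the ones it ignores."""
    result = {"rights": [], "unknown_rights": [], "domains": [], "options": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        upper = line.upper()
        if upper.startswith("RIGHTS="):
            for code in upper.split("=", 1)[1].strip():
                bucket = "rights" if code in RIGHTS_CODES else "unknown_rights"
                if code not in result[bucket]:
                    result[bucket].append(code)
        elif upper.startswith("OPTION"):   # assumed spelling; ignored by the new WebAdmin
            result["options"].append(line)
        else:                              # anything else is a managed domain, one per line
            result["domains"].append(line.lower())
    return result


def describe_rights(parsed):
    """Human-readable account categories the domain administrator may manage."""
    return [RIGHTS_CODES[c] for c in parsed["rights"]]


if __name__ == "__main__":
    parsed = parse_domain_dat(SAMPLE_DOMAIN_DAT)
    print("can manage:", ", ".join(describe_rights(parsed)))
    print("domains:", parsed["domains"])
    print("ignored by new WebAdmin:", parsed["options"])
    if parsed["unknown_rights"]:
        print("unknown RIGHTS letters:", parsed["unknown_rights"])
```

Running this over every {domain_account}/domain.dat under IceWarp/mail shows which domain administrators still derive rights from the deprecated file, which is the list to migrate to adminperm.dat first.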