A full administrator can restrict the rights of other administrators (full and domain administrators) so that they cannot modify certain properties. Examples include the types of accounts that can be managed, the number of accounts that the domain administrator can create, the daily send-out limit for users, or the maximum message size.
The new WebAdmin application enforces these restrictions based on the contents of the file adminperm.dat.
The adminperm.dat file can be used for the entire domain. The file location is then:
IceWarp/mail/{domain_name}/adminperm.dat
Or it can be used for an individual user account, with the location:
IceWarp/mail/{domain_name}/{admin_account}/adminperm.dat
Domain Admin file – adminperm.dat
The full administrator needs to edit this file manually, following the syntax below.
This file contains a serialized permissions object in XML format. It can be used to define the access rights of full administrators and domain administrators. A full administrator should create the file adminperm.dat in the root folder of the administrator account to be managed.
If the file adminperm.dat does not exist in an administrator's root folder, a full administrator has all the rights on all the domains and all the accounts. A domain administrator has all the rights on his own domain and the accounts therein.
Structure of the file adminperm.dat: it contains two tags, <domainspermissions> and <globalpermissions>.
<domainspermissions> defines the permissions for domains and accounts. Each item consists of <domainsset> and <domainsadministrativepermissions>. It is now possible to define for the same administrator (full or domain) different rights for the domains he is allowed to manage.
<domainsset> contains the list of domains that the administrator can manage. Each item consists of a domain mask and a negate parameter. The mask should contain a domain name. Wildcards * and ? are accepted. The parameter <negate>, when set to 1, implies that the particular domain is explicitly removed from the list of managed domains of this administrator.
Example:
<domainsset>
<item>
<mask>*</mask>
<negate>0</negate>
</item>
<item>
<mask>icewarp*</mask>
<negate>1</negate>
</item>
</domainsset>
This example illustrates a case where the administrator (full or domain) can manage all domains except those starting with IceWarp.
Example:
<domainsset>
<item>
<mask>domain1.com</mask>
<negate>0</negate>
</item>
<item>
<mask>domain2.com</mask>
<negate>0</negate>
</item>
</domainsset>
This example illustrates a case where the administrator (full or domain) can manage domain1.com and domain2.com.
<domainsadministrativepermissions> indicates the permissions on the properties of the allowed domains and accounts (as defined in <domainsset>).
Example:
<domainspermissions>
<item>
<domainsset>
<item>
<mask>icewarpdemo.com</mask>
<negate>0</negate>
</item>
</domainsset>
<domainsadministrativepermissions>
<accountsrelatedpermissions>
<item>
<prop>a_name</prop>
<!-- Disables editing of option A_Name for accounts in domains defined in domain set ( currently icewarpdemo.com ) -->
<perm>1</perm>
</item>
<item>
<prop>a_aliaslist</prop>
<!-- In future versions it will hide the option (no rights at all) -->
<perm>0</perm>
</item>
<item>
<prop>a_state</prop>
<!-- Allows editing of option A_State for accounts in domains defined in domain set -->
<perm>2</perm>
</item>
</accountsrelatedpermissions>
<domainrelatedpermissions>
<item>
<prop>d_description</prop>
<!-- Allows editing D_Description for domains defined in domain set -->
<perm>2</perm>
</item>
</domainrelatedpermissions>
</domainsadministrativepermissions>
</item>
</domainspermissions>
The example above introduces new tags, <prop> and <perm>.
The <prop> tag names a variable from apiconst.pas (\install_dir\api\delphi\apiconst.pas).
The <perm> tag indicates the administrator's rights, which are separated into levels of access (read and write, read only, no rights). The <perm> tag can contain only a number from the set {0,1,2}:
0 – no rights;
1 – read only;
2 – full rights (read, write).
The API variables in the apiconst.pas file are also divided into 3 groups: variables related to full administrator, domain administrator and user configuration. Variables starting with C_ relate to the configuration of global permissions, e.g. server system configuration (described a few lines below). Variables starting with D_ apply only to the configuration of the domains stated in <domainsset>. Variables starting with U_ relate to the configuration of accounts.
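How the mask/negate list and the <perm> levels combine can be checked with a short script before the file is deployed. This is an added example, not IceWarp's code: effective_perm and the sample data are constructed, the synthetic <root> wrapper exists only so the fragment parses, and it assumes case-insensitive matching and that a negate=1 match removes a domain regardless of item order.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the article's format; the <root> wrapper is an
# assumption added so the fragment parses as one XML document.
SAMPLE = """<root><domainspermissions><item>
  <domainsset>
    <item><mask>*</mask><negate>0</negate></item>
    <item><mask>icewarp*</mask><negate>1</negate></item>
  </domainsset>
  <domainsadministrativepermissions>
    <accountsrelatedpermissions>
      <item><prop>a_name</prop><perm>1</perm></item>
      <item><prop>A_AliasList</prop><perm>0</perm></item>
    </accountsrelatedpermissions>
    <domainrelatedpermissions>
      <item><prop>d_description</prop><perm>2</perm></item>
    </domainrelatedpermissions>
  </domainsadministrativepermissions>
</item></domainspermissions></root>"""

def mask_matches(mask, domain):
    # Only * and ? act as wildcards; case-insensitive matching is an assumption.
    rx = re.escape(mask.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, domain.lower()) is not None

def domain_in_set(domainsset, domain):
    # Assumed semantics: some negate=0 mask matches and no negate=1 mask does.
    hits = [i.findtext("negate", "0").strip() == "1"
            for i in domainsset.findall("item")
            if mask_matches(i.findtext("mask", "").strip(), domain)]
    return bool(hits) and not any(hits)

def effective_perm(xml_text, domain, prop):
    """Return 0, 1 or 2 for prop on domain, or None if the file does not list it."""
    root = ET.fromstring(xml_text)
    for entry in root.findall("./domainspermissions/item"):
        dset = entry.find("domainsset")
        if dset is None or not domain_in_set(dset, domain):
            continue
        for item in entry.findall("./domainsadministrativepermissions/*/item"):
            if item.findtext("prop", "").strip().lower() == prop.lower():
                perm = int(item.findtext("perm", "").strip())
                if perm not in (0, 1, 2):
                    raise ValueError(f"{prop}: <perm> must be 0, 1 or 2, got {perm}")
                return perm
    return None  # property or domain not covered by this file
```

A return value of None means the file says nothing about that property for that domain, which is worth reviewing separately from an explicit 0.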
Example of how to hide user and domain quotas and limits, the account aliases list, and the ability to add/remove copy addresses for incoming/outgoing email:
<domainspermissions>
<item>
<domainsset>
<item>
<mask>YOUR_domain_here</mask>
<negate>0</negate>
</item>
</domainsset>
<domainsadministrativepermissions>
<accountsrelatedpermissions>
<item>
<prop>U_MaxBox</prop> <!-- Enable mailbox size limit -->
<perm>1</perm>
</item>
<item>
<prop>U_MaxBoxSize</prop> <!-- Mailbox size limit (kB) -->
<perm>1</perm>
</item>
<item>
<prop>U_MegabyteSendLimit</prop> <!-- Send out data limit (MB/day) -->
<perm>1</perm>
</item>
<item>
<prop>U_NumberSendLimit</prop> <!-- Send out messages limit (#/day) -->
<perm>1</perm>
</item>
<item>
<prop>U_MaxMessageSize</prop> <!-- User max message size (kB) -->
<perm>1</perm>
</item>
<item>
<prop>A_Quota</prop>
<perm>0</perm> <!-- Account quota ( actual size + limit ) -->
</item>
<item>
<prop>A_AliasList</prop> <!-- List of account aliases -->
<perm>0</perm>
</item>
<item>
<prop>U_MailIn</prop> <!-- Copy incoming email address -->
<perm>0</perm>
</item>
<item>
<prop>U_MailOut</prop> <!-- Copy outgoing email address -->
<perm>0</perm>
</item>
</accountsrelatedpermissions>
<domainrelatedpermissions>
<item>
<prop>D_DiskQuota</prop> <!-- Domain disk quota (kB) -->
<perm>1</perm>
</item>
<item>
<prop>D_UserMailbox</prop> <!-- User Mailbox size (kB) -->
<perm>1</perm>
</item>
<item>
<prop>D_UserMB</prop> <!-- User send out data limit (MB/day) -->
<perm>1</perm>
</item>
<item>
<prop>D_UserNumber</prop> <!-- User send out messages limit (#/day) -->
<perm>1</perm>
</item>
<item>
<prop>D_UserMsg</prop> <!-- User max message size (kb) -->
<perm>1</perm>
</item>
</domainrelatedpermissions>
</domainsadministrativepermissions>
</item>
</domainspermissions>
<globalpermissions>
The tag <globalpermissions> is used to describe global server properties. This feature should be applied to administrators with full rights.
For example, the main administrator may want to restrict another full administrator's ability to change the server's language (the server language is used for localization of general messages, like conference info).
<globalpermissions>
<item>
<prop>C_Date</prop>
<perm>0</perm>
</item>
<item>
<prop>C_ConfigPath</prop>
<perm>0</perm>
</item>
<item>
<prop>C_InstallPath</prop>
<perm>0</perm>
</item>
<item>
<prop>C_System_Server_language</prop>
<perm>1</perm>
</item>
<item>
<prop>C_License</prop>
<perm>0</perm>
</item>
</globalpermissions>
The above example prevents the full administrator from seeing the date, install path, and the server's license; as you can see in the tag <perm>, the value is 0, which means no rights. The variable C_System_Server_language has permission 1 in the tag <perm>, which means read-only; the administrator can see this option in the API console of WebAdmin but has no write access.
There is also a way to disable all options. With the following configuration, only the options defined in adminperm.dat with permissions 1 or 2 will have different rights; all remaining options will have permission 0.
<globalpermissions>
<item>
<prop>V_AllOptions</prop>
<perm>0</perm>
</item>
</globalpermissions>