Posted by Vagif Amirov, Last modified by Vagif Amirov on 18 January 2016 09:06 AM
A full administrator can restrict the rights of other administrators (full and domain administrators) so that they are not able to modify certain properties. Some examples are: the types of accounts that can be managed, the number of accounts a domain administrator may create, the daily send-out limit of the users, or the maximum message size. The new WebAdmin application enforces these restrictions based on the contents of the file IceWarp/mail/{domain_name}/{admin_account}/adminperm.dat. This is the recommended way of managing administrators' rights starting with version 11.3 of IceWarp Server.
Domain Admin file – adminperm.dat
In the current version 11.3.0, the full administrator needs to edit this file manually, following the syntax below. The file contains a serialized permissions object in XML format and can be used to define the access rights of full administrators and domain administrators. A full administrator should create the file adminperm.dat in the root folder of the administrator account to be managed. If adminperm.dat does not exist in the root folder of an administrator, a full administrator has all rights on all domains and all accounts, and a domain administrator has all rights on his own domain and the accounts therein.

Structure of the file adminperm.dat: it contains two tags, <domainspermissions> and <globalpermissions>.

<domainspermissions> defines the permissions for domains and accounts. Each item consists of <domainsset> and <domainsadministrativepermissions>. It is therefore possible to define, for the same administrator (full or domain), different rights for the different domains he is allowed to manage.

<domainsset> contains the list of domains that the administrator is able to manage. Each item consists of a domain mask and a negate parameter. The mask should contain a domain name; the wildcards * and ? are accepted. When the <negate> parameter is set to 1, the domains matching that mask are explicitly removed from the list of domains managed by this administrator. Example:

<domainsset>
  <item>
    <mask>*</mask>
    <negate>0</negate>
  </item>
  <item>
    <mask>icewarp*</mask>
    <negate>1</negate>
  </item>
</domainsset>

This example illustrates a case where the administrator (full or domain) can manage all domains except those starting with icewarp.
<domainsadministrativepermissions> indicates the permissions on the properties of the allowed domains and accounts (as defined in <domainsset>). Example:

<domainspermissions>
  <item>
    <domainsset>
      <item>
        <mask>icewarpdemo.fr</mask>
        <negate>0</negate>
      </item>
    </domainsset>
    <domainsadministrativepermissions>
      <accountsrelatedpermissions>
        <item>
          <prop>a_name</prop>
          <!-- Disables editing of option A_Name for accounts in domains defined in domain set (currently icewarpdemo.fr) -->
          <perm>1</perm>
        </item>
        <item>
          <prop>a_aliaslist</prop>
          <!-- In future versions it will hide the option (no rights at all) -->
          <perm>0</perm>
        </item>
        <item>
          <prop>a_state</prop>
          <!-- Allows editing of option A_State for accounts in domains defined in domain set -->
          <perm>2</perm>
        </item>
      </accountsrelatedpermissions>
      <domainrelatedpermissions>
        <item>
          <prop>d_description</prop>
          <!-- Allows editing D_Description for domains defined in domain set -->
          <perm>2</perm>
        </item>
      </domainrelatedpermissions>
    </domainsadministrativepermissions>
  </item>
</domainspermissions>
The example above uses new tags, <prop> and <perm>. The <prop> tag holds a variable name from apiconst.pas (IceWarp\api\delphi\apiconst.pas). Note that this symbolic syntax is supported starting with IceWarp version 11.3.1. The <perm> tag indicates the administrator's rights, separated into levels of access (read and write, read only, no rights). <perm> may contain only a number from the set {0, 1, 2}: 0 – no rights; 1 – read only; 2 – full rights (read and write).
If you have not yet updated your IceWarp Server and are still running version 11.3.0, you need to use the <prop> tag differently. Consider the example below:
<domainspermissions>
  <item>
    <domainsset>
      <item>
        <mask>icewarpdemo.fr</mask>
        <negate>0</negate>
      </item>
    </domainsset>
    <domainsadministrativepermissions>
      <accountsrelatedpermissions>
        <item>
          <prop>1337</prop>
          <!-- Disables editing of option A_Name for accounts in domains defined in domain set (currently icewarpdemo.fr) -->
          <perm>1</perm>
        </item>
        <item>
          <prop>1310</prop>
          <!-- In future versions it will hide the option (no rights at all) -->
          <perm>0</perm>
        </item>
        <item>
          <prop>1338</prop>
          <!-- Allows editing of option A_State for accounts in domains defined in domain set -->
          <perm>2</perm>
        </item>
      </accountsrelatedpermissions>
      <domainrelatedpermissions>
        <item>
          <prop>0</prop>
          <!-- Allows editing D_Description for domains defined in domain set -->
          <perm>2</perm>
        </item>
      </domainrelatedpermissions>
    </domainsadministrativepermissions>
  </item>
</domainspermissions>
As you can see, the symbolic variable names in <prop> have been replaced by decimal values. In the file apiconst.pas (IceWarp/api/Delphi/apiconst.pas) each variable is listed with its hexadecimal value, which must be converted to decimal. For example, the variable a_name has the hexadecimal value $539, which is 1337 in decimal, so instead of <prop>a_name</prop> you must write <prop>1337</prop>.
The API variables in apiconst.pas are also divided into three groups: variables related to the full administrator, to the domain administrator, and to user configuration. Variables starting with C_ relate to the configuration of global permissions, e.g. server system settings (described below). Variables starting with D_ apply only to the configuration of the domains listed in <domainsset>. Variables starting with U_ relate to the configuration of accounts.
<globalpermissions>
The tag <globalpermissions> is used to describe global server properties. This feature should be applied to administrators with full rights. For example, the main administrator may want to restrict another full administrator's ability to change the language of the server (the server language is used for the localization of general messages, such as conference info).
<globalpermissions>
  <item>
    <prop>C_Date</prop>
    <perm>0</perm>
  </item>
  <item>
    <prop>C_ConfigPath</prop>
    <perm>0</perm>
  </item>
  <item>
    <prop>C_InstallPath</prop>
    <perm>0</perm>
  </item>
  <item>
    <prop>C_System_Server_language</prop>
    <perm>1</perm>
  </item>
  <item>
    <prop>C_License</prop>
    <perm>0</perm>
  </item>
</globalpermissions>
For version 11.3.0 the same looks like the following:

<globalpermissions>
  <item>
    <prop>4100</prop>
    <perm>0</perm>
  </item>
  <item>
    <prop>170</prop>
    <perm>0</perm>
  </item>
  <item>
    <prop>266</prop>
    <perm>0</perm>
  </item>
  <item>
    <prop>1171</prop>
    <perm>1</perm>
  </item>
  <item>
    <prop>169</prop>
    <perm>0</perm>
  </item>
</globalpermissions>
The above example prevents the full administrator from seeing the date, the install path and the license of the server: as you can see, the value in the <perm> tag is 0, which means no rights. The variable C_System_Server_language has permission 1 in its <perm> tag, which means read only: the administrator will see this option in the API console of the WebAdmin, but will not be able to change it. There is also a way to disable all options at once. With the following configuration, only the options listed in adminperm.dat with permission 1 or 2 keep those rights; all remaining options get permission 0:
<globalpermissions>
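To make the rules above concrete, here is an added example (not part of this article and not IceWarp's own code) that parses an adminperm.dat in Python, applies the <domainsset> mask and negate rules, looks up <perm> values for account, domain and global properties, and rewrites symbolic <prop> names to the decimal form that version 11.3.0 requires. The <permissions> root element, the rule that a domain is managed when it matches a non-negated mask and no negated mask, and case-insensitive matching are assumptions; the decimal values in the conversion table are only the ones quoted in this article, and every other constant must be taken from apiconst.pas.

```python
"""Added example: evaluate and convert an IceWarp adminperm.dat (not IceWarp code)."""
import copy
import fnmatch
import xml.etree.ElementTree as ET

NO_RIGHTS, READ_ONLY, FULL_RIGHTS = 0, 1, 2

# Constructed sample modelled on the article's 11.3.1 example. The <permissions>
# root element is an assumption: the article does not show the file's root tag.
SAMPLE_ADMINPERM = """<permissions>
  <domainspermissions>
    <item>
      <domainsset>
        <item><mask>*</mask><negate>0</negate></item>
        <item><mask>icewarp*</mask><negate>1</negate></item>
      </domainsset>
      <domainsadministrativepermissions>
        <accountsrelatedpermissions>
          <item><prop>a_name</prop><perm>1</perm></item>
          <item><prop>a_aliaslist</prop><perm>0</perm></item>
          <item><prop>a_state</prop><perm>2</perm></item>
        </accountsrelatedpermissions>
        <domainrelatedpermissions>
          <item><prop>d_description</prop><perm>2</perm></item>
        </domainrelatedpermissions>
      </domainsadministrativepermissions>
    </item>
  </domainspermissions>
  <globalpermissions>
    <item><prop>C_License</prop><perm>0</perm></item>
    <item><prop>C_System_Server_language</prop><perm>1</perm></item>
  </globalpermissions>
</permissions>
"""

# Decimal values quoted in the article for a few apiconst.pas constants; any other
# constant must be looked up in IceWarp/api/Delphi/apiconst.pas and converted from hex.
APICONST_DECIMAL = {
    "a_name": 1337, "a_aliaslist": 1310, "a_state": 1338, "d_description": 0,
    "c_date": 4100, "c_configpath": 170, "c_installpath": 266,
    "c_system_server_language": 1171, "c_license": 169,
}

def load_permissions(xml_text):
    """Parse an adminperm.dat document into an ElementTree root."""
    return ET.fromstring(xml_text)

def domain_in_set(domainsset, domain):
    """Assumed rule: a domain is managed when it matches at least one mask with
    <negate>0 and no mask with <negate>1. Masks use * and ? as in the article."""
    domain = domain.strip().lower()
    included = excluded = False
    for item in domainsset.findall("item"):
        mask = (item.findtext("mask") or "").strip().lower()
        negated = (item.findtext("negate") or "0").strip() == "1"
        if fnmatch.fnmatchcase(domain, mask):
            if negated:
                excluded = True
            else:
                included = True
    return included and not excluded

def lookup_perm(items, prop):
    """Return the <perm> for prop among <item> elements, or None if it is not listed."""
    for item in items:
        if (item.findtext("prop") or "").strip().lower() == prop.strip().lower():
            perm = int((item.findtext("perm") or "").strip())
            if perm not in (NO_RIGHTS, READ_ONLY, FULL_RIGHTS):
                raise ValueError(f"<perm> must be 0, 1 or 2, got {perm} for {prop}")
            return perm
    return None

def domain_permission(root, domain, prop):
    """Permission of an account or domain property for one domain; None means the file
    does not specify it (the article says IceWarp then falls back to domain.dat)."""
    for entry in root.findall("./domainspermissions/item"):
        dset = entry.find("domainsset")
        admin = entry.find("domainsadministrativepermissions")
        if dset is None or admin is None or not domain_in_set(dset, domain):
            continue
        for section in ("accountsrelatedpermissions", "domainrelatedpermissions"):
            sec = admin.find(section)
            perm = lookup_perm(sec.findall("item"), prop) if sec is not None else None
            if perm is not None:
                return perm
    return None

def global_permission(root, prop):
    """Permission of a C_ (global server) property, or None if it is not listed."""
    return lookup_perm(root.findall("./globalpermissions/item"), prop)

def hex_const_to_decimal(delphi_hex):
    """Convert a Delphi hex literal from apiconst.pas ('$539') to decimal (1337)."""
    return int(delphi_hex.strip().lstrip("$"), 16)

def to_1130_syntax(root, table=APICONST_DECIMAL):
    """Copy the tree, replacing symbolic <prop> names with decimals for version 11.3.0."""
    clone = copy.deepcopy(root)
    for prop in clone.iter("prop"):
        name = (prop.text or "").strip()
        if name.isdigit():
            continue  # already in the numeric 11.3.0 form
        if name.lower() not in table:
            raise KeyError(f"{name}: value not known here, take it from apiconst.pas")
        prop.text = str(table[name.lower()])
    return clone
```

A None result from domain_permission or global_permission is deliberately distinct from 0: the article states that an unspecified right is read from domain.dat rather than denied, so a tool that audits administrator rights must report "not specified" separately from "no rights". The ValueError on a <perm> outside {0, 1, 2} and the KeyError on an unknown constant catch the two editing mistakes that are easiest to make when the file is written by hand.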
Compatibility with the previous version of WebAdmin
The old version of the WebAdmin application can still be accessed through the following URL:
http(s)://<server>/admin/old/
Note: The full administrator can set the old WebAdmin as the default application by creating a web server rewrite rule from /admin to /admin/old
The administration console of version 11.3 still offers a GUI for managing the domain administrator's rights. This method of managing access rights is deprecated starting with version 11.3 of IceWarp Server, and the use of adminperm.dat is strongly recommended. The basic structure of the file domain.dat is presented here because the new WebAdmin still respects part of it, as explained below. Go to the server administration console – <user> – Options tab – Permissions (– Domain Administrator) – Rights button. The Domain Admin Rights dialog opens; select the categories the domain administrator is allowed to manage.
Clicking the Advanced button (within the Domain Admin Rights dialog) opens the domain.dat file. The full pathname of the domain.dat file is: IceWarp/mail/{domain_name}/{domain_account}/domain.dat
The domain.dat file has three types of directives:
Of these three directive types, only the first two (RIGHTS and the list of managed domains) are still respected by the new WebAdmin. If a right or a domain is not specified in the file adminperm.dat (the current way of managing rights), it is read from the file domain.dat (the old way). We strongly recommend that all administrators use only the file adminperm.dat. The third directive type (OPTION) has no effect in the new WebAdmin; such directives are applied only in the old WebAdmin.