A full administrator can restrict the rights of other administrators (full and domain administrators) such that they will not be able to modify certain properties. Some examples which come to mind are: type of accounts that can be managed, number of accounts which can be created by the domain administrator, daily send out limit for the users or the maximum message size.
The new WebAdmin application enforces these restrictions based on the contents of the file IceWarp/mail/{domain_name}/{admin_account}/adminperm.dat
This is the recommended way of managing administrators' rights starting with version 11.3 of IceWarp Server.
Domain Admin file – adminperm.dat
The full administrator needs to manually edit this file as per the following syntax:
This file contains serialized permissions object in XML format. This file can be used to define the access rights for full administrators and domain administrators. A full administrator should create a file adminperm.dat in the root folder of the administrator account to be managed.
If the file adminperm.dat does not exist in the root folder of an administrator, a full administrator has all the rights on all the domains and all the accounts, a domain administrator has all the rights on his own domain and the accounts therein.
Structure of the file adminperm.dat : It contains two tags: <domainspermissions> and <globalpermissions>.
<domainspermissions> defines the permissions for domains and accounts. Each item consists of <domainsset> and <domainsadministrativepermissions>. It is now possible to define for the same administrator (full or domain) different rights for the domains he is allowed to manage.
<domainsset> contains the list of domains that administrator is able to manage. Each item consists of a domain mask and a negate parameter. The mask should contain a domain name. Wildcards * and ? are accepted. The parameter <negate> when set to 1 implies that the particular domain is explicitly removed from the list of managed domains of this this administrator.
Example:
<domainsset>
<item>
<mask>*</mask>
<negate>0</negate>
</item>
<item>
<mask>icewarp*</mask>
<negate>1</negate>
</item>
</domainsset>
This example illustrates a case where the administrator (full or domain) can manage all from domains except those starting with icewarp
Example:
<domainsset>
<item>
<mask>domain1.com</mask>
<negate>0</negate>
</item>
<item>
<mask>domain2.com</mask>
<negate>0</negate>
</item>
</domainsset>
This example illustrates a case where the administrator (full or domain) can manage domain1.com and domain2.com.
<domainsadministrativepermissions> indicates the permissions on the properties of the allowed domains and accounts (as defined in domainsset)
Example:
<domainspermissions>
<item>
<domainsset>
<item>
<mask>icewarpdemo.com</mask>
<negate>0</negate>
</item>
</domainsset>
<domainsadministrativepermissions>
<accountsrelatedpermissions>
<item>
<prop>a_name</prop>
<!-- Disables editing of option A_Name for accounts in domains defined in domain set ( currently icewarpdemo.com ) -->
<perm>1</perm>
</item>
<item>
<prop>a_aliaslist</prop>
<!-- In future versions it will hide the option (no rights at all) -->
<perm>0</perm>
</item>
<item>
<prop>a_state</prop>
<!-- Allows editing of option A_State for accounts in domains defined in domain set -->
<perm>2</perm>
</item>
</accountsrelatedpermissions>
<domainrelatedpermissions>
<item>
<prop>d_description</prop>
<!-- Allows editing D_Description for domains defined in domain set -->
<perm>2</perm>
</item>
</domainrelatedpermissions>
</domainsadministrativepermissions>
</item>
</domainspermissions>
Example above has new tags, such <prop> and <perm>.
The variable (<prop>) indicates the variables from apiconst.pas (\install_dir\api\delphi\apiconst.pas).
Permission tag (<perm>) indicates administrator’s rights. They are separated by levels of access (read and write, read only, no rights). The tag <perm> could contain only number from set {0,1,2}:
0 – no rights;
1 – read only;
2 – full rights (read, write).
API variables in apiconst.pas file are also divided on 3 groups: variables that are related to full administrator, domain administrator and user configuration. The variables that are starting with letter C_ - are related to configuration of global permissions, e.g. server system configurations (will be described in few strings later). Starting with D_ indicates the variables, what will be applied to configuration of domain only, what was stated in <domainset>. And variables starting with U_ are related to configuration of accounts.
Example how to hide user and domain quotas and limits, hide account aliases list, ability to add/remove copyes for incoming/outgoing email address:
<domainspermissions>
<item>
<domainsset>
<item>
<mask>YOUR_domain_here</mask>
<negate>0</negate>
</item>
</domainsset>
<domainsadministrativepermissions>
<accountsrelatedpermissions>
<item>
<prop>U_MaxBox</prop> <!-- Enable mailbox size limit -->
<perm>1</perm>
</item>
<item>
<prop>U_MaxBoxSize</prop> <!-- Mailbox size limit (kB) -->
<perm>1</perm>
</item>
<item>
<prop>U_MegabyteSendLimit</prop> <!-- Send out data limit (MB/day) -->
<perm>1</perm>
</item>
<item>
<prop>U_NumberSendLimit</prop> <!-- Send out messages limit (#/day) -->
<perm>1</perm>
</item>
<item>
<prop>U_MaxMessageSize</prop> <!-- User max message size (kB) -->
<perm>1</perm>
</item>
<item>
<prop>A_Quota</prop>
<perm>0</perm> <!-- Account quota ( actual size + limit ) -->
</item>
<item>
<prop>A_AliasList</prop> <!-- List of account aliases -->
<perm>0</perm>
</item>
<item>
<prop>U_MailIn</prop> <!-- Copy incoming email address -->
<perm>0</perm>
</item>
<item>
<prop>U_MailOut</prop> <!-- Copy outgoing email address -->
<perm>0</perm>
</item>
</accountsrelatedpermissions>
<domainrelatedpermissions>
<item>
<prop>D_DiskQuota</prop> <!-- Domain disk quota (kB) -->
<perm>1</perm>
</item>
<item>
<prop>D_UserMailbox</prop> <!-- User Mailbox size (kB) -->
<perm>1</perm>
</item>
<item>
<prop>D_UserMB</prop> <!-- User send out data limit (MB/day) -->
<perm>1</perm>
</item>
<item>
<prop>D_UserNumber</prop> <!-- User send out messages limit (#/day) -->
<perm>1</perm>
</item>
<item>
<prop>D_UserMsg</prop> <!-- User max message size (kb) -->
<perm>1</perm>
</item>
</domainrelatedpermissions>
</domainsadministrativepermissions>
</item>
</domainspermissions>
<globalpermissions>
The tag <globalpermission> is used to describe global server properties. This feature is should be applied to administrator with full rights.
For example main administrator would like to restrict the right of another full administrator ability to change the language of server (server language is used for localization of general messages, like conference info).
<globalpermissions>
<item>
<prop>C_Date</prop>
<perm>0</perm>
</item>
<item>
<prop>C_ConfigPath</prop>
<perm>0</perm>
</item>
<item>
<prop>C_InstallPath</prop>
<perm>0</perm>
</item>
<item>
<prop>C_System_Server_language</prop>
<perm>1</perm>
</item>
<item>
<prop>C_License</prop>
<perm>0</perm>
</item>
</globalpermissions>
The above example restrict to full administrator to see the date, install path and the license of the server, as you can see in tag <perm> the value is 0, what mean no rights. The variable C_System_Server_language has permission 1 in tag <perm>, what mean Read only, this feature will be available for administrator in API console from Web-Admin, but he will have no access to write.
Also there is a way how to disable all options. In case of next configuration only the options defined in adminperm.data with permissions 1 or 2 will have different rights, all remaining will have permissions 0
<globalpermissions>
<item>
<prop>V_AllOptions</prop>
<perm>0</perm>
</item>
</globalpermissions>
Compatibility with the previous version of WebAdmin
The administration console of the version 11.3 still offers the GUI to manage the domain administrator's rights. This method of managing access rights is deprecated starting with version 11.3 of IceWarp Server and the usage of adminperm.dat is strongly recommended. The basic structure of the file domain.dat is presented here because the new WebAdmin still respects part of this file as explained below.
Go to server administrative console – <user> – Options tab – Permissions (– Domain Administrator) – Rights button. The Domain Admin Rights dialog opens. Select the categories the domain administrator is allowed to manage.
Clicking the Advanced button (within the Domain Admin Rights dialog) opens the domain.dat file. The full pathname of the domain.dat file is: IceWarp/mail/{domain_name}/{domain_account}/domain.dat
This file domain.dat has three types of directives:
- A directive "RIGHTS=" which is pre-filled with the choice made in the Domain Admin Rights dialog. The explanation of the value of this directive is :
- U - User accounts / G - Group accounts / M - Mailing list accounts / O - Resource accounts / L - List server accounts /
- E - Executable accounts / R - Remote accounts / S - Static routes / N - Notification accounts / C - Catalog / V - Disable mailbox view / Q - Manage domain Quarantine
- List of domains the domain administrator is eligible to maintain (one domain per line)
- Options to allow/restrict access to certain properties by displaying/hiding these properties in the old WebAdmin interface
Out of these three directive types, only the first two types (RIGHTS and list of managed domains) are still respected by the new WebAdmin.
If a right or a domain is not specified in the file adminperm.dat (current way of managing rights), it is read from the file domain.dat (old way of managing rights). We strongly recommend all administrators to use only the file adminperm.dat.
The third type of directive (OPTION) will have no effect in the new WebAdmin. They are applied only in the old WebAdmin.
Comments
0 comments
Please sign in to leave a comment.