Can ZXadmin for a domain be prevented from adding users?

[zimaster]

We have enabled admin permissions through the ZX admin module for some domains. Edit features and Delegated auth are disabled.

But, the module seems to also give permissions to 'Add Accounts' and we found that they added dozens of users, effectively bypassing our billing systems and creating a lot of confusion. We didn't get any notifications about the new accounts, either.

Now, it's not clear to me if the 'Add account' function is coming from the ZX admin module or is already there in Zimbra OS. Whatever, I would like to know the following:

• Is there a way to give an admin user the ability to just change/reset passwords and quotas without being able to add new accounts?
• Is there a way to have a notification sent to the server admin when a new account is created on any domain?

Thanks in advance.

[d0s0n]

Hi zimaster,

the "Add account" function is a default right for a junior admin, but you can limit it by configuring the domain limits.

About the notification on adding an account, feel free to add an RFE on our bugzilla, it can be very usefull, but now this feature is not available yet (there is only a monthly report by mail).

In any case, I suggest you take a look at the ZxAdmin guide.

Have a nice day.
D0s0n

[zimaster]

the "Add account" function is a default right for a junior admin, but you can limit it by configuring the domain limits.

Hi d0s0n,

Thanks for your response, but I think I didn't communicate clearly.

The junior admins are already restricted to a specific domain - in fact, we are basically assigning admin permissions to a specific user in each domain. So, the accounts they add are only within that particular domain.

However, we would like to be able to restrict even that for the reason mentioned in my original post - that is, prevent them from bypassing our billing systems as we charge per mailbox.

[d0s0n]

But have set the "Global Account Limit" (The maximum number of accounts that can be created on this domain)?
None admin (neither the global one) can exceed the limit...

D0s0n

[zimaster]

Ah, thanks! I totally missed that one.

But, here's the strange thing. Zimbra (or is it Zextras) seems to treat aliases as accounts! I used my own domain to test this and was astonished to see the number of accounts as 25 when it actually has only 6 mail boxes.

Aliases are normal things that many users will want to create. So, how can I ever anticipate the total 'accounts' to set the domain limits? If I set it to the actual number of mailboxes, my customers won't be able to add aliases on their own. Instead, for each alias they want to create, they have to contact us and we have to ask them the exact number of aliases they want and then add those to the domain accounts limit.

If this is how it works, I am kind of surprised that an Enterprise email system like Zimbra handles aliases and accounts in such a weird manner.

Or, am I missing something?

Update: Okay, I got this sorted out. Although the Zimbra admin UI shows 25 as the total number of accounts (when double-clicking the domain name), one can't really add a new account once a domain limit has been set through the ZXadmin UI. In my case, I set the limit to 7. I could still see the 'Add Account' link, but when I clicked it and tried to add a new user, I got a message saying all accounts had been used up.

I still think the UI (Zimbra or Zextras, I am not sure) could be improved. For example, why even show the 'Add Account' link when the admin has set a global account limit and that limit has been reached?

Anyway, many thanks d0s0n and you have helped me figure out an annoying issue that was causing us a lot of confusion.

[stsimb]

• Is there a way to give an admin user the ability to just change/reset passwords and quotas without being able to add new accounts?

After you use ZxAdmin to delegate privs using the GUI, use zmprov on command line to grant the not createAccount privilege to the user!

Code:

zmprov grr domain domain.int usr zimbra1@domain.int -createAccount

You can view the grants like this

Code:

zmprov gg -t domain domain.int -g usr zimbra1@domain.int
target type  target id                            target name                    grantee type grantee id                           grantee name                   right
------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
domain       590ed111-89cb-4680-93a9-0be7aa9625fa domain.int                    usr          f477c0a4-c7e2-4feb-a443-4bf60cbf0043 zimbra1@domain.int            -domainAdminConsoleAccountsFeaturesTabRights
domain       590ed111-89cb-4680-93a9-0be7aa9625fa domain.int                    usr          f477c0a4-c7e2-4feb-a443-4bf60cbf0043 zimbra1@domain.int            viewAdminSavedSearch
domain       590ed111-89cb-4680-93a9-0be7aa9625fa domain.int                    usr          f477c0a4-c7e2-4feb-a443-4bf60cbf0043 zimbra1@domain.int            -createAccount
domain       590ed111-89cb-4680-93a9-0be7aa9625fa domain.int                    usr          f477c0a4-c7e2-4feb-a443-4bf60cbf0043 zimbra1@domain.int            setAdminSavedSearch
domain       590ed111-89cb-4680-93a9-0be7aa9625fa domain.int                    usr          f477c0a4-c7e2-4feb-a443-4bf60cbf0043 zimbra1@domain.int            -adminLoginAs
domain       590ed111-89cb-4680-93a9-0be7aa9625fa domain.int                    usr          f477c0a4-c7e2-4feb-a443-4bf60cbf0043 zimbra1@domain.int            domainAdminRights

You may need to wait a few minutes and/or logout-login, or flush the cache with "zmprov fc all" in order to see the results.

[Cine]

Hello everybody!

Thank you stsimb for the nice tip

However, I must add that rights applied manually might be lost when editing the Delegation Settings for the account or the Domain Limits for any domain managed by that user via ZeXtras Admin, as in order to maintain a functional grant set the module can overwrite any custom setting.

I'll open an internal RFE about adding control over the "createAccount" right (as well as some other ones) and submit it to the R&D team...

Have a nice day,
Cine
the ZeXtras Team

[stsimb]

I'll open an internal RFE about adding control over the "createAccount" right (as well as some other ones) and submit it to the R&D team...

Thanks for this Cine!

It would also be nice if a delegated admin could choose the zimbraMailHost or a new account in a multiserver installation.
If I create a new account now as a delegated admin, you don't have this option, only a full admin can choose backend server.
A workaround would probably be to create a different CoS for each backend server, but that would be polution of CoSs and extra work to keep them in sync..