Can ZXadmin for a domain be prevented from adding users?
Results 1 to 8 of 8

Thread: Can ZXadmin for a domain be prevented from adding users?

  1. #1
    Active Member ZeXtras Reseller
    Join Date
    Aug 2013
    Posts
    17

    Can ZXadmin for a domain be prevented from adding users?

    We have enabled admin permissions through the ZX admin module for some domains. Edit features and Delegated auth are disabled.

    But, the module seems to also give permissions to 'Add Accounts' and we found that they added dozens of users, effectively bypassing our billing systems and creating a lot of confusion. We didn't get any notifications about the new accounts, either.

    Now, it's not clear to me if the 'Add account' function is coming from the ZX admin module or is already there in Zimbra OS. Whatever, I would like to know the following:
    • Is there a way to give an admin user the ability to just change/reset passwords and quotas without being able to add new accounts?
    • Is there a way to have a notification sent to the server admin when a new account is created on any domain?


    Thanks in advance.

  2. #2
    CTO ZeXtras Employee d0s0n's Avatar
    Join Date
    Apr 2011
    Posts
    565
    Hi zimaster,

    the "Add account" function is a default right for a junior admin, but you can limit it by configuring the domain limits.

    About the notification on adding an account, feel free to add an RFE on our bugzilla, it can be very usefull, but now this feature is not available yet (there is only a monthly report by mail).

    In any case, I suggest you take a look at the ZxAdmin guide.

    Have a nice day.
    D0s0n
    ZeXtras Website # ZeXtras Wiki # ZeXtras Store

    Head of ZeXtras System Administrators

  3. #3
    Active Member ZeXtras Reseller
    Join Date
    Aug 2013
    Posts
    17
    Quote Originally Posted by d0s0n View Post
    the "Add account" function is a default right for a junior admin, but you can limit it by configuring the domain limits.
    Hi d0s0n,

    Thanks for your response, but I think I didn't communicate clearly.

    The junior admins are already restricted to a specific domain - in fact, we are basically assigning admin permissions to a specific user in each domain. So, the accounts they add are only within that particular domain.

    However, we would like to be able to restrict even that for the reason mentioned in my original post - that is, prevent them from bypassing our billing systems as we charge per mailbox.

  4. #4
    CTO ZeXtras Employee d0s0n's Avatar
    Join Date
    Apr 2011
    Posts
    565
    But have set the "Global Account Limit" (The maximum number of accounts that can be created on this domain)?
    None admin (neither the global one) can exceed the limit...

    D0s0n
    ZeXtras Website # ZeXtras Wiki # ZeXtras Store

    Head of ZeXtras System Administrators

  5. #5
    Active Member ZeXtras Reseller
    Join Date
    Aug 2013
    Posts
    17
    Ah, thanks! I totally missed that one.

    But, here's the strange thing. Zimbra (or is it Zextras) seems to treat aliases as accounts! I used my own domain to test this and was astonished to see the number of accounts as 25 when it actually has only 6 mail boxes.

    Aliases are normal things that many users will want to create. So, how can I ever anticipate the total 'accounts' to set the domain limits? If I set it to the actual number of mailboxes, my customers won't be able to add aliases on their own. Instead, for each alias they want to create, they have to contact us and we have to ask them the exact number of aliases they want and then add those to the domain accounts limit.

    If this is how it works, I am kind of surprised that an Enterprise email system like Zimbra handles aliases and accounts in such a weird manner.

    Or, am I missing something?

    Update: Okay, I got this sorted out. Although the Zimbra admin UI shows 25 as the total number of accounts (when double-clicking the domain name), one can't really add a new account once a domain limit has been set through the ZXadmin UI. In my case, I set the limit to 7. I could still see the 'Add Account' link, but when I clicked it and tried to add a new user, I got a message saying all accounts had been used up.

    I still think the UI (Zimbra or Zextras, I am not sure) could be improved. For example, why even show the 'Add Account' link when the admin has set a global account limit and that limit has been reached?

    Anyway, many thanks d0s0n and you have helped me figure out an annoying issue that was causing us a lot of confusion.
    Last edited by zimaster; 03-09-2014 at 06:21 PM. Reason: corrections

  6. #6
    Senior Member
    Join Date
    Oct 2013
    Posts
    70
    Quote Originally Posted by zimaster View Post
    • Is there a way to give an admin user the ability to just change/reset passwords and quotas without being able to add new accounts?
    After you use ZxAdmin to delegate privs using the GUI, use zmprov on command line to grant the not createAccount privilege to the user!
    Code:
    zmprov grr domain domain.int usr zimbra1@domain.int -createAccount
    You can view the grants like this
    Code:
    zmprov gg -t domain domain.int -g usr zimbra1@domain.int
    target type  target id                            target name                    grantee type grantee id                           grantee name                   right
    ------------ ------------------------------------ ------------------------------ ------------ ------------------------------------ ------------------------------ --------------------
    domain       590ed111-89cb-4680-93a9-0be7aa9625fa domain.int                    usr          f477c0a4-c7e2-4feb-a443-4bf60cbf0043 zimbra1@domain.int            -domainAdminConsoleAccountsFeaturesTabRights
    domain       590ed111-89cb-4680-93a9-0be7aa9625fa domain.int                    usr          f477c0a4-c7e2-4feb-a443-4bf60cbf0043 zimbra1@domain.int            viewAdminSavedSearch
    domain       590ed111-89cb-4680-93a9-0be7aa9625fa domain.int                    usr          f477c0a4-c7e2-4feb-a443-4bf60cbf0043 zimbra1@domain.int            -createAccount
    domain       590ed111-89cb-4680-93a9-0be7aa9625fa domain.int                    usr          f477c0a4-c7e2-4feb-a443-4bf60cbf0043 zimbra1@domain.int            setAdminSavedSearch
    domain       590ed111-89cb-4680-93a9-0be7aa9625fa domain.int                    usr          f477c0a4-c7e2-4feb-a443-4bf60cbf0043 zimbra1@domain.int            -adminLoginAs
    domain       590ed111-89cb-4680-93a9-0be7aa9625fa domain.int                    usr          f477c0a4-c7e2-4feb-a443-4bf60cbf0043 zimbra1@domain.int            domainAdminRights
    You may need to wait a few minutes and/or logout-login, or flush the cache with "zmprov fc all" in order to see the results.

  7. #7
    ZeXtras Community Manager ZeXtras Employee Cine's Avatar
    Join Date
    Apr 2011
    Posts
    2,342
    Hello everybody!

    Thank you stsimb for the nice tip

    However, I must add that rights applied manually might be lost when editing the Delegation Settings for the account or the Domain Limits for any domain managed by that user via ZeXtras Admin, as in order to maintain a functional grant set the module can overwrite any custom setting.

    I'll open an internal RFE about adding control over the "createAccount" right (as well as some other ones) and submit it to the R&D team...

    Have a nice day,
    Cine
    the ZeXtras Team
    IT Support Team Contact Form
    Sales Team Contact Form

    ZeXtras Website
    # ZeXtras Wiki # ZeXtras Store

    Have ZeXtras Suite or ZeXtras Migration Tool been helpful to you?
    Share your experience in the Zimbra Gallery!

    ZeXtras Suite on the Zimbra Gallery
    ZeXtras Migration Tool on the Zimbra Gallery

  8. #8
    Senior Member
    Join Date
    Oct 2013
    Posts
    70
    Quote Originally Posted by Cine View Post
    I'll open an internal RFE about adding control over the "createAccount" right (as well as some other ones) and submit it to the R&D team...
    Thanks for this Cine!

    It would also be nice if a delegated admin could choose the zimbraMailHost or a new account in a multiserver installation.
    If I create a new account now as a delegated admin, you don't have this option, only a full admin can choose backend server.
    A workaround would probably be to create a different CoS for each backend server, but that would be polution of CoSs and extra work to keep them in sync..

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •