Latest revision as of 11:31, 12 January 2009

TB -> TB/TB-2008-10-DA

Delegated Administration

Delegated Administration allows you to delegate certain administrative tasks to specific users using SAC. This enables you to:

• better scale your administrative team by giving you an effective way to add more people to it
• increase overall security and stability of your installation by not allowing every Administrator to edit every detail of your installation
• decrease your reaction time by allowing local administrators to perform certain tasks, e.g. create and delete local users

In hosted scenarios it will allow hosting providers to enable their customers to administer themselves. This will free up the provider from day to day management tasks, and again reduce reaction time for the client company as it does not need to wait for the providers support team but can perform the tasks themselves.

Supported Scenarios

Delegated Administration is supported in the following scenarios:

Small Business Edition 

Single server installation

Enterprise Edition 

Single and Multiple server setups. The latter need a working dirsync/routing configuration between the participating machines and a centralized SAC server.

Hosting Edition 

Single server installation

Please refer to the section Custom Installation in the Installation Guide on how to setup a multiserver environment.

Types of Administrators

The following table gives an overview of the available types of administrators:

Super Administrator

A Super Administrator can use all features provided by SAC.

Server Administrator

A Server Administrator can add, delete or alter Users, Groups and Resources on the mailnode they are created on.

Available Admin Groups

There are four pre-defined Admin Groups available:

ScalixAdmins

Any user part of this group can use all features provided by SAC.

ScalixGroupAdmins

A user who is part of this group is allowed to create, alter and delete Groups.

ScalixUserAdmins

Members of this group can create, alter and delete Users.

ScalixUserAttributeAdmins

Membership in this group enables users to edit information on the Contact Info tab for all other users.

Role constrained Super Administrator

A role constrained Super Administrator has access to SAC features based on the groups they are a member of and are allowed to work on the whole system.

Role constrained Server Administrator

A role constrained Server Administrator is also limited in the features they may use, additionally they can only make changes to the mail node they are created on.

Who can use SAC

All users which have either the above described Server or Super Administrator Privileges or are part of one of the above listed Administrative groups can login to SAC and perform administrative tasks based on their defined privileges.

Examples

Prerequisites

To be able to create Server Administrator you will need to create at least one additional mailnode besides the primary mailnode.

Testing

After creating the users as described in the following sections you need to login to SAC as the newly created user to see and test the various degrees of delegated administration.

Enable Delegated Administration

To enable the Delegated Administration super switch access Settings > Administration > General via SAC:

• Activate the checkbox next to "Check to enable delegated administration"
• Click Save Changes

Creating a Super Administrator

To create a Super Administrator you need to enable the full admin rights for a user created on the primary mail node. Using SAC follow these steps:

• Access Users
• Click on Create User(s)
• Enter the following information in the new dialog:
  • Last Name: superadmin
  • Mailnode: Select the primary mail node
  • Password: Assign a password
  • Click on Finish
• Select the newly created superadmin user in the userlist, and go to the Advanced tab
• Select "Is full administrator"
• Click on Save Changes

Create a Server Administrator

To create a Server Administrator you need to enable the full admin rights for a user created on a Non-Primary mail node. Using SAC follow these steps:

• Access Users
• Click on Create User(s)
• Enter the following information in the new dialog:
  • Last Name: acme
  • Mailnode: Select the ACME mail node
  • Authentication ID: acme@acme.com
  • Password: Assign a password
  • Click on Finish
• Select the newly created acme user in the userlist, and go to the Advanced tab
• Select "Is full administrator"
• Click on Save Changes

Create a role-constrained Super Administrator

To create a role-constrained Super Administrator you need to enable the full admin rights for a user created on a primary mail node. Using SAC follow these steps:

• Access Users
• Click on Create User(s)
• Enter the following information in the new dialog:
  • First Name: Group
  • Last Name: Admin
  • Mailnode: Select the primary mail node
  • Password: Assign a password
• Click on Next twice
• In the Group Membership tab, select ScalixGroupAdmins
• Click on Finish

Create a role-constrained Server Administrator

To create a Server Administrator you need to enable the full admin rights for a user created on a Non-Primary mail node. Using SAC follow these steps:

• Access Users
• Click on Create User(s)
• Enter the following information in the new dialog:
  • First Name: bcme
  • Last Name: users
  • Mailnode: Select the BCME mail node
  • Authentication ID: bcme.users@bcme.com
  • Password: Assign a password
• Click on Next twice
• In the Group Membership tab, select ScalixUserAdmins
• Click on Finish