Bulletin Board ACL not working in SWA and CLI

Discuss Scalix Management Services (formerly Scalix Admin Console)

Moderator: ScalixSupport

jsauer

Post by jsauer » Thu Mar 27, 2008 3:35 pm

Hi,
It seems I am becoming a frequent poster in this forum :-(

Let's come to the point(s) though.

Requirements:
We wanted to create public folders, one for each department.
As users have never worked with Scalix or any other corporate email system, we as administrators wanted to do the job. After creation of the folder, we want to change permissions and ownership so that administrators will have no access to any of the public folders created anymore. Ownership should be moved over to some staff of the respective department.

The SAC Approach Failure:
First try was to create the public folder as sxadmin in SAC.
The following steps had been taken:
    Log into webmail as sxadmin
    Create public folder
    Create some subfolders
    Change permission of top most folder
      Scalix Administrators role none
      Default role none
      Add special user from department: role owner
    logout as sxadmin and log in as new owner of public folder
    Check if it works as expected for the "owner"
    Looks good
    Create some items in the structure
    Looks good
    log out and log in as sxadmin again
    check access
    still there! Full access :-(
    Cross check permissions in SWA. NONE
    log into shell
    run omshowacl -t bulletin -l ":folder name"
    Output looks correct:

      User all permissions including owner
      Scalix Administrators none
      Default none
      Local Users none
    So what is the problem :?
    check omlistbbs
    get the folder with owner sxadmin :!:
    Seems to be the problem :idea:

CLI Failure:
OK, checked and configured things with the CLI

    Code:

    omaddbb -s "FolderName"
    omlistbbs
    :arrow: No owner! OK? Just ignored!

    Code:

    omshowacl -t bulletin -l ":FolderName"

    :arrow: Default and Scalix Administrators have rights

    Code:

    omaddacln -t bulletin -l ":FolderName" -n "S=First/G+Last/OU1=scalix/CN=First Last" -c +create +read +subfolder +editall +deleteall +owner +visible

    Check things in SWA, looks good for new "owner"
    Now remove access rights for Default and Scalix Administrators

    Code:

    ommodacln -t bulletin -l ":FolderName" -g "Scalix Administrators" -c -create -read -subfolder -editall -deleteall -owner -visible

    Code:

    ommodacln -t bulletin -l ":FolderName" -g "Default" -c -create -read -editown -deleteown -visible

    Check things in SWA
      Can see content of folder but not create / change things as "owner"
      No access to Folder Permissions
      Suddenly the folder disappears for "owner"; no way to get it back into display, even by resetting permissions for Default and Scalix Administrators with ommodacln
      Log in as sxadmin (permissions fully removed through CLI)
      Folder visible
      Content items can be browsed and read
      Try to open Folder Permissions, No access rights
      You do not have the sufficient permissions to view this folders access control list

      Code:

      ommodacln -t bulletin -l ":FolderName" -g "Scalix Administrators" -c +create +read +subfolder +editall +deleteall +owner +visible

      Try to open Folder permissions
      Get Error Message
      A6 NO MYRIGHTS failure....

      After confirming this error
      You do not have the sufficient permissions to view this folders access control list

      cross check with
      omshowacl
      All permissions set for Scalix Administrators


Does anybody have an idea how to solve this?
I checked the logs, no error reports at all.
I searched the forum already. Some people complained / wondered about the no owner if they use CLI omaddbb but no solution / response from Scalix!

I get the impression that the development of SWA and CLI are not synchronized anymore. Meaning you do things with one tool and some things work, you do it with the other and some things work, but the results are not the same, sometimes incompatible and always frustrating to deal with! :x

System setup is still (as in my omaddu post from two days ago)
OpenSuse 10.2 base text installation
All dependent packages for Scalix and VMWare tools
fully updated
and Scalix SBE 11.3.0U1

Hope somebody can help on this one!

Regards
Joerg

PS: And I do not want to try if it works with Outlook! It is a Scalix product and not a M$ one so it should work with their tools!
But maybe Scalix can provide me with an Outlook license then I might give it a try :lol:

jsauer

Post by jsauer » Thu Mar 27, 2008 4:00 pm

Before someone comes and says don't do it with sxadmin, I did it with SWA and an ordinary premium user account.

Create folder
Edit permission
Add new owner and assign owner role
revoke all permissions for Default and Local Users
Admins was not accepted! When I wanted to change to none, just deleteall was changed into deleteown and all the other permissions stayed as they were before :-(

No problem, CLI, revoked all permissions with CLI ommodacln for Scalix Administrators.
Voila sxadmin no access at all anymore, but still visible, meaning listed in public folders. No items shown though. Not perfect but OK

Next try with original creator. As expected after my experiences still full access :-(

omlistbbs -> creator still owner
omshowacln -> new user "owner" has caps owner.

Conclusion: owner and owner is not the same. I guess managed in different locations and as they are not synced BUG!

No way to change the owner listed in omlistbbs :!: :?: :!: :?: :roll:

Now it's your turn, (pray) please (pray)
Joerg

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Post by Valerion » Fri Mar 28, 2008 3:33 am

Removing permissions for the Administrators is a bad idea. Trust me on this. Sooner or later someone is going to want folders moved, items deleted, etc. If a company cannot trust its own netadmins, then there is something seriously wrong.

The "owner" listed in omlistbbs is the person that created the BB. Owner permissions in ommodacln means the user can reconfigure the BB using ommodbb, amongst other things. "DeleteOwn" and "ModifyOwn" means a user can modify/delete his own entries in the BB (entries created by that user), but not necessarily other users' items.

Seems it works better from SWA there than from the command line. To be honest, I prefer using Outlook for this (yeah I know what you are saying) :) But that's personal preference.

Also, the omaddbb manpage has the following warning:

Code:

WARNINGS
       The creator of a Bulletin Board always has full access to it.  You cannot
       remove any access capabilities from the creator of the Bulletin Board.
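
Added example, not part of the thread and not Scalix code: a small Python model of the manpage rule quoted above, showing why a board created as sxadmin stays fully accessible to sxadmin even when the ACL lists "none" for Scalix Administrators, and how to flag boards whose creator holds access the ACL does not show. The record layout, the sample folders and users, and the fallback order (user entry, then groups, then Default) are assumptions of this model; it does not parse real omlistbbs or omshowacl output.

```python
from dataclasses import dataclass, field

# Capability names as they appear in the thread's omaddacln command.
ALL_CAPS = frozenset(
    {"create", "read", "subfolder", "editall", "deleteall", "owner", "visible"}
)

@dataclass
class BulletinBoard:
    name: str
    creator: str  # the "owner" column reported by omlistbbs
    acl: dict = field(default_factory=dict)  # principal -> set of capabilities

def effective_caps(board, user, groups=()):
    """Capabilities a user really holds on a board.

    The creator rule comes from the omaddbb manpage warning. The fallback
    order (user entry, then groups, then Default) is an assumption here.
    """
    if user == board.creator:
        return ALL_CAPS  # cannot be reduced through the ACL
    if user in board.acl:
        return frozenset(board.acl[user])
    from_groups = [board.acl[g] for g in groups if g in board.acl]
    if from_groups:
        return frozenset().union(*from_groups)
    return frozenset(board.acl.get("Default", ()))

def hidden_full_access(boards):
    """Boards whose creator holds full access that the ACL does not show."""
    return [
        (b.name, b.creator)
        for b in boards
        if "owner" not in b.acl.get(b.creator, ())
    ]

# Constructed sample data: two department folders.
SALES = BulletinBoard("Sales", "sxadmin", {
    "First Last": set(ALL_CAPS),
    "Scalix Administrators": set(),
    "Default": set(),
})
HR = BulletinBoard("HR", "First Last", {"First Last": set(ALL_CAPS), "Default": set()})

if __name__ == "__main__":
    admins = ("Scalix Administrators",)
    print(sorted(effective_caps(SALES, "sxadmin", admins)))      # creator keeps everything
    print(sorted(effective_caps(SALES, "other-admin", admins)))  # group ACL applies
    print(hidden_full_access([SALES, HR]))
```

In a real audit the creator would come from omlistbbs and the ACL entries from omshowacl for each board; any board this check flags is one where the permissions dialog understates who can reach the content.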

