Delegated Administration

From Scalix Wiki

Administration in Scalix can seem confusing at first, because administration privileges are quite flexible and can be customized to meet the needs of just about any situation. This document explains the various administration options, which include Administrative Roles and Groups. It also takes a quick look at Scalix Administration in a Hosted environment and a Multi-Server Environment.

Scalix Administrative Roles

Scalix has four administrative roles: sxadmin, Scalix Admin, Scalix Admin Groups, and Group Manager. The Scalix Admin Groups role is not a rigidly defined role but rather contains four pre-defined administrative groups which can be used individually or combined for a great deal of flexibility. The various roles and administrative groups are:

  • sxadmin
  • Scalix Admin
  • Scalix Admin Groups
    • ScalixAdmins
    • ScalixGroupAdmins
    • ScalixUserAdmins
    • ScalixUserattributesAdmins
  • Group Manager

sxadmin (The "Super Administrator")

Has full access to everything, including all of the Scalix Admin Console (SAC) tabs and all of the commands from the command line interface (CLI).

Scalix Admin

In the Small Business and Enterprise Editions, the Scalix Admin has full SAC access and limited CLI access. In the Hosted Edition the privileges are slightly curtailed - the section on administration in a Hosted Environment discusses these limitations. To give a person Scalix Admin rights, in the SAC go to the Users icon, select the user, then click on the Advanced tab. Then check the "Is full administrator" box.

FullAdministrator.jpg

To allow a Scalix Admin user CLI access, first create a unix login for the user. Note that useradd's -p option expects an already-encrypted password, as returned by crypt(3), not the plaintext:

# useradd -n -p <password> acme

Then associate the Scalix account with the unix login:

# ommodu -o "Acme Admin" -u acme

Now when the Acme Admin user logs in to the server as "acme" they will be able to run Scalix commands at the command line.

Scalix Administrative Groups

There are four administrative groups. A Scalix user can belong to more than one administrative group. This allows for great flexibility in delegating specific administrative rights to Scalix users.

ScalixAdmin

A member of the ScalixAdmin group can see and use the entire SAC toolbar and all related tabs, features, and options. This differs from the Scalix Admin role because a member of the ScalixAdmin group does not have CLI access. Below are screen shots of the SAC taken from an account that belongs to the ScalixAdmin group. As you can see, all icons are present in the toolbar and the ScalixAdmin group member has the ability to access all areas of the SAC. This includes access to all user and group functions plus full access to Server Info and Settings.

A member of the ScalixAdmin group has access to all toolbar icons, all tabs within each tool, and full functionality of each tab: ScalixAdminUsersAdvanced.jpg

A member of the ScalixAdmin group can monitor, stop, and start services: ScalixAdminServerInfo.jpg

A member of the ScalixAdmins group can also view the event log: ScalixAdminServiceRouterLog.jpg

Members of the ScalixAdmin group can also view the active users: ScalixAdminAcitveUsers.jpg

Members of the ScalixAdmin group can monitor the disk usage of the system: ScalixAdminStorage.jpg

Members of the ScalixAdmin group can also set logging levels, configure local domains, add new license keys, set password format and expiration rules, set system-wide and per-user mailbox limits, configure out-of-office settings, enable SmartCache, activate the Recovery folder, and configure User Name settings.

GroupAdmin

Members of the ScalixGroupAdmins administrative group have limited access to the Users toolbar icon and full access to the Groups toolbar icon in the SAC. They can add and remove users to any group; they do not need to be a manager of the group. GroupAdminGroups.jpg

UserAdmin

A member of the ScalixUserAdmins group can only see the User icon in the toolbar. He does not have access to the "Member of" or "Manager of" tabs, so he cannot administer groups. You can, however, make a user a member of both the UserAdmin and the GroupAdmin administrative groups. A member of the UserAdmin group can create and delete users, create alias mail addresses, change a user's name, update their contact info, set limits on their account size, enable ActiveSync, or change them from Standard to Premium and vice versa.

The UserAdmin member may have a limited feature set on some of the tabs in SAC. For example, in the Advanced tab he can change the authid or grant a user full (Premium) or limited (Standard) account privileges. He cannot make another user a full administrator, lock accounts, disable SWA, or enable SmartCache or SIS indexing. Compare this screenshot to the screenshot of the ScalixAdmin member's Advanced tab in the Users tool earlier in this document. UserAdminAdvanced.jpg

UserAttributes

A person who is a member of the ScalixUserAttributes group can change passwords, change the user name, add email addresses, and update contact information. He cannot set limits on the user's account size or change their authid. UserAttributesGeneral.jpg

Assigning a User to an Administrative Group

You must either be sxadmin or a user on the primary mailnode with ScalixAdmin membership or Full Administrator privileges to assign a user to an Administrative Group. In the SAC, select the Users icon in the toolbar, then select the user you wish to add to an administrative group. Click the "Member of" tab and filter groups to show All groups. Then check the administrative group(s) to which this member should belong. AdminGroupAssignment.jpg
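Before ticking boxes in the "Member of" tab, it helps to work out the narrowest combination of administrative groups that covers a person's duties. The following is an added example, not part of the original page or of Scalix: it models only the capabilities the group descriptions above explicitly name, the task labels are invented for the example, and the sample assignments are constructed.

```python
from itertools import combinations

# Capability sets transcribed from the group descriptions on this page.
# Task labels are invented for this example; the model is simplified.
USER_ATTR = {"change_password", "change_user_name", "add_email_address",
             "update_contact_info"}
USER_ADMIN = {"create_user", "delete_user", "add_email_address",
              "change_user_name", "update_contact_info", "set_mailbox_limit",
              "enable_activesync", "change_account_type", "change_authid"}
GROUP_ADMIN = {"manage_groups"}
SAC_ONLY = {"start_stop_services", "view_event_log", "set_password_rules",
            "grant_full_admin", "lock_account"}
GROUPS = {
    "ScalixUserattributesAdmins": USER_ATTR,
    "ScalixUserAdmins": USER_ADMIN,
    "ScalixGroupAdmins": GROUP_ADMIN,
    "ScalixAdmins": USER_ATTR | USER_ADMIN | GROUP_ADMIN | SAC_ONLY,
}

def granted(groups):
    """Union of capabilities conferred by a set of group memberships."""
    return set().union(*(GROUPS[g] for g in groups))

def narrowest(needed):
    """Return (groups, surplus): the combination covering `needed` that
    grants the fewest capabilities beyond it (ties: fewer groups)."""
    needed, best = set(needed), None
    for r in range(1, len(GROUPS) + 1):
        for combo in combinations(sorted(GROUPS), r):
            surplus = granted(combo) - needed
            if needed <= granted(combo) and (best is None or len(surplus) < len(best[1])):
                best = (set(combo), surplus)
    if best is None:  # e.g. CLI access, which no admin group confers
        raise ValueError(f"no admin group grants: {sorted(needed - granted(GROUPS))}")
    return best

def audit(assignments, duties):
    """Map each over-privileged user to the narrower groups that suffice."""
    findings = {}
    for user, groups in assignments.items():
        rec, rec_surplus = narrowest(duties[user])
        if len(granted(groups) - set(duties[user])) > len(rec_surplus):
            findings[user] = rec
    return findings

# Constructed sample data: current SAC memberships and each person's duties.
ASSIGNED = {"helpdesk1": {"ScalixAdmins"}, "hr1": {"ScalixUserAdmins"}}
DUTIES = {"helpdesk1": {"change_password"}, "hr1": {"create_user", "delete_user"}}

if __name__ == "__main__":
    print(audit(ASSIGNED, DUTIES))
```

Here the help-desk account that only resets passwords is flagged because ScalixUserattributesAdmins would suffice, while the HR account is left alone.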

Group Manager

Can use the SAC to add or remove users from a group (PDL) to which they have been assigned a management role. A Group Manager differs from a member of the ScalixGroupAdmins group in that a Group Manager can only manage groups for which they've been given the Manager role. Furthermore, they cannot create new groups, only manage existing groups. GroupManager.jpg

To allow a user to perform the Group Manager role, log in to SAC and click the User icon in the toolbar. Select the user from the list, go to the "Manager of" tab, filter by All groups, and select which group(s) you would like the user to manage. GroupManagerAssign.jpg

Administration in Hosted Edition

In the hosted edition, only the sxadmin user has access to all mailnodes. The Scalix Admins only have access to users, groups, and resources on their own mailnode. They cannot run any plugins. The Hosted Edition is well suited for a company that provides Software as a Service (SaaS) to smaller companies who have a need for email and desire to manage their own users and groups but do not want the expense of dedicated hardware and a trained staff. The SaaS provider would utilize the sxadmin account, and each hosted tenant would use a Scalix Admin account to manage their own users and groups.

The Hosted Edition is also a logical choice for organizations that include functionally separate entities, such as educational institutions. In an educational environment, each school can manage their own student and faculty accounts and groups while the overall policies such as password rules and mailbox limits are managed centrally. In this type of scenario, the sxadmin account would be utilized by the board of education, while each school would have a Scalix Admin account for administering their own mailnode.

In Hosted Edition, the Scalix Admin can list the services but not stop or start them; they cannot view the event log. ScalixAdminServerInfoHosted.jpg

When a hosted Scalix Admin views the list of active users, they see only the users on their mailnode. Other active users are not listed. The following two screenshots were taken at the same time from the same Hosted Edition server, but from Scalix Admins logged into two different hosted nodes. ScalixAdminActiveUsersRospo.jpg

ScalixAdminActiveUsersAcme.jpg

Similarly, the storage tab shows the total space available and used on the server, but only lists users on the hosted mailnode to which the Scalix Admin belongs. ScalixAdminStorageRospo.jpg

ScalixAdminStorageAcme.jpg

Administration in a Multi-Server Environment

In a Multi-Server environment, the administrators can manage multiple servers from one SAC. Here you can see a member of the UserAdmin group preparing to filter the users by server. UserAdminMulti.jpg

The sxadmin setting password rules for one of the hosts in the multi-server environment: SxadminSettingsMulti.jpg

A member of the ScalixAdmin group can stop and start services on any server in the multi-server environment. The lists in the left hand pane can be expanded or collapsed to make management of multiple servers easier. ScalixAdminServicesMulti.jpg

Administrative Activities Table

The table below lists the more common administrative activities and shows who can perform them. AdminChart.jpg