Hello Zimbra Customers, Partners & Friends,
Sometimes it’s necessary to delegate administrative tasks in Zimbra. For example, letting your help desk staff do daily tasks like resetting passwords, changing account names, unlocking accounts and creating accounts can really improve your first-line support. Zimbra lets you grant permissions on an account that enable or disable features in the Administrative UI.
Here you’ll learn how to configure an account for a delegated administrator.
Setting It Up
First, decide what access rights to grant delegated administrators. It’s best to do this via a script in a test environment.
Here’s an example to get you started. Using your favorite editor, create a new script at /usr/local/sbin/delegate-admin with the following content:
```bash
#!/bin/bash

# Domain of concern, to be changed
DOMAIN='example.com'

# zmprov has to be run as the zimbra user
WHO=$(whoami)
if [ "$WHO" != "zimbra" ]
then
    echo
    echo "Execute this script as user zimbra (\"su - zimbra\")"
    echo
    exit 1
fi

echo
echo
echo "Zimbra Delegate Admin control"
echo "*************************************************"
echo "Utility to grant/revoke delegated administrators"
echo
echo "Please choose R for revoke or G for grant (RG) or any other key to abort."
read -p "RG: " rg

if [ "$rg" == 'R' ]
then
    echo "Please enter the user name (example: user@example.com) you wish to revoke delegated domain admin rights from."
    read -p "username: " username
    zmprov ma "$username" zimbraIsDelegatedAdminAccount FALSE
elif [ "$rg" == 'G' ]
then
    echo "Please enter the user name (example: user@example.com) you wish to grant delegated domain admin rights."
    read -p "username: " username

    # Mark the account as a delegated admin and add the Admin UI views
    zmprov ma "$username" zimbraIsDelegatedAdminAccount TRUE
    zmprov ma "$username" +zimbraAdminConsoleUIComponents accountListView
    zmprov ma "$username" +zimbraAdminConsoleUIComponents DLListView

    # Rights on accounts in the domain
    zmprov grr domain "$DOMAIN" usr "$username" +listAccount
    zmprov grr domain "$DOMAIN" usr "$username" listDomain
    zmprov grr domain "$DOMAIN" usr "$username" set.account.zimbraAccountStatus
    zmprov grr domain "$DOMAIN" usr "$username" set.account.sn
    zmprov grr domain "$DOMAIN" usr "$username" set.account.displayName

    # Rights on distribution lists in the domain
    zmprov grr domain "$DOMAIN" usr "$username" +addDistributionListMember
    zmprov grr domain "$DOMAIN" usr "$username" +getDistributionListMembership
    zmprov grr domain "$DOMAIN" usr "$username" +getDistributionList
    zmprov grr domain "$DOMAIN" usr "$username" +listDistributionList
    zmprov grr domain "$DOMAIN" usr "$username" +removeDistributionListMember

    # Domain administration rights
    zmprov grr domain "$DOMAIN" usr "$username" domainAdminRights
    zmprov grr domain "$DOMAIN" usr "$username" domainAdminConsoleRights
    zmprov grr domain "$DOMAIN" usr "$username" adminConsoleAliasRights
    zmprov grr domain "$DOMAIN" usr "$username" modifyAccount
    zmprov grr domain "$DOMAIN" usr "$username" countAlias

    # A leading '-' denies the right
    zmprov grr domain "$DOMAIN" usr "$username" -configureAdminUI
    zmprov grr domain "$DOMAIN" usr "$username" -get.account.zimbraAdminConsoleUIComponents
    zmprov grr domain "$DOMAIN" usr "$username" -get.dl.zimbraAdminConsoleUIComponents
    zmprov grr domain "$DOMAIN" usr "$username" -set.account.zimbraIsDelegatedAdminAccount
    zmprov grr domain "$DOMAIN" usr "$username" -set.dl.zimbraIsAdminGroup
else
    echo "Invalid option, abort"
    exit 0
fi

exit 0
```
Change DOMAIN='example.com' to your domain and make the script executable by using:

```bash
chmod +x /usr/local/sbin/delegate-admin
```
Then start using the script as user zimbra:

```bash
sudo su - zimbra
/usr/local/sbin/delegate-admin
```
Select G to start granting access rights and enter the full account name you want to use for the delegated administrator.
Log in using the account on the Admin UI and verify the correct access permissions have been assigned. This script gives permission to do all operations on accounts, distribution lists, etc. but nothing else. A delegated administrator cannot change Global Administrator accounts. In Zimbra, a Global Administrator account has all rights and views in the Admin UI.
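The R branch of the script above only sets zimbraIsDelegatedAdminAccount to FALSE; the rights granted with zmprov grr and the two Admin UI views stay in place. As an added example (not part of the original post), this dry-run helper prints the matching removal commands for review. The function names are hypothetical, and it assumes zmprov rvr takes each right spelled as it was granted, prefix included.

```bash
#!/bin/bash
# Added example, not from the original post: dry-run revoke plan.

# Rights exactly as passed to "zmprov grr" by the G branch of the script.
GRANTED_RIGHTS='+listAccount listDomain set.account.zimbraAccountStatus
set.account.sn set.account.displayName +addDistributionListMember
+getDistributionListMembership +getDistributionList +listDistributionList
+removeDistributionListMember domainAdminRights domainAdminConsoleRights
adminConsoleAliasRights modifyAccount countAlias -configureAdminUI
-get.account.zimbraAdminConsoleUIComponents
-get.dl.zimbraAdminConsoleUIComponents
-set.account.zimbraIsDelegatedAdminAccount -set.dl.zimbraIsAdminGroup'

# Admin views added with "+zimbraAdminConsoleUIComponents" by the G branch.
UI_COMPONENTS='accountListView DLListView'

# Hypothetical helper: accept one local@domain address made only of
# characters that are safe to place on a zmprov command line.
valid_account() {
    case $1 in
        *[!A-Za-z0-9._+@-]*) return 1 ;;  # whitespace, quotes, ';', ...
        *@*@*) return 1 ;;                 # more than one '@'
        ?*@?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hypothetical helper: print, without executing, the commands that undo
# the delegation of ACCOUNT on DOMAIN.
# Assumption: "zmprov rvr" takes each right spelled as it was granted.
revoke_plan() {
    local domain=$1 account=$2 item
    if ! valid_account "$account"; then
        echo "refusing malformed account name" >&2
        return 1
    fi
    printf 'zmprov ma %s zimbraIsDelegatedAdminAccount FALSE\n' "$account"
    for item in $UI_COMPONENTS; do
        printf 'zmprov ma %s -zimbraAdminConsoleUIComponents %s\n' "$account" "$item"
    done
    for item in $GRANTED_RIGHTS; do
        printf 'zmprov rvr domain %s usr %s %s\n' "$domain" "$account" "$item"
    done
}

# Constructed sample values; review the output before running any of it.
revoke_plan 'example.com' 'helpdesk@example.com'
```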
Further Reading
All available rights can be found at:
The available admin views can be found at:
Thanks,
Your Zimbra Team
Hi Barry,
Does this script give more rights than just ticking the box in Account Setup? Global Administrator (ON) for the account we choose.
If you check `Global Administrator` all access rights are granted to the account. A delegated admin created via this blog is meant to have a lot less access.