Domain Admin Rights - adminperm.dat
Domain admin right dialog.
See dialog information in Default Admin Rights.
Here you can define the rights for domain administrators. Most options are self-explanatory. (The Restricted privileges option – if checked, the domain administrator in question has rights only to change passwords within the administered domain.)
A full administrator can restrict the rights of other administrators (server and domain) so that they are not able to modify certain properties. Some examples are: the types of accounts that can be managed, the number of accounts that the domain administrator can create, the daily send-out limit for users, or the maximum message size.
The new WebAdmin application enforces these restrictions based on the contents of the file
IceWarp/mail/{domain_name}/{admin_account}/adminperm.dat
This is the recommended way of managing administrators' rights starting with version 11.3 of IceWarp Server.
adminperm.dat File
The server administrator needs to manually edit this file as per the following syntax:
This file contains a serialized permissions object in XML format. It can be used to define the access rights for server administrators and domain administrators. A server administrator should create a file adminperm.dat in the root folder of the administrator account to be managed.
If the file adminperm.dat does not exist in the root folder of an administrator, no restrictions apply: a server administrator has all the rights on all the domains and all the accounts, and a domain administrator has all the rights on his own domain and the accounts therein.
Structure of the adminperm.dat
It contains two tags: <domainspermissions> and <globalpermissions>.
<domainspermissions> defines the permissions for domains and accounts. Each item consists of <domainsset> and <domainsadministrativepermissions>. It is now possible to define for the same administrator (server or domain) different rights for the domains he is allowed to manage.
<domainsset> contains the list of domains that the administrator is able to manage. Each item consists of a domain mask and a negate parameter. The mask should contain a domain name. Wildcards * and ? are accepted. The parameter <negate>, when set to 1, means that the particular domain is explicitly removed from the list of managed domains of this administrator.
Example
This example illustrates a case where the administrator (server or domain) can manage all domains except those starting with IceWarp.
Example
This example illustrates a case where the administrator (server or domain) can manage domain1.com and domain2.com.
Example
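The mask and negate semantics described above, as an added Python sketch for reviewing which domains an administrator's <domainsset> actually covers. It is not IceWarp code and does not parse the XML file: entries are given as (mask, negate) pairs, and it assumes that matching is case-insensitive and that a matching negated entry always excludes the domain. The function names and the sample inventory are hypothetical.

```python
import re

def mask_to_regex(mask):
    """Compile a domain mask; only * and ? are wildcards, the rest is literal."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: domain names compare case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE)

def is_managed(domain, entries):
    """entries: (mask, negate) pairs taken from one <domainsset>."""
    allowed = False
    for mask, negate in entries:
        if mask_to_regex(mask).fullmatch(domain):
            if negate:
                # Assumption: a matching negated entry always excludes the domain.
                return False
            allowed = True
    return allowed

def managed_domains(inventory, entries):
    """Return the domains from inventory that fall inside the administrator's scope."""
    return [d for d in inventory if is_managed(d, entries)]

# Constructed sample data mirroring the two cases described above.
ALL_BUT_ICEWARP = [("*", 0), ("IceWarp*", 1)]
TWO_DOMAINS = [("domain1.com", 0), ("domain2.com", 0)]
INVENTORY = ["domain1.com", "domain2.com", "IceWarp.example",
             "icewarp-test.example", "shop.example"]

if __name__ == "__main__":
    for label, entries in (("all but IceWarp*", ALL_BUT_ICEWARP),
                           ("two domains", TWO_DOMAINS)):
        print(label, "->", managed_domains(INVENTORY, entries))
```

Running the scope check against the real domain inventory before deploying a file shows whether a broad mask such as * grants more than intended.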
<domainsadministrativepermissions> indicates the permissions on the properties of the allowed domains and accounts (as defined in domainsset).
The example above has new tags, such as <prop> and <perm>.
The property tag (<prop>) refers to the variables from apiconst.pas (\install_dir\api\delphi\apiconst.pas).
The permission tag (<perm>) indicates the administrator's rights. They are separated by levels of access (read and write, read only, no rights). The tag <perm> can contain only a number from the set (0, 1, 2):
0 - no rights
1 - read only
2 - full rights (read, write)
API variables in the apiconst.pas file are also divided into 3 groups: variables related to server administrator, domain administrator and user configuration. Variables starting with C_ relate to the configuration of global permissions, e.g. server system configuration (described a few lines below). Variables starting with D_ apply only to the configuration of the domains stated in <domainsset>. Variables starting with U_ relate to the configuration of accounts.
Example
How to hide user and domain quotas and limits, the account aliases list, and the ability to add/remove copies for incoming/outgoing email addresses:
The tag <globalpermissions> is used to describe global server properties.
This file can be placed:
- within the <install_dir>/config/ folder – in this case, it specifies rights and other settings for all domain administrators on the server
- within the <install_dir>/mail/<domain>/<user>/ folder – in this case, it specifies rights and other settings for this specific user – domain administrator.