-----------------------------
urn:zimbraAdmin
-----------------------------
----------------------------------------------------------
Grant a right on a target to an individual or group grantee.
{target-name-or-id}
{grantee-name-or-id}
{right}
{target-type} = account | calresource | dl | domain | cos | server | xmppcomponent | zimlet | config | global
{target-by} = name | id
{grantee-type} = usr | grp | all | dom | gst | key | pub
all: user right only
dom: user right only unless the right is crossDomainAdmin
gst: user right only
key: user right only
pub: user right only
{grantee-by} = name | id
{secret} : for user right only
password for guest grantee or the access key for key grantee
{deny} = 1 | 0(default)
{canDelegate} = 1 | 0(default)
{disinheritSubGroups} = 1 | 0(default)
{subDomain} = 1 | 0(default)
{right} = {right-name} | {inline-right}
{right-name} = a system defined right name
{inline-right} = {op}.{target-type}.{attr-name}
{op} = set | get
{attr-name} = a valid attribute name on the specified target type
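
The grantee-type and {right} rules above can be checked before a grant is sent. The following Python is an added example, not code from Zimbra: lint_grant and parse_right are hypothetical helper names, and the caller is assumed to supply the right class (ADMIN or USER) taken from the right's definition.

```python
import re

# Value sets copied from the grammar above.
TARGET_TYPES = {"account", "calresource", "dl", "domain", "cos", "server",
                "xmppcomponent", "zimlet", "config", "global"}
GRANTEE_TYPES = {"usr", "grp", "all", "dom", "gst", "key", "pub"}
USER_RIGHT_ONLY = {"all", "gst", "key", "pub"}   # "user right only" grantees
SECRET_GRANTEES = {"gst", "key"}                 # guest password / access key
FLAGS = ("deny", "canDelegate", "disinheritSubGroups", "subDomain")
# Assumption: attribute names consist of letters, digits and hyphens.
INLINE = re.compile(r"^(set|get)\.([A-Za-z]+)\.([A-Za-z][A-Za-z0-9-]*)$")

def parse_right(right):
    """Return ('inline', op, target_type, attr) or ('named', right_name)."""
    m = INLINE.match(right)
    if m:
        if m.group(2) not in TARGET_TYPES:
            raise ValueError(f"unknown target type in inline right: {right}")
        return ("inline",) + m.groups()
    # Assumption: system right names contain no dots.
    if "." in right or not right:
        raise ValueError(f"malformed right: {right!r}")
    return ("named", right)

def lint_grant(target_type, grantee_type, right, right_class, secret=None, **flags):
    """Return a list of rule violations; an empty list means well formed."""
    problems = []
    if target_type not in TARGET_TYPES:
        problems.append(f"bad target-type {target_type!r}")
    if grantee_type not in GRANTEE_TYPES:
        problems.append(f"bad grantee-type {grantee_type!r}")
    try:
        parse_right(right)
    except ValueError as exc:
        problems.append(str(exc))
    is_user = right_class == "USER"
    if grantee_type in USER_RIGHT_ONLY and not is_user:
        problems.append(f"grantee-type {grantee_type} accepts user rights only")
    if grantee_type == "dom" and not is_user and right != "crossDomainAdmin":
        problems.append("grantee-type dom accepts user rights or crossDomainAdmin only")
    if secret is not None and not is_user:
        problems.append("secret is for user rights only")
    if secret is not None and grantee_type not in SECRET_GRANTEES:
        problems.append("secret applies to gst or key grantees")
    for name, value in flags.items():
        if name not in FLAGS or value not in (0, 1):
            problems.append(f"bad flag {name}={value!r}")
    return problems
```

A non-empty result for an admin right paired with an all, gst, key or pub grantee is the case most worth catching in review, since those grantee types are limited to user rights.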
----------------------------------------------------------
Revoke a right from a target that was previously granted to
an individual or group grantee.
{target-name-or-id}
{grantee-name-or-id}
{right-name}
----------------------------------------------------------
Check if a principal has the specified right on target.
{target-name-or-id}
{grantee-name-or-id}
{right-name}
[
...+
]
{right-name}: right name
must be a preset, getAttrs, or setAttrs right; it cannot be a combo right.
If right is a setAttrs right, an attr/value map can be provided
in , which contains the attrs/values that are attempted to
be modified. If one of the values to be modified violates one of
the constraints for the attributes, the result in CheckRightResponse
will be allow="0". If the attr/value map is not provided, the system will just
check if all attributes defined by the setAttrs right are allowed,
without taking into account any constraint.
[
{target-name-or-id}
{grantee-name-or-id}
{right-name}
]
A successful return means the principal specified by the is allowed
for the specified right on the target object.
If PERM_DENIED is thrown, it means the authed user does not have privilege
to run this SOAP command (has to be an admin because this command is in the admin namespace).
Result of CheckRightRequest is in the allow="1|0" attribute in CheckRightResponse.
in the CheckRightResponse is the grant that decisively
led to the result.
e.g. if a combo right C containing renameAccount is granted to group G on domain D, and
admin A is in group G, then
by="name">user1@D
admin@D
renameAccount
will return:
D
G
C
Note, is optional. If the right of interest is not granted at all, there will be no
in the response. Also, will probably be hairy for rights that modify/get
selective attrs; it may not be returned for those rights. TBD...
e.g.
by="name">user1@D
admin@D
configureQuota
100000
80
----------------------------------------------------------
Returns all grants on the specified target entry, or all grants
granted to the specified grantee entry.
The authenticated admin must have an effective "viewGrants" (TBD) system
right on the specified target/grantee.
At least one of or must be specified.
If both and are specified, only grants that are granted
on the target to the grantee are returned.
[{target-name-or-id}]
[{grantee-name-or-id} all={0|1(default)}]
all = whether to include grants granted to groups the specified grantee belongs to.
1: include (default)
0: do not include
{target-name-or-id}
{grantee-name-or-id}
{right}
+
----------------------------------------------------------
Returns *effective* *admin* rights the authenticated admin has on the specified target entry.
Effective rights are the rights the admin is actually allowed. It is the net result of
applying ACL checking rules given the target and grantee. Specifically denied rights
will *not* be returned.
The result can help the admin console decide on what tabs to display after a target
is selected. For example, after user1 is selected, if the admin does not have right
to setPassword, it should probably hide or gray out the setPassword tab.
{target-name-or-id}
[{grantee-name-or-id}]
if is omitted, it means the account identified by the auth token.
{expand-all-attrs} : whether to include all attribute names in the / elements in
GetEffectiveRightsResponse if all attributes of the target are gettable/settable
comma separated values of "getAttrs", "setAttrs"
e.g. getAttrs - expand attrs in getAttrs in GetEffectiveRightsResponse
setAttrs - expand attrs in setAttrs in GetEffectiveRightsResponse
getAttrs,setAttrs - expand attrs in both getAttrs and setAttrs in GetEffectiveRightsResponse
- when all="1" in setAttrs/getAttrs in GetEffectiveRightsResponse:
0: do not expand attributes
1: expand all attributes
- when all is not present or is 0 in setAttrs/getAttrs in GetEffectiveRightsResponse:
value of {whether-to-expand-all-attrs} does not apply. Allowed attributes are always
returned in setAttrs/getAttrs in GetEffectiveRightsResponse.
+
[
...+
]
[
[{min}]
[{max}]
[
...+
]
]
+
[
...+
]
+
: all effective system rights
- getAttrs/setAttrs rights will not appear in the list because they will be
expanded to a list of attributes that can be get/set, which appear in the
and elements in the response.
- Combo rights will not appear in the list because they will be expanded to
system rights and/or a set of attributes that can be get/set.
: all attrs can be set
: all attrs can be get
{all} : 0(default) | 1
1 - all attributes on the target entry are accessible
if 1, no elements will appear under the /
: inherited default value (or values if the attribute is multi-valued)
e.g.
bba95d7d-0b13-401f-a343-03a8f5a96f7c"/>
admin@test.com
...
...
----------------------------------------------------------
Returns attributes, with defaults and constraints if any, that can be set by the authed admin when an
object is created.
GetCreateObjectAttrsRequest returns the equivalent of setAttrs portion of GetEffectiveRightsResponse.
GetCreateObjectAttrsRequest is needed because GetEffectiveRightsRequest requires a target, but when we are
creating an object, the target object does not exist yet.
The result can help the admin console decide on what tabs/attributes to display for creating objects.
[...]
[...]
: required if {target-type} is account/calresource/dl/domain, ignored otherwise
- if {target-type} is account/calresource/dl: this is the domain in which the object will be in.
the domain can be specified by id or by name
- if {target-type} is domain, it is the domain name to be created.
e.g. to create a subdomain named foo.bar.test.com, should pass in foo.bar.test.com.
: optional if {target-type} is account/calresource, ignored otherwise
if missing, default cos of the domain will be used
e.g. 1 creating an account:
test.com
standard
1
3
2
...
e.g. 2 creating a server:
IMAP4rev1
BINARY
...
----------------------------------------------------------
Get all effective *admin* rights.
{grantee-name-or-id}
{right-specifiers}
+
{right-specifiers} =
- if target type is account, calresource, dl: {domained-entries-right-specifiers}
- otherwise: {non-domained-entries-right-specifiers}
{domained-entries-right-specifiers} =
{effective-rights}
[
+
{effective-rights}
]+
[
+
{effective-rights}
]+
{non-domained-entries-right-specifiers} =
{effective-rights}
[
+
{effective-rights}
]+
{effective-rights} =
+
+
+
e.g.
admin1@test.com
...
12h
...
com_zimbra_ymemoticons
com_zimbra_local
...
...
...
...
...
----------------------------------------------------------
Returns the union of the zimbraAdminConsoleUIComponents values on the
specified account/dl entry and that on all admin groups the entry
belongs to.
[...]
[...
]
Note: if neither account nor dl is specified, the authed admin account will
be used as the perspective entry.
...+
{inherited} = 0 | 1
0: set directly on the entry
1: inherited from a group
----------------------------------------------------------
Get definition of a right.
{right-name}
{expand-all-attrs} : whether to include all attribute names in the elements in
GetRightResponse if the right is meant for all attributes
0: default, do not include all attribute names in the elements
1: include all attribute names in the elements
{right-description}
[
[+]
]
[
+
]
{right-name}: right name
{right-type}: getAttrs | setAttrs | combo | preset
{target-type}: if {right-type} is:
- preset: always present (exactly target type)
- getAttrs/setAttrs: always present (comma-separated target types)
- combo: always not present
right-class: right class
ADMIN: admin right
USER: user right
----------------------------------------------------------
Get all system defined rights.
{target-type} : target type on which a right is grantable
e.g. createAccount right is only grantable on domain entries and the globalgrant
entry.
Don't confuse this with "whether a right is executable on a target type".
e.g. the renameAccount right is "executable" on account entries, but it is "grantable"
on account, distribution list, domain, and globalgrant entries.
{expand-all-attrs} : whether to include all attribute names in the elements in
GetRightResponse if the right is meant for all attributes
0: default, do not include all attribute names in the elements
1: include all attribute names in the elements
{right-class} : right class
ADMIN: return admin rights only
USER: return user rights only
ALL: return both admin rights and user rights
{right-description}
[
[+]
]
[
+
]
+
right-class: right class
ADMIN: admin right
USER: user right
See for description of each in the response.
----------------------------------------------------------
Get constraints (zimbraConstraint) for delegated admin on global config or a cos
[+]
type: - if set to config, id and name are ignored
will retrieve constraints on global config
- if set to cos, either id or name has to be specified to identify the cos
None or several attributes can be specified for which constraints are to be returned.
If no attribute is specified, all constraints on the global config/cos will be returned.
If there is no constraint for a requested attribute, element for the attribute
will not appear in the response.
[
[{min}]
[{max}]
[
...+
]
+]
e.g.
524288000
20971520
----------------------------------------------------------
Modify constraint (zimbraConstraint) for delegated admin on global config or a cos
[{min}]
[{max}]
[
...+
]
]
If constraints for an attribute already exist, they will be replaced by the new constraints.
If is an empty element, constraints for the attribute will be removed.