79.2 Assigning Rights Based on Administration Responsibilities

Making a GroupWise administrator an Admin equivalent in eDirectory gives the GroupWise administrator all eDirectory rights required to administer GroupWise. It will also give him or her full file system rights to servers that have associated objects in eDirectory. To increase security or to support a distributed administration model, you can restrict GroupWise administrators’ file system and eDirectory rights to only those required to administer GroupWise and assign rights to your GroupWise administrators based on their administration responsibilities. For example,

The following two sections, Section 79.2.1, File System Rights and Section 79.2.2, eDirectory Rights, provide general information about the file system rights and eDirectory object and property rights needed to perform GroupWise administration tasks.

The final section, Section 79.2.3, Common Types of GroupWise Administrators, lists some common types of GroupWise administrators (for example, Domain administrator and Post Office administrator) and the specific file system and eDirectory rights they need.

79.2.1 File System Rights

A GroupWise administrator must have an account (or security equivalence) that provides the following rights to the directories listed below:

Table 79-1 GroupWise Administrator Rights

Directory: Any GroupWise system directory the administrator is responsible for. This includes:

  • domain directories
  • post office directories
  • software distribution directories
  • library storage area directories

NetWare Rights: Read, Write, Create, Erase, Modify, File Scan, Access Control

Windows Permissions: Full Control

Directory: Any directory in which the GroupWise agents are installed.

For NetWare, the default directory is sys:\system.

For Windows, the default agent subdirectories are located under c:\Program Files\Novell\GroupWise Server.

NetWare Rights: Read, Write, Create, Erase, Modify, File Scan, Access Control

Windows Permissions: Full Control

For information about managing the Linux agents as a non-root user, see Running the Linux GroupWise Agents As a Non-root User in Installing GroupWise Agents in the GroupWise 8 Installation Guide.

79.2.2 eDirectory Rights

The eDirectory object and property rights an administrator requires depend on the administrative tasks he or she needs to perform. In GroupWise administration, there are five basic tasks an administrator can perform:

  • Create and delete objects (for example, domains, post offices, gateways, agents, libraries, resources, external entities, and distribution lists).

  • Modify object properties (for example, moving a GroupWise user from one post office to another or deleting a GroupWise user from a distribution list).

  • Modify link information (for example, defining whether Domain 1 links directly to Domain 3 or indirectly to Domain 3 through Domain 2).

  • Perform system operations (for example, managing software distribution directories, creating administrator-defined fields, and setting up eDirectory user synchronization).

  • Perform maintenance operations (for example, rebuilding domain and post office databases, analyzing and fixing user and message databases, and changing a user’s client options).

Creating and Deleting Objects

The following rules apply to creating or deleting a GroupWise object (for example, domain, post office, gateway, agent, library, resource, external entity, or distribution list):

  • To create a GroupWise object, the administrator must have Create object rights in the container where he or she is creating the object. To delete a GroupWise object, the administrator must have Delete object rights to the GroupWise object’s container.

  • If creating or deleting the object requires modification of a second object’s properties, the administrator must have Read and Write rights to the second object’s NGW: GroupWise ID property and all other affected properties. For example, when you create a distribution list, the list is assigned to a post office. Therefore, the administrator needs Read and Write rights to the post office object’s NGW: GroupWise ID property and NGW: Distribution List Member property.

For information about giving a user rights to an object or an object’s properties, or restricting a user’s rights to an object or an object’s properties, see Section 79.4, Granting or Removing Object and Property Rights.

Modifying Object Properties

Each eDirectory object has certain properties that hold information about the object. For example, a User object includes Full Name, Given Name, Last Name, Network Address, and Title properties. The following rules apply to modifying an object’s properties:

  • Each object has an NGW: GroupWise ID property. The administrator must always have Read and Write rights to the NGW: GroupWise ID property for the object being modified. Without rights to the NGW: GroupWise ID property, no modifications can be made to any of the object’s GroupWise properties.

  • The administrator must have Read and Write rights to the property being modified. For example, to change a user’s visibility within the GroupWise system, the administrator requires Read and Write rights to the user object’s NGW: GroupWise ID property and NGW: Visibility property.

  • If the modification affects a second object’s properties, the administrator must have Read and Write rights to the second object’s affected properties. For example, when you move a user from one post office to another, the move affects properties for 1) the User object, 2) the Post Office object from which you are moving the user (the source post office) and 3) the Post Office object to which you are moving the user (the target post office). Therefore, the administrator must have 1) Read and Write rights for the User object’s NGW: GroupWise ID property and NGW: Post Office property, 2) Read and Write rights for the source post office object’s NGW: GroupWise ID property and Members property, and 3) Read and Write rights for the target post office object’s NGW: GroupWise ID property and Members property.

Modifications to an object can fail for the following reasons:

  • The administrator does not have the appropriate rights to the object’s properties. For example, to restrict an administrator from moving a user from one post office to another, you could 1) not give the administrator Read and Write rights to the source or target post office object’s NGW: Members property or 2) not give the administrator Read and Write rights to the user object’s NGW: Post Office property.

  • The administrator, in addition to modifying properties he or she has rights to, attempts to modify a property he or she does not have rights to modify. For example, if an administrator has rights to modify a user’s mailbox ID and visibility but does not have rights to modify the mailbox expiration date, any modifications made to the mailbox ID and visibility fail if the administrator tries to modify the mailbox expiration date at the same time.

In general, a GroupWise administrator should have Read and Write rights to all GroupWise properties for the objects he or she needs to administer. This ensures that the administrator can modify all GroupWise information for the objects. In addition, an administrator should also have Read and Write rights to other eDirectory properties used by GroupWise. For example, Full Name is an eDirectory User object property used by GroupWise. For a list of GroupWise objects, GroupWise object properties, and associated eDirectory object properties, see Section 79.3, eDirectory Object and Properties Rights.

For information about giving a user rights to modify an object’s properties or restricting a user’s rights to modify an object’s properties, see Section 79.4, Granting or Removing Object and Property Rights.

Modifying Link Information

By default, when an administrator creates a domain or post office, the links to other domains or post offices are automatically created. Because there are many different ways you can configure your domain and post office links, you can use the Link Configuration utility to modify how domains and post offices are linked together. You can also use object and property rights to determine which administrators have the ability to modify link information. The following rules apply to modifying link information:

  • To modify the links for post offices within a domain, the administrator must have Read and Write rights to the NGW: GroupWise ID property for the Domain object and the Post Office objects. In addition, the administrator must have Write rights to the NGW: Link Configuration property for the Domain object.

  • To modify the links between domains, the administrator must have Read and Write rights to the NGW: GroupWise ID property for each Domain object, and Write rights to the NGW: Link Configuration property for each Domain object.

Because correct domain and post office links are essential to the proper functioning of your GroupWise system, you might want to assign link configuration tasks to a single administrator and restrict other administrators’ abilities to modify link information. Or, if you have a multiple-domain system with multiple administrators, you could have one administrator responsible for all domain links and the other administrators responsible for the post office links for their domains. For information about giving a user rights to an object’s properties (or restricting a user’s rights to an object’s properties), see Section 79.4, Granting or Removing Object and Property Rights.
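To make the rules in Modifying Object Properties and Modifying Link Information concrete, the following is an added model of the property-rights evaluation they describe; it is not GroupWise or eDirectory code. It computes the set of (object, property, right) entries that an operation such as moving a user between post offices or changing domain links requires, then evaluates that set all-or-nothing, so that withholding a single right on a second object (the source post office’s NGW: Members property, for instance) blocks the whole operation, and a save that touches one property the administrator may not modify fails together with the properties he or she may. The property names NGW: GroupWise ID, NGW: Post Office, NGW: Members, NGW: Visibility and NGW: Link Configuration come from the text; the DNs, the rights dictionary, and the expiration-date property name are assumptions made for illustration.

```python
"""Model of the eDirectory property-rights rules for GroupWise administration.

Added example, not GroupWise or eDirectory code. Property names are taken from
the text; the DNs, the rights dictionary, and the expiration-date property
name are constructed for illustration.
"""
from dataclasses import dataclass, field

READ, WRITE = "Read", "Write"
GWID = "NGW: GroupWise ID"

# Constructed sample objects (not real DNs from the page).
USER = "cn=jdoe,ou=users,o=example"
SOURCE_PO = "cn=PO1,ou=gw,o=example"
TARGET_PO = "cn=PO2,ou=gw,o=example"
DOMAINS = ["cn=Domain1,ou=gw,o=example", "cn=Domain2,ou=gw,o=example"]
# Placeholder: the page does not name the schema attribute for the expiration date.
EXPIRATION = "NGW: Mailbox Expiration (placeholder name)"


@dataclass
class Rights:
    """What one administrator holds: (object DN, property) -> set of rights."""
    held: dict = field(default_factory=dict)

    def grant(self, obj, prop, *rights):
        self.held.setdefault((obj, prop), set()).update(rights)

    def revoke(self, obj, prop, *rights):
        self.held.get((obj, prop), set()).difference_update(rights)

    def has(self, obj, prop, right):
        return right in self.held.get((obj, prop), set())


def required_for_property_change(obj, props):
    """Rule: any change needs Read+Write on the object's NGW: GroupWise ID
    plus Read+Write on every property being changed."""
    need = {(obj, GWID): {READ, WRITE}}
    for prop in props:
        need[(obj, prop)] = {READ, WRITE}
    return need


def required_for_move_user(user, source_po, target_po):
    """Rule: moving a user touches the User object (NGW: Post Office) and the
    source and target Post Office objects (NGW: Members)."""
    need = required_for_property_change(user, ["NGW: Post Office"])
    for po in (source_po, target_po):
        need.update(required_for_property_change(po, ["NGW: Members"]))
    return need


def required_for_domain_link_change(domains):
    """Rule: changing domain links needs Read+Write on NGW: GroupWise ID and
    Write on NGW: Link Configuration for every Domain object involved."""
    need = {}
    for dom in domains:
        need[(dom, GWID)] = {READ, WRITE}
        need[(dom, "NGW: Link Configuration")] = {WRITE}
    return need


def check(rights, need):
    """All-or-nothing evaluation: the operation succeeds only if every required
    right is held. Returns (ok, [(object, property, missing right), ...])."""
    missing = [(obj, prop, r)
               for (obj, prop), rs in need.items()
               for r in sorted(rs)
               if not rights.has(obj, prop, r)]
    return (not missing, missing)


def domain_admin_rights():
    """Administrator holding everything the sample operations need (plus
    NGW: Visibility on the user), in the spirit of a Domain administrator."""
    rights = Rights()
    need = {}
    need.update(required_for_move_user(USER, SOURCE_PO, TARGET_PO))
    need.update(required_for_domain_link_change(DOMAINS))
    need.update(required_for_property_change(USER, ["NGW: Visibility"]))
    for (obj, prop), rs in need.items():
        rights.grant(obj, prop, *rs)
    return rights


def scenario_restricted_move():
    """Withhold only Write on the source post office's NGW: Members: the move
    is blocked even though every other right is present."""
    rights = domain_admin_rights()
    rights.revoke(SOURCE_PO, "NGW: Members", WRITE)
    return check(rights, required_for_move_user(USER, SOURCE_PO, TARGET_PO))


def scenario_all_or_nothing():
    """Visibility alone succeeds, but saving visibility together with the
    expiration date fails as a whole because the latter is not granted."""
    rights = domain_admin_rights()
    alone = check(rights, required_for_property_change(USER, ["NGW: Visibility"]))
    together = check(rights, required_for_property_change(USER, ["NGW: Visibility", EXPIRATION]))
    return alone, together


if __name__ == "__main__":
    print("restricted move:", scenario_restricted_move())
    print("all-or-nothing:", scenario_all_or_nothing())
    print("domain links:", check(domain_admin_rights(), required_for_domain_link_change(DOMAINS)))
```

The `required_for_*` functions are the useful part when planning a distributed administration model: run them for each task a role must perform, take the union, and grant exactly that set, which is the least-privilege alternative to making the administrator an Admin equivalent.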

Performing System Operations

The system operations that a GroupWise administrator can perform in ConsoleOne are listed on the Tools > GroupWise System Operations menu.

Figure 79-1 GroupWise System Operations Submenu on the Tools Menu

The Select Domain, Pending Operations, and Restore Area Management operations are always available to GroupWise administrators. To perform any of the other system operations, an administrator must have Read and Write rights to the NGW: GroupWise ID property for the primary Domain object. In GroupWise systems that span multiple eDirectory trees, the administrator’s current tree must be the tree in which the primary Domain object is located.

You can restrict the ability to perform system operations (other than Select Domain, Pending Operations, and Restore Area Management) to only those GroupWise administrators who connect to the primary domain database. To do so, you use the Restrict System Operations to Primary Domain option (Tools > GroupWise System Operations > System Preferences > Admin Lockout Settings). Administrators connected to secondary domain databases see the GroupWise System Operations menu with only the Select Domain, Pending Operations, and Restore Area Management options available.

Figure 79-2 GroupWise System Operations Submenu on the Tools Menu

For information about giving a user rights to an object’s properties or restricting a user’s rights to an object’s properties, see Section 79.4, Granting or Removing Object and Property Rights.

Performing Maintenance Operations

To perform maintenance operations such as validating, recovering, or rebuilding domain databases; fixing user, resource, or post office databases; or changing a user’s client options, an administrator must have Read and Write rights to the NGW: GroupWise ID property for the object being modified. For example, to rebuild a domain database, an administrator requires Read and Write rights to the NGW: GroupWise ID property for the Domain object. Or, to change a user’s client options, an administrator requires Read and Write rights to the NGW: GroupWise ID property for the User object.

For information about giving a user rights to an object’s properties or restricting a user’s rights to an object’s properties, see Section 79.4, Granting or Removing Object and Property Rights.

79.2.3 Common Types of GroupWise Administrators

The following sections provide information about assigning directory, object, and property rights to some common types of GroupWise administrators:

Domain Administrator

A Domain administrator is a GroupWise administrator who has all file system and eDirectory rights needed to create and maintain a single GroupWise domain.

File System Rights

A Domain administrator requires the file system rights listed in the following table.

Directory: sys:\public (for ConsoleOne and GroupWise Administrator snap-ins)

NetWare Rights: Read, File Scan

Windows Permissions: Not applicable

Directory: Any GroupWise system directory the administrator is responsible for. This includes:

  • domain directories
  • post office directories
  • software distribution directories
  • library storage area directories

If the domain is not yet created, it is necessary to give the administrator rights to the directories where it will be created.

NetWare Rights: Read, Write, Create, Erase, Modify, File Scan, Access Control

Windows Permissions: Full Control

Directory: The GroupWise agent directories.

For NetWare, the default directory is sys:\system.

For Windows, the default directory is c:\Program Files\Novell\GroupWise Server\Agents.

NetWare Rights: Read, Write, Create, Erase, Modify, File Scan, Access Control

Windows Permissions: Full Control

eDirectory Rights

A Domain administrator requires Read and Write rights to properties for the objects listed below.

  • Domain object: Only the domain that the administrator is responsible for unless he or she will also configure domain links. If so, the administrator also needs rights to the NGW: GroupWise ID and NGW: Link Configuration properties for the other Domain objects.

  • Post Office objects: All post offices in the domain.

  • Gateway objects: All gateways in the domain.

  • User objects: All users in the domain.

  • Resource objects: All resources in the domain.

  • Distribution List objects: All distribution lists in the domain.

  • Library objects: All libraries in the domain.

  • Agent objects: All MTAs and POAs in the domain.

  • External Entity objects: All resources in the domain.

In most cases, the administrator does not need rights to all of the object properties. After reviewing the list of objects, if you want to restrict an administrator’s rights to only the required properties, see Section 79.3, eDirectory Object and Properties Rights.

In addition, the administrator must have Create and Delete rights in any container in which one of the objects listed above will be created or deleted.

For a listing of the explicit object properties to which the administrator requires rights, see Section 79.3, eDirectory Object and Properties Rights.

Post Office Administrator

A Post Office administrator is a GroupWise administrator who has all file system and eDirectory rights needed to create and maintain a single GroupWise post office.

File System Rights

A Post Office administrator requires the file system rights listed in the following table.

Directory: The domain directory

NetWare Rights: Read, Write, Create, Erase, Modify, File Scan, Access Control

Windows Permissions: Full Control

Directory: The following directories:

  • post office directory
  • library storage area directories for libraries assigned to the post office

NetWare Rights: Read, Write, Create, Erase, Modify, File Scan, Access Control

Windows Permissions: Full Control

Directory: The directory for the Post Office Agent.

For NetWare, the default directory is sys:\system.

For Windows, the default directory is c:\Program Files\Novell\GroupWise Server\Agents.

NetWare Rights: Read, Write, Create, Erase, Modify, File Scan, Access Control

Windows Permissions: Full Control

eDirectory Rights

A Post Office administrator requires Read and Write rights to properties for the objects listed below.

In most cases, the administrator does not need rights to all of the object properties. After reviewing the list of objects, if you want to restrict an administrator’s rights to only the required properties, see Section 79.3, eDirectory Object and Properties Rights.

  • Post Office object: Only the post office that the administrator is responsible for.

  • User objects: All users with accounts on the post office.

  • Resource objects: All resources assigned to the post office.

  • Distribution List objects: All distribution lists assigned to the post office.

  • Library objects: All libraries assigned to the post office.

  • Agent objects: Only the post office’s POA.

  • External Entity objects: All external entities with accounts on the post office.

In addition, the administrator must have Create and Delete rights in any container in which one of the objects listed above will be created or deleted.

Link Configuration Administrator

A Link Configuration administrator has all file system and eDirectory rights needed to create and maintain the links between GroupWise domains.

File System Rights

A Link Configuration administrator requires the file system rights listed in the following table.

Table 79-2 File System Rights

Directory: sys:\public (for ConsoleOne and GroupWise Administrator snap-ins)

NetWare Rights: Read, File Scan

Windows Permissions: Not applicable

Directory: Domain directory

NetWare Rights: Read, Write, Create, Erase, Modify, File Scan

Windows Permissions: Full Control

eDirectory Rights

A Post Office administrator requires Read and Write rights to the properties for the objects listed below.

Table 79-3 Read and Write Rights

Object: Domain (all domains)

Property: NGW: GroupWise ID, NGW: Link Configuration