8 Replies Latest reply: Feb 25, 2011 8:54 PM by 822427

Delegated Administrator Privilege Issue

822427 Newbie
Hi all,

One of our customers made a complaint that a domain administrator can change his users' mailbox quota as he wishes by
logging in to the DA interface. The version details are as follows.

DA version ------> 7.0-0.0

# ./imsimta version
Sun Java(tm) System Messaging Server 7u2-7.02 64bit (built April 16 2009)
SunOS mail 5.10 Generic_139556-08 i86pc i386 i386pc

Our customer needs to find a way to disable this feature for all domain administrators.
I would appreciate any suggestion on how to do this for all the domain administrators in the system.

Thanks
  • 1. Re: Delegated Administrator Privilege Issue
    ben chuang - oracle Newbie
    Do you know if they are talking about using "commadmin" CLI or DA Console web GUI?
  • 2. Re: Delegated Administrator Privilege Issue
    822427 Newbie
    Hi,
    Thanks for replying. It's the web GUI of DA.
    Is this normal in the DA design, with the domain quota set as the only restriction for all users in that particular domain?
    In other words, is the domain quota value the only value set in the DA environment with no modification rights for domain administrators?
    Thanks,
    Regards..
  • 3. Re: Delegated Administrator Privilege Issue
    ben chuang - oracle Newbie
    With the normal behavior, the answer is "no".

    You should think of the domain administrator as the super-user of the domain sub-tree, but not the domain node itself. They cannot edit the domain, but they are delegated the administration of the domain, as defined by the TLA (or SPA).

    Some of this is described in:

    http://wikis.sun.com/display/CommSuite/Delegated+Administrator+Overview#DelegatedAdministratorOverview-ACFBG

    Are you looking for uniformity or preventing abuse? Uniformity might be possible via service packages and modifying the form settings. (You might need to open a case with support delivery to get a detailed answer).

    If you are simply concerned about the Domain Admin hogging space, there is no practical way to constrain that, because they probably could creatively use the rest of the space in the domain somehow.

    Edited by: user12608836 on Feb 23, 2011 7:11 PM

    Edited by: user12608836 on Feb 24, 2011 10:18 AM
  • 4. Re: Delegated Administrator Privilege Issue
    822427 Newbie
    Thank you for your reply and guidance. I actually had read that PDF before but found no solution for our problem.
    This is really for preventing abuse.

    In that system the domain quota is not set for domains. It is the nature of their business.
    The only quota value set is the user-level quota, through the service packages defined.
    Since there is no domain quota defined, the domain admin can change the user quota as he/she wishes, with no limit.
    We just need to give un-modifiable user quotas, as defined in the service packages, without involving the domain quota.

    Thanks and Best Regards,
  • 5. Re: Delegated Administrator Privilege Issue
    ben chuang - oracle Newbie
    There are a number of possible solutions to restrict control of the form field:

    1- Reduce the privs of a Domain Administrator, so they lose the ability to save the attribute.
    2- Change the LDAP ACLs to prevent the administrator from changing the values.
    3- Use the CoS features in the LDAP server to always override the LDAP values being available.

    If you need more detailed steps, you should create a service request.

    -Benjamin Chuang

    (CORRECTED: Originally I said "CR", which is the wrong kind of request.)

    Edited by: user12608836 on Feb 25, 2011 10:59 AM
  • 6. Re: Delegated Administrator Privilege Issue
    822427 Newbie
    Hi ,
    First thanks for your reply.

    -----------------------------------------------------------------------------------------------------------------
    1- Reduce the privs of a Domain Administrator, so they lose the ability to save the attribute.
    2- Change the LDAP ACLs to prevent the administrator from changing the values.
    -----------------------------------------------------------------------------------------------------------------
    Before posting this I actually tried the above two cases. Since there are no guides available (except the LDAP
    admin guide, with general coverage that is not specific to the msg server) for this task, and as this involves roles
    already defined in the LDAP mail tree by the msg server installer, and further these roles are nested, my experiment
    was not successful. I will try to create a CR for this as you suggest.

    --------------------------------------------------------------------------------------------------------------------------------------
    3- Use the CoS features in the LDAP server to always override the LDAP values being available.
    --------------------------------------------------------------------------------------------------------------------------------------
    I would appreciate it if you could explain a little about what you really mean by this.

    Thanks in advance.
  • 7. Re: Delegated Administrator Privilege Issue
    ben chuang - oracle Newbie
    Choosing between #1 and #2, #1 should be tried first. I don't know how well number #2 would integrate, because after the LDAP server rejects the change, the error has to be passed back to DA Console. We do not support arbitrary modification of the LDAP ACIs.

    #3 is behavior that is supported by the LDAP server, but not documented in our DA instructions on how to set up a service package. There is more information here:

    http://download.oracle.com/docs/cd/E19656-01/821-1504/6nmg10bgq/index.html#indexterm-234

    Our feature productizes CoS in the GUI. So if you go into the Service Package and change an attribute entry to use "override", here's the behavior:

    --> override - Indicates that the server always returns the value generated by the CoS, even when a value is stored with the entry.

    Just remember, that this affects the service package. In the context of the situation you have described, you might want to make special service packages for the domains-in-question.

    If you need more detailed steps, please open a service request and mention this forum discussion.

    -benc
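The "override" qualifier described in the reply above, shown as an added example in Directory Server classic-CoS LDIF; this is not from the thread or from Oracle's DA documentation, and the suffix o=isp, the domain o=example.com, the service-package name "basic", the template container o=cosTemplates and the cosSpecifier inetCOS are all assumptions about how a given deployment lays out its tree (the real DA service-package entries live wherever the installer and commadmin put them, so check with ldapsearch before applying anything). The point it demonstrates is the difference between the two qualifiers: with "default", a mailQuota value written on the user entry (what the DA GUI saves) wins; with "override", the server always returns the template's value, so a value the domain admin writes onto the user entry is ignored at read time.

```ldif
# Added example, not the page's own configuration. Assumed tree layout:
#   o=isp                                  (hypothetical suffix)
#   o=example.com,o=isp                    (hypothetical hosted domain)
#   o=cosTemplates,o=example.com,o=isp     (hypothetical template container)
# User entries are assumed to carry inetCOS=<service package name>.

# Classic CoS definition: the template is picked by the value of the
# cosSpecifier attribute (inetCOS) on each user entry.
dn: cn=quotaPolicy,o=example.com,o=isp
objectClass: top
objectClass: ldapSubEntry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cn: quotaPolicy
cosTemplateDn: o=cosTemplates,o=example.com,o=isp
cosSpecifier: inetCOS
# Weak setting (what a per-user editable quota amounts to):
#   cosAttribute: mailQuota default
# "default" means a mailQuota stored on the user entry takes precedence,
# so whatever the domain admin saves in the DA GUI is what the store uses.
#
# Corrected setting: "override" makes the server always return the
# template's mailQuota, even when a value is stored on the user entry.
cosAttribute: mailQuota override

# Template for the hypothetical "basic" service package; the template RDN
# must equal the inetCOS value on the users it should apply to.
dn: cn=basic,o=cosTemplates,o=example.com,o=isp
objectClass: top
objectClass: ldapSubEntry
objectClass: cosTemplate
cn: basic
cosPriority: 0
# Quota in bytes (100 MiB); the value every "basic" user will see.
mailQuota: 104857600
```

Load it with ldapmodify -a as the Directory Manager, then verify with ldapsearch against a user whose inetCOS is "basic": the returned mailQuota should be the template value even after a domain admin edits the quota in the DA GUI. Note that "override" changes what the server returns, not what the GUI can write; if the ACI still allows the write, the stored (ignored) value will sit on the user entry, which is worth knowing when reading raw LDIF dumps later.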
  • 8. Re: Delegated Administrator Privilege Issue
    822427 Newbie
    Hi Benc,
    I understood what you have suggested to try.
    OK, I will open an SR to get more help.
    Thank you very much for the help and advice.
    Best Regards
    ...
