Making a GroupWise administrator an Admin equivalent gives the GroupWise administrator all eDirectory rights required to administer GroupWise. It will also give him or her full file system rights to NetWare servers. To increase security or to support a distributed administration model, you can assign rights to your GroupWise administrators based on their administration responsibilities. For example,
The following two sections, File System Rights and eDirectory Rights, provide general information about the file system rights and eDirectory object and property rights needed to perform GroupWise administration tasks.
The final section, Common Types of GroupWise Administrators, lists some common types of GroupWise administrators (for example, Domain administrator and Post Office administrator) and the specific file system and eDirectory rights they need.
A GroupWise administrator must have an account (or security equivalence) that provides the following rights to the directories listed below:
The eDirectory object and property rights an administrator requires depend on the administrative tasks he or she needs to perform. In GroupWise administration, there are five basic tasks an administrator can perform:
The following rules apply to creating or deleting a GroupWise object (for example, domain, post office, gateway, agent, library, resource, external entity, or distribution list):
For information about giving a user rights to an object or an object's properties or restricting a user's rights to an object or an object's properties, see Granting or Removing Object and Property Rights.
Each eDirectory object has certain properties that hold information about the object. For example, a User object includes Full Name, Given Name, Last Name, Network Address, and Title properties. The following rules apply to modifying an object's properties:
Modifications to an object can fail for the following reasons:
In general, a GroupWise administrator should have Read and Write rights to all GroupWise properties for the objects he or she needs to administer. This ensures that the administrator will be able to modify all GroupWise information for the objects. In addition, an administrator should also have Read and Write rights to other eDirectory properties used by GroupWise. For example, Full Name is an eDirectory User object property used by GroupWise. For a list of GroupWise objects, GroupWise object properties, and associated eDirectory object properties, see eDirectory Object and Properties Rights.
For information about giving a user rights to modify an object's properties or restricting a user's rights to modify an object's properties, see Granting or Removing Object and Property Rights.
By default, when an administrator creates a domain or post office, the links to other domains or post offices are automatically created. Because there are many different ways you can configure your domain and post office links, you can use the Link Configuration utility to modify how domains and post offices are linked together. You can also use object and property rights to determine which administrators have the ability to modify link information. The following rules apply to modifying link information:
Because correct domain and post office links are essential to the proper functioning of your GroupWise system, you might want to assign link configuration tasks to a single administrator and restrict other administrators' abilities to modify link information. Or, if you have a multiple-domain system with multiple administrators, you could have one administrator responsible for all domain links and the other administrators responsible for the post office links for their domains. For information about giving a user rights to an object's properties (or restricting a user's rights to an object's properties), see Granting or Removing Object and Property Rights.
The system operations that a GroupWise administrator can perform in ConsoleOne are listed on the Tools > GroupWise System Operations menu.
The Select Domain, Pending Operations, and Restore Area Management operations are always available to GroupWise administrators. To perform any of the other system operations, an administrator must have Read and Write rights to the NGW: GroupWise ID property for the primary Domain object. In GroupWise systems that span multiple eDirectory trees, the administrator's current tree must be the tree in which the primary Domain object is located.
You can restrict the ability to perform system operations (other than Select Domain, Pending Operations, and Restore Area Management) to only those GroupWise administrators who connect to the primary domain database. To do so, you use the Restrict System Operations to Primary Domain option (Tools menu > GroupWise System Operations > System Preferences > Admin Lockout). Administrators connected to secondary domain databases would see the GroupWise System Operations menu with only the Select Domain, Pending Operations, and Restore Area Management options available.
For information about giving a user rights to an object's properties or restricting a user's rights to an object's properties, see Granting or Removing Object and Property Rights.
To perform maintenance operations such as validating, recovering, or rebuilding domain databases; fixing user, resource, or post office databases; or changing a user's client options, an administrator must have Read and Write rights to the NGW: GroupWise ID property for the object being modified. For example, to rebuild a domain database, an administrator requires Read and Write rights to the NGW: GroupWise ID property for the Domain object. Or, to change a user's client options, an administrator requires Read and Write rights to the NGW: GroupWise ID property for the User object.
For information about giving a user rights to an object's properties or restricting a user's rights to an object's properties, see Granting or Removing Object and Property Rights.
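The system-operation and maintenance rules above can be checked against a set of trustee assignments before they are granted. The following Python model is an added example, not Novell code or an eDirectory API; the ACL structure, trustee names, and object names are constructed for illustration, and the multiple-tree condition is not modelled.

```python
GW_ID = "NGW: GroupWise ID"
ALWAYS_AVAILABLE = {"Select Domain", "Pending Operations", "Restore Area Management"}

def has_rw(acl, admin, obj, prop=GW_ID):
    """True only if the admin holds both Read and Write on the property."""
    return {"R", "W"} <= acl.get((admin, obj, prop), set())

def can_system_op(acl, admin, op, primary, connected_to, lockout):
    """Decide one Tools > GroupWise System Operations menu entry."""
    if op in ALWAYS_AVAILABLE:
        return True
    if lockout and connected_to != primary:
        return False  # Restrict System Operations to Primary Domain is set
    return has_rw(acl, admin, primary)

def can_maintain(acl, admin, obj):
    """Validate/recover/rebuild/fix, or client options, on one object."""
    return has_rw(acl, admin, obj)

def excess_rights(acl, admin, intended):
    """Objects the admin can maintain that lie outside the intended scope.
    The primary Domain object appearing here also means system operations."""
    held = {o for (a, o, p) in acl if a == admin and p == GW_ID}
    return sorted(o for o in held if can_maintain(acl, admin, o) and o not in intended)

# Constructed sample assignments: (trustee, object, property) -> rights
PRIMARY = "Domain:CORP"
ACL = {
    ("dom_admin", PRIMARY, GW_ID): {"R", "W"},
    ("po_admin", "PostOffice:SALES", GW_ID): {"R", "W"},
    ("po_admin", PRIMARY, GW_ID): {"R"},        # Read alone is not enough
    ("helpdesk", "User:jdoe", GW_ID): {"R", "W"},
    ("helpdesk", PRIMARY, GW_ID): {"R", "W"},   # broader than client-options work needs
}

if __name__ == "__main__":
    for admin, scope in [("po_admin", {"PostOffice:SALES"}), ("helpdesk", {"User:jdoe"})]:
        print(admin, "excess:", excess_rights(ACL, admin, scope))
    print("dom_admin via secondary, lockout on:",
          can_system_op(ACL, "dom_admin", "System Preferences", PRIMARY, "Domain:BRANCH", True))
```

Because the same Read and Write grant on the primary Domain object's NGW: GroupWise ID property gates both domain database maintenance and the system operations menu, any trustee flagged with the primary Domain object in its excess list can reach both.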
The following sections provide information about assigning directory, object, and property rights to some common types of GroupWise administrators:
A Domain administrator is a GroupWise administrator who has all file system and eDirectory rights needed to create and maintain a single GroupWise domain.
A Domain administrator requires the file system rights listed in the following table.
A Domain administrator requires Read and Write rights to properties for the objects listed below.
Domain object: Only the domain the administrator is responsible for unless he or she will also configure domain links. If so, the administrator also needs rights to the NGW: GroupWise ID and NGW: Link Configuration properties for the other Domain objects.
Distribution List objects: All distribution lists in the domain.
In most cases, the administrator does not need rights to all of the object properties. After reviewing the list of objects, if you want to restrict an administrator's rights to only the required properties, see eDirectory Object and Properties Rights.
In addition, the administrator must have Create and Delete rights in any container in which one of the objects listed above will be created or deleted.
For a listing of the explicit object properties to which the administrator requires rights, see eDirectory Object and Properties Rights.
A Post Office administrator is a GroupWise administrator who has all file system and eDirectory rights needed to create and maintain a single GroupWise post office.
A Post Office administrator requires the file system rights listed in the following table.
A Post Office administrator requires Read and Write rights to properties for the objects listed below.
In most cases, the administrator does not need rights to all of the object properties. After reviewing the list of objects, if you want to restrict an administrator's rights to only the required properties, see eDirectory Object and Properties Rights.
Post Office object: Only the post office that the administrator is responsible for.
Resource objects: All resources assigned to the post office.
Distribution List objects: All distribution lists assigned to the post office.
External Entity objects: All external entities with accounts on the post office.
In addition, the administrator must have Create and Delete rights in any container in which one of the objects listed above will be created or deleted.
A Link Configuration administrator has all file system and eDirectory rights needed to create and maintain the links between GroupWise domains.
A Link Configuration administrator requires the file system rights listed in the following table.