Sun Java System Messaging Server 6.3 Administration Guide

20.4 Specifying Administrator Access to the Store

Message store administrators can view and monitor user mailboxes and specify access control for the message store. Store administrators have proxy authentication privileges to any service (POP, IMAP, HTTP, or SMTP), which means they can authenticate to any service using the privileges of any user. These privileges allow store administrators to run certain utilities for managing the store. For example, using MoveUser, store administrators can move user accounts and mailboxes from one system to another.

This section discusses how to grant store privileges to the message store for your Messaging Server installation.


Note –

Other users might also have administrator privileges to the store. For example, some administrators may have these privileges.


You can perform administrator tasks as described in the following subsections:

Procedure: To Add an Administrator Entry

  1. Command Line: To add an administrator entry at the command line:

    configutil -o store.admins -v "adminlist"

    where adminlist is a space-separated list of administrator IDs. If you specify more than one administrator, you must enclose the list in quotes. In addition, the administrator must be a member of the Service Administrator Group (in the LDAP user entry: memberOf: cn=Service Administrators,ou=Groups,o=usergroup). You must restart imapd for the system to recognize the change in store.admins.

Procedure: To Modify an Administrator Entry

  1. Command Line. To modify an existing entry in the message store Administrator UID list at the command line:


    configutil -o store.admins -v "adminlist"

    where adminlist is a space-separated list of administrator IDs. If you specify more than one administrator, you must enclose the list in quotes. In addition, the administrator must be a member of the Service Administrator Group (in the LDAP user entry: memberOf: cn=Service Administrators,ou=Groups,o=usergroup).

    You must restart imapd for the system to recognize the change in store.admins.

Procedure: To Delete an Administrator Entry

  1. Command Line. To delete store administrators at the command line, you can edit the administrator list as follows:


    configutil -o store.admins -v "adminlist"

    where adminlist is a space-separated list of administrator IDs. If you specify more than one administrator, you must enclose the list in quotes. In addition, the administrator must be a member of the Service Administrator Group (in the LDAP user entry: memberOf: cn=Service Administrators,ou=Groups,o=usergroup).

    You must restart imapd for the system to recognize the change in store.admins.
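
Because every ID in store.admins can proxy-authenticate as any user, it helps to check a proposed list against the group-membership requirement above before applying it. The following is an added example, not part of the original guide or the product: it assumes each administrator ID matches the uid attribute of its LDAP entry and that the LDIF is unfolded plain text; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a store.admins value against the Service Administrators group.
# Assumption: each ID in store.admins equals the uid attribute of an LDAP user entry.
REQUIRED_GROUP='cn=Service Administrators,ou=Groups,o=usergroup'  # DN from the guide

# Constructed sample LDIF (not real data); in practice, use a directory export.
SAMPLE_LDIF='dn: uid=admin,ou=People,o=usergroup
uid: admin
memberOf: cn=Service Administrators,ou=Groups,o=usergroup

dn: uid=helpdesk,ou=People,o=usergroup
uid: helpdesk
memberOf: cn=Help Desk,ou=Groups,o=usergroup

dn: uid=backup,ou=People,o=usergroup
uid: backup
memberOf: cn=Backup Operators,ou=Groups,o=usergroup
memberOf: CN=Service Administrators, OU=Groups, O=usergroup
'

# Read LDIF on stdin; print the uid of every entry that is a member of
# REQUIRED_GROUP. DN comparison ignores case and spaces around commas.
group_members() {
  awk -v want="$REQUIRED_GROUP" '
    function norm(s) {
      s = tolower(s); gsub(/[ \t]*,[ \t]*/, ",", s)
      sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s
    }
    function emit() { if (uid != "" && ok) print uid; uid = ""; ok = 0 }
    BEGIN { want = norm(want) }
    /^[ \t\r]*$/ { emit(); next }                 # blank line ends an entry
    tolower($0) ~ /^uid:/ { uid = $0; sub(/^[^:]*:[ \t]*/, "", uid); sub(/[ \t\r]+$/, "", uid) }
    tolower($0) ~ /^memberof:/ { v = $0; sub(/^[^:]*:[ \t]*/, "", v); if (norm(v) == want) ok = 1 }
    END { emit() }
  '
}

# $1 = space-separated store.admins value, $2 = LDIF text.
# Prints each ID that is missing from the directory or lacks the membership.
unqualified_admins() {
  members=$(printf '%s\n' "$2" | group_members)
  for id in $1; do   # unquoted on purpose: the list is space-separated
    printf '%s\n' "$members" | grep -qixF -- "$id" || printf '%s\n' "$id"
  done
}

# Constructed store.admins value, as it would be passed to configutil -v.
unqualified_admins "admin helpdesk backup ghost" "$SAMPLE_LDIF"
```

An empty result means every listed ID satisfies the stated prerequisite; any ID printed should be removed from the list or added to the group before the value is set.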

20.4.1 To Protect Mailboxes from Deletion or Renaming Except by an Administrator

You may wish to protect some mailboxes from deletion or modification except by the Administrator. The following procedure describes how to do this. If someone other than an Administrator attempts to delete, modify, or rename a protected mailbox, the error message "mailbox is pinned" is displayed.

Set the local.store.pin configutil variable using the following format:


configutil -o local.store.pin -v "mailbox1"%"mailbox2"%"mailbox 3"

where mailbox1, mailbox2, and mailbox 3 are the mailboxes to be protected (note that spaces can be used in mailbox names), and % is the separator between each mailbox.