Multi-tenancy is one of the most effective models for providing IT services today. A single instance of the application, running on a single server infrastructure, but at the same time available to many users and enterprises, allows you to minimize the cost of providing IT services and achieve their maximum quality. The idea of multi-tenancy was originally incorporated into the Zimbra Collaboration Suite Open-Source Edition architecture. Thanks to this, in one installation of Zimbra OSE, you can create many mail domains, and at the same time, their users will not even guess about the existence of each other.
That is why the Zimbra Collaboration Suite Open-Source Edition is an excellent choice for groups of companies and holdings that need to provide each enterprise with mail on its own domain, but do not want to spend a lot of money for this purpose. Also, Zimbra Collaboration Suite Open-Source Edition could be suitable for SaaS providers that provide access to corporate email and collaboration tools, if not for two significant limitations: the lack of simple and understandable administrative tools for delegating administrative powers, as well as for introducing restrictions on domains in the Open-Source version of Zimbra. In other words, Zimbra OSE only has an API for implementing these functions, but there are simply no special console commands or items in the administration web console. In order to remove these restrictions, Zextras has developed a special Zextras Admin add-on, which is part of the Zextras Suite Pro extension set. Let's take a look at how Zextras Admin can turn the free Zimbra OSE into the perfect solution for a SaaS provider.
In addition to the main administrator account, Zimbra Collaboration Suite Open-Source Edition supports the creation of other administrator accounts, however, each of the created administrators will have the same full authority as the original administrator. Using the built-in function to restrict administrator rights to any one domain in Zimbra OSE via the API is extremely difficult. As a result, this becomes a serious limitation that prevents the SaaS provider from transferring domain control into the hands of the client and independently administering it. This, in turn, means that all the work of administering corporate mail, for example, creating new and deleting old mailboxes, as well as creating passwords for them, will have to be done by the SaaS provider itself. In addition to the obvious increase in the cost of providing the service, this also creates huge risks associated with information security.
The Zextras Admin extension can solve this problem, which allows you to add the function of differentiation of administrative powers to Zimbra OSE. Thanks to this extension, the system administrator can create an unlimited number of new administrators and restrict their rights as he needs. For example, he can make his assistant the administrator of some of the domains if he does not have time to independently serve requests from all clients. This will help increase the speed of response to requests from customers, provide additional information security, and improve the quality of administrators' work.
He can also make a user of one of the domains an administrator, limiting his authority to one domain, or add junior administrators who can reset the password or create a new account for users of their domains, but will not have access to the contents of employee mailboxes. Thanks to this, it is possible to achieve the creation of a self-service system, in which the enterprise will be able to independently manage the mail domain provided to it. This option is not only safe and convenient for the enterprise, but also allows the SaaS provider to significantly reduce the cost of providing services.
It is also noteworthy that all this is done with the help of several commands in the administration console. Let's see this in the example of creating an administrator for the mail.company.ru domain. In order to make the user mail.company.ru domain administrator [email protected], just enter the command zxsuite admin doAddDelegationSettings [email protected] mail.company.ru viewMail true. After that the user [email protected] will become the administrator of his domain and will be able to view the mail of other users.
In addition to creating the main administrator, let's turn one of the managers into a junior administrator using the command zxsuite admin doAddDelegationSettings [email protected] mail.company.ru viewMail false. Unlike the main administrator, the junior administrator will not be able to view the mail of employees, but will be able to perform other operations, such as creating and deleting a mailbox. This can be very useful at times when the main administrator does not have time to perform routine operations.
Zextras Admin also provides the ability to edit permissions. For example, if the main administrator goes on vacation, his duties can be temporarily performed by the manager. In order for the manager to view the mail of employees, it is enough to use the command zxsuite admin doEditDelegationSettings [email protected] mail.company.ru viewMail true, and then when the primary admin returns from vacation, the manager can be promoted back to junior admin. Users can also be deprived of administrative rights using the command zxsuite admin doRemoveDelegationSettings [email protected] mail.company.ru.
It is also important that all of the above functions are duplicated in the Zimbra administration web console. Thanks to this, enterprise domain management becomes available even to those employees who have little experience with the command line. Also, the presence of a graphical interface for these settings allows you to reduce the training time for an employee who will administer the domain.
However, the complexity of delegating administrative rights is not the only serious limitation in Zimbra OSE. In addition, the built-in ability to set limits on the number of mailboxes for domains, as well as limits on the space they occupy, is also implemented only through the API. Without such restrictions, it will be difficult for a system administrator to plan the required amount of storage drives in mail storages. Also, the absence of such restrictions means the impossibility of introducing tariff plans. The Zextras Admin extension can also remove this limitation. Thanks to the function Domain Limits, this extension allows you to limit certain domains both by the number of mailboxes and by the space occupied by mailboxes.
Let's say that an enterprise using the mail.company.ru domain has purchased a tariff at which it cannot have more than 50 mailboxes, and also take up more than 25 gigabytes of mail storage hard drive. It would be logical to limit this domain to 50 users, each of which would receive a mailbox of 512 megabytes, but in reality such limits are far from suitable for all employees of the enterprise. For example, if a simple manager has enough mailbox size of 100 megabytes, then one gigabyte may not be enough for sales staff who always conduct active correspondence. And therefore, it would be logical for the enterprise to introduce one restriction for managers, and another tariff for employees of sales and technical support departments. This can be achieved by dividing employees into groups, which in Zimbra OSE are called class service, and then set the appropriate limits for each group.
To do this, the main administrator just needs to enter the command zxsuite admin setDomainSettings mail.company.ru account_limit 50 domain_account_quota 1gb cos_limits managers:40,sales:10. Thanks to this, a limit of 50 accounts was introduced for the domain, a maximum mailbox size of 1 gigabyte, and the division of mailboxes into two different groups. After that, you can set an artificial mailbox size limit of 40 megabytes for 384 users of the "Managers" group, and leave a limit of 1 gigabyte for the "Sales" group. Thus, even when full, mailboxes on the mail.company.ru domain will not take more than 25 gigabytes.
All of the above functionality is also presented in the Zextras Suite administration web console and allows the domain administrator to make the necessary changes as quickly and conveniently as possible without spending a lot of time on training.
Also, to ensure maximum transparency of the interaction between the SaaS provider and the client, Zextras Admin keeps logs of all actions of delegated administrators, which can be viewed directly from the Zimbra OSE administrator console. Also on the first day of each month, Zextras Admin generates a monthly report on the activities of all administrators, which includes all the necessary data, including failed login attempts, as well as unsuccessful attempts to exceed the limits set for the domain.
Thus, Zextras Admin turns the Zimbra Collaboration Suite Open-Source Edition into a solution that is great for SaaS providers. With extremely low licensing costs and a self-service multi-tenant architecture, this solution can enable ISPs to lower service costs, increase their margins and, as a result, be more competitive.
For all questions related to Zextras Suite, you can contact the Representative of Zextras Ekaterina Triandafilidi by e-mail [email protected]
Source: habr.com