Rights, Event Scope, and Managed Addresses

From GWAVA4

Jump to: navigation, search

Sensitive material may be stored in the QMS (Quarantine Management System). With this in mind, not all users should have the same rights to manage mail. Furthermore, not all users should be able to see all of the mail stored in the QMS.

To achieve these goals, the QMS can be configured to provide a very different experience for individual users or groups.

Broadly speaking, there are two types of users with QMS accounts, those with administrative rights and those without.

Users with administrative rights:

  • Can see,search,and perform functions on all mail stored in the QMS, regardless of who it is addressed to.
  • Can perform any function of the QMS, including releasing, forwarding, deleting, blacklisting, whitelisting, etc.
  • Are not restricted in any way regarding the events which fired.

Users without administrative rights:

  • Can only see, search, and perform functions on messages that the user "owns".
  • Can only perform functions that they have been explicitly granted rights to do.
  • Can only release items within their defined event scope. Releases only go to their addresses.
[edit]

Managed Addresses

To prevent users from violating privacy or policy rules, users normally can only see, search, and perform functions on messages that are "owned" by the user.

Regular users can only see mail that was addressed to one of their "Managed Addresses". These include:

  • their Primary e-mail address - the address used to initially create and to access their account. Only one Primary e-mail address exists for each user account. The Primary e-mail address MUST authenticate via GroupWise; this is how access is granted/denied to the QMS.
  • their secondary e-mail addresses - these are additional e-mail addresses that correspond to mail that the user "owns". When a user account is first created, the user has no secondary e-mail addresses assigned (unless they inherit some from their group membership). Administrator may add secondary addresses to users and groups without restriction. Users may also add their own secondary addresses, if and only if, they can successfully authenticate against GroupWise with them.

Most users have one and only one address - their Primary Address, which they created when they first logged into QMS. Secondary addresses exist for the purposes of convenience and consolidation. If you have multiple e-mail accounts, or have nicknames, aliases, distribution lists, etc, users will probably want to log into one single account for the purpose of managing their quarantined mail. This list is also used by the digest services to consolidate digests.


TIP: If your user is assigned to a Group, and the Group is assigned Managed Addresses by the administrator, all members of the group will gain access to the mail owned by these addresses. This is probably best used when the Group mirrors a Distribution List.
TIP: All users when newly created are assigned to the group named "default". So it's easy to set up default rights, Managed Addresses, Event Scope, etc. For example the "default" group ships with the release and delete rights granted and the spam4, spam5, RBL, SURBL events in the Event Scope.
[edit]

Rights

For non-administrative users, explicit rights need to be assigned to allow them to perform specific functions. The current right list is

  • Release - release e-mail, only with their Event Scope, only to their owned addresses, exactly as it was stored.
  • Forward - release e-mail, within any Event Scope, and being able to change the TO, FROM, SUBJECT, and comments. More powerful than Release but more open to abuse.
  • Delete - Delete e-mail that the user owns.
  • Whitelist - Currently, this is an administrative function only.
  • Blacklist - Currently, this is an administrative function only.


TIP: If your user is assigned to a Group, and the Group is assigned rights by the administrator, all members of the group will gain these rights. A user's effective rights is the SUM of their explicitly assigned rights plus those inherited by group membership.
TIP: All users when newly created are assigned to the group named "default". So it's easy to set up default rights, Managed Addresses, Event Scope, etc. For example the "default" group ships with the release and delete rights granted and the spam4, spam5, RBL, SURBL events in the Event Scope.
[edit]

Event Scope

Imagine a message gets placed into the QMS. The message initially triggered both the spam and virus events. Should a user be allowed to release this message just because they have release rights?

Event Scope deals with this issue. If the user is non administrative, and tries to release the message, then if the message is not in their "Event Scope", it will not be released. All events must be in the event scope.

Event Scope consists of nothing more than the administrator initially checking off which events messages should be releasable for.

TIP: If your user is assigned to a Group, and the Group is assigned rights by the administrator, all members of the group will gain the group's Event Scope. A user's effective Event Scope is the SUM of their explicitly assigned Event Scope plus those inherited by group Event Scope.
TIP: All users when newly created are assigned to the group named "default". So it's easy to set up default rights, Managed Addresses, Event Scope, etc. For example the "default" group ships with the release and delete rights granted and the spam4, spam5, RBL, SURBL events in the Event Scope.
TIP: Event scope does NOT apply to the Forward function. This is one of many reasons the Forward right should be granted sparingly.
Retrieved from "http://gwavasupport.securesites.net/wiki/index.php/Rights%2C_Event_Scope%2C_and_Managed_Addresses"
Personal tools