Thursday, June 05, 2008

Oracle Calendar Designates and Zimbra Sharing Roles

We got asked about moving Designate rights from Oracle Calendar Server into Zimbra, and came up with a simple solution that in our spirit of full-disclosure we figured we'd document.


Let's begin with the end in mind.



Zimbra has three Roles for sharing: None, Viewer, and Manager.

In sharing you can grant Read, or you can grant Read and Write, or you don't grant anything at all.

Oracle Calendar has many more and finer-grained options.

Let's look at one of our test OCS users Jerry Garcia.

His Designate John Lennon has options on both Reading (Viewing) and Writing (Designate) calendar items, also cross-referenced against the security level of individual items (and keep in mind both Outlook and Zimbra have only two levels of security for individual items: Public and Private).

Walter Liberace has no Designate rights granted by Jerry Garcia, but Walter Liberace does have Viewing rights.

Jimmy Page has full Designate rights.

So how on earth do you take something with a matrix of possibilities and distill it down to fit into a paradigm with two?

If you ran this command in OCS:

uniaccessrights -ls -grantor "S=Garcia/G=Jerry" -grantee "S=*" -n 1 -p PASSWORD >jerry_garcia.txt

You'd generate this output:

Grantee: S=Lennon/G=John/UID=John.Lennon/ID=257/NODE-ID=1
Designate Right: CONFIDENTIALEVENT=VIEWTIME/CONFIDENTIALTASK=MODIFY/NORMALEVENT=MODIFY/NORMALTASK=MODIFY/PERSONALEVENT=REPLY/PERSONALTASK=MODIFY/PUBLICEVENT=NONE/PUBLICTASK=MODIFY
Event Viewing Right: CONFIDENTIAL=ALL/NORMAL=ALL/PERSONAL=ALL

Grantee: S=Liberace/G=Walter/UID=Walter.Liberace/ID=260/NODE-ID=1
Event Viewing Right: CONFIDENTIAL=NONE/NORMAL=ALL/PERSONAL=TIME

Grantee: S=Page/G=Jimmy/UID=Jimmy.Page/ID=262/NODE-ID=1
Designate Right: CONFIDENTIALEVENT=MODIFY/CONFIDENTIALTASK=MODIFY/NORMALEVENT=MODIFY/NORMALTASK=MODIFY/PERSONALEVENT=MODIFY/PERSONALTASK=MODIFY/PUBLICEVENT=MODIFY/PUBLICTASK=MODIFY

Grantee: Everyone
Default Event Viewing Right: CONFIDENTIAL=ALL/NORMAL=ALL/PERSONAL=ALL
Default Task Viewing Right: CONFIDENTIAL=ALL/NORMAL=ALL/PERSONAL=ALL
Default Scheduling Right: CANBOOKME=TRUE

Remember -- our end result needs to be binary (if you're there at all you're in View Role or Manage Role), so our decision-making process needs to be equally black and white.

Our two basic rules:

If you're giving an OCS user any Viewing rights at all then in Zimbra you'd at least be giving them Viewer rights (not too controversial).

The next step: if you've given them Modify rights on anything in OCS then they get upped to Manager level in Zimbra.

Final step: If your users are making you set this up for them they can go in post deployment and switch them around.
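The two rules above, applied to the sample output, as an added example (not our migration code, which comes in a later post). It assumes the uniaccessrights output puts one field per line; the names parse and zimbra_role are hypothetical, and the review list of rights that were narrower in OCS than the Zimbra role is an addition meant to support the post-deployment check.

```python
import re

# Constructed sample: the four grantee records shown in the post, laid out
# one field per line (assumed layout of the uniaccessrights -ls output).
SAMPLE = """\
Grantee: S=Lennon/G=John/UID=John.Lennon/ID=257/NODE-ID=1
Designate Right: CONFIDENTIALEVENT=VIEWTIME/CONFIDENTIALTASK=MODIFY/NORMALEVENT=MODIFY/NORMALTASK=MODIFY/PERSONALEVENT=REPLY/PERSONALTASK=MODIFY/PUBLICEVENT=NONE/PUBLICTASK=MODIFY
Event Viewing Right: CONFIDENTIAL=ALL/NORMAL=ALL/PERSONAL=ALL
Grantee: S=Liberace/G=Walter/UID=Walter.Liberace/ID=260/NODE-ID=1
Event Viewing Right: CONFIDENTIAL=NONE/NORMAL=ALL/PERSONAL=TIME
Grantee: S=Page/G=Jimmy/UID=Jimmy.Page/ID=262/NODE-ID=1
Designate Right: CONFIDENTIALEVENT=MODIFY/CONFIDENTIALTASK=MODIFY/NORMALEVENT=MODIFY/NORMALTASK=MODIFY/PERSONALEVENT=MODIFY/PERSONALTASK=MODIFY/PUBLICEVENT=MODIFY/PUBLICTASK=MODIFY
Grantee: Everyone
Default Event Viewing Right: CONFIDENTIAL=ALL/NORMAL=ALL/PERSONAL=ALL
Default Task Viewing Right: CONFIDENTIAL=ALL/NORMAL=ALL/PERSONAL=ALL
Default Scheduling Right: CANBOOKME=TRUE
"""


def parse(text):
    """Return {grantee: {field label: {KEY: VALUE}}}, keyed by UID when present."""
    records, current = {}, None
    for line in text.splitlines():
        label, sep, value = (part.strip() for part in line.partition(":"))
        if label == "Grantee" and sep:
            uid = re.search(r"UID=([^/]+)", value)
            current = records.setdefault(uid.group(1) if uid else value, {})
        elif sep and current is not None:
            current[label] = dict(kv.split("=", 1) for kv in value.split("/"))
    return records


def zimbra_role(rights):
    """Return (role, review): review lists OCS rights narrower than the role."""
    designate = rights.get("Designate Right", {})
    viewing = [(f"{label} {key}", val) for label, fields in rights.items()
               if label.endswith("Viewing Right") for key, val in fields.items()]
    if "MODIFY" in designate.values():        # rule 2: any Modify -> Manager
        return "Manager", [f"{k}={v}" for k, v in designate.items() if v != "MODIFY"]
    if any(val != "NONE" for _, val in viewing):  # rule 1: any Viewing -> Viewer
        return "Viewer", [f"{k}={v}" for k, v in viewing if v != "ALL"]
    return "None", []


if __name__ == "__main__":
    for grantee, rights in parse(SAMPLE).items():
        role, review = zimbra_role(rights)
        print(f"{grantee}: {role}; narrower in OCS: {', '.join(review) or '-'}")
```

John Lennon comes out as Manager even though his OCS rights on public events were NONE, which is the kind of entry the review list is there to surface.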

How's this sound to everyone?

Stay tuned for how we implement taking this data out of OCS and putting it into something you can use in Zimbra.

