We have a customer with a large public folder hierarchy. They occasionally
make requests to have the public folder ACLs changed; for example: "please
give user X access to all public folders" (that's nearly 1700 folders).
Worse: "please give user Y access to all sales folders" (there are
1450
sales folders).
The problem is that there are (naturally) spaces in the folder names,
which makes command line manipulation challenging. We've ended up with
some astonishingly hacky Python scripts that enter each folder starting
with (for example) ".sales" and replacing the dovecot-acl file to try
to
fulfil the above requests. One day our script are going to get it wrong,
or requests will become more complex ("give X access all sales/CustA
folders, Y access to all sales/CustB folders, and Z access to all sales
folders). There must be a Better Way.
How do others manage divergent ACLs within large public folder hierarchies?
Thanks,
Keith
Hi Keith, i have the same Problem as you, but in a much smaller variant. Our user_db is in MySQL, so i define acl_groups in user_db and make many group-settings for all situations per public folder. But that could be hard for 1000 folders, so the user must have 1000 group memberships. Okay, some groups could be combined. I think a global public-folder management would be nice, in example via ldap or mysql (or in a file). Dovecot reads this and create mail-folders and acl files for the configuration. Greetings, Jan Phillip Greimann
Similar to Jan Phillip, we have a small setup where we give permissions to groups and then I can add or remove users from the groups fairly easily. On 4/6/2011 4:54 AM, Keith Edmunds wrote:> We have a customer with a large public folder hierarchy. They occasionally > make requests to have the public folder ACLs changed; for example: "please > give user X access to all public folders" (that's nearly 1700 folders). > Worse: "please give user Y access to all sales folders" (there are 1450 > sales folders).So on all your sales folders, you have a few groups: sales-full-access sales-read-only everything-full-access everything-read-only Your user X, you would maybe put in the "everything-full-access" group. User Y would get added to the "sales-full-access" group.> The problem is that there are (naturally) spaces in the folder names, > which makes command line manipulation challenging. We've ended up with > some astonishingly hacky Python scripts that enter each folder starting > with (for example) ".sales" and replacing the dovecot-acl file to try to > fulfil the above requests. One day our script are going to get it wrong, > or requests will become more complex ("give X access all sales/CustA > folders, Y access to all sales/CustB folders, and Z access to all sales > folders). There must be a Better Way.This part gets a little trickier, but you could still do it with groups.> > How do others manage divergent ACLs within large public folder hierarchies?Again, we have a small setup -- nothing so large as yours... so even my suggestions may not be the best for you.> > Thanks, > Keith
On Wed, 2011-04-06 at 11:54 +0100, Keith Edmunds wrote:> The problem is that there are (naturally) spaces in the folder names, > which makes command line manipulation challenging. We've ended up with > some astonishingly hacky Python scripts that enter each folder starting > with (for example) ".sales" and replacing the dovecot-acl file to try to > fulfil the above requests. One day our script are going to get it wrong, > or requests will become more complex ("give X access all sales/CustA > folders, Y access to all sales/CustB folders, and Z access to all sales > folders). There must be a Better Way.Besides the groups solutions others already mentioned, v2.0.10+ makes this easier: doveadm mailbox list -u admin at domain "sales/CustA/*" | while read mailbox; do doveadm acl set -u user at domain "$mailbox" user at domain +lrw done