zimbra_wsdl 0.0.2

data/doc/soap-right.txt

@@ -0,0 +1,806 @@
+-----------------------------
+ urn:zimbraAdmin
+-----------------------------
+
+----------------------------------------------------------
+Grant a right on a target to an individual or group grantee.
+    
+<GrantRightRequest>
+  <target type={target-type} by="{target-by}">{target-name-or-id}</target>
+  <grantee type={grantee-type} by="{grantee-by}" [secret="{secret}"]>{grantee-name-or-id}</grantee>
+  <right [deny="${deny}"] [canDelegate="${canDelegate}"] 
+         [disinheritSubGroups="${disinheritSubGroups}"] [subDomain="${subDomain}"]>
+      {right}
+  </right>
+</GrantRightRequest>    
+
+{target-type} = account | calresource | dl | domain | cos | server | xmppcomponent | zimlet | config | global 
+
+{target-by}   = name | id
+  
+{grantee-type} = usr | grp | all | dom | gst | key | pub
+                 all: user right only 
+                 dom: user right only unless the right is crossDomainAdmin
+                 gst: user right only 
+                 key: user right only 
+                 pub: user right only 
+  
+{grantee-by}   = name | id
+
+{secret} : for user right only
+           password for guest grantee or the access key for key grantee
+
+{deny} = 1 | 0(default)
+
+{canDelegate}  = 1 | 0(default)
+
+{disinheritSubGroups}  = 1 | 0(default)
+
+{subDomain} = 1 | 0(default)
+
+{right} = {right-name} | {inline-right}
+
+{right-name} = a system defined right name
+
+{inline-right} = {op}.{target-type}.{attr-name}
+
+{op} = set | get
+
+{attr-name} = a valid attribute name on the specified target type
+
+  
+  
+<GrantRightResponse/>
+
+
+----------------------------------------------------------
+Revoke a right from a target that was previously granted to 
+an individual or group grantee.
+
+ 
+<RevokeRightRequest>
+  <target type={target-type} by="{target-by}">{target-name-or-id}</target>
+  <grantee type={grantee-type} by="{grantee-by}">{grantee-name-or-id}</grantee>
+  <right [deny="${deny}"] [canDelegate="${canDelegate}"] 
+         [disinheritSubGroups="${disinheritSubGroups}"] [subDomain="${subDomain}"]>
+      {right-name}
+  </right>
+</RevokeRightRequest>    
+
+<RevokeRightResponse/>
+
+----------------------------------------------------------
+Check if a principal has the specified right on target.
+
+
+<CheckRightRequest>
+  <target type={target-type} by="{target-by}">{target-name-or-id}</target>
+  <grantee by="{grantee-by}">{grantee-name-or-id}</grantee>
+  <right>{right-name}</right>
+  [<attrs>
+     <a n="...">...</a>+
+   </attrs>]
+</CheckPermissionRequest>
+
+{right-name}: right name
+              must be a preset, getAttrs, or setAttrs right, it cannot be a combo right.
+                
+              If right is a setAttrs right, an attr/value map can be provided 
+              in <attrs>, which contains the attrs/values that are attempted to
+              be modified.   If one of the values to be modified violates one of 
+              the constraint for the the attributes, the result in CheckRightResponse
+              will be allow="0".  If attr/value map is not provided, system will just 
+              check if all attributes defined by the setAttrs right are allowed, 
+              without taking into account any constraint. 
+               
+              
+
+<CheckRightResponse allow="{1|0}">
+  [<via>
+    <target type={target-type}>{target-name-or-id}</target>
+    <grantee type={grantee-type}>{grantee-name-or-id}</grantee>
+    <right [deny="${deny}"]>{right-name}</right>
+  <via>]
+</CheckRightResponse>  
+
+    A successful return means the principal specified by the <grantee> is allowed
+    for the specified right on the target object.  
+    If PERM_DENIED is thrown, it means the authed user does not have privilege
+    to run this SOAP command(has to be an admin because this command is in admin namespace).
+    Result of CheckRightRequest is in the allow="1|0" attribute in CheckRightResponse.
+    <via> in the CheckRightResponse is the grant that decisively
+    lead to the result.  
+    
+    e.g. if a combo right C containing renameAccount is granted to group G on domain D, and
+         admin A is in group G, then
+              <CheckRightRequest>
+                 <target type="account"> by="name">user1@D</target>
+                 <grantee by="name">admin@D</grantee>
+                 <right>renameAccount</right>
+              </CheckRightRequest>
+          
+         will return:
+              <CheckRightResponse hasRight="1">
+                 <via>
+                   <target type=domain>D</target>
+                   <grantee type=grp>G</grantee>
+                   <right>C</right>
+                 </via>
+              </CheckRightResponse>
+      
+         Note, <via> is optional.  If the right of interest is not granted at all, there will be no <via>
+         in the response.     Also, <via> will probably be hairy for rights that modify/get
+         selective attrs, it may not be returned for those rights.  TDB...
+
+    e.g. 
+         <CheckRightRequest>
+             <target type="account"> by="name">user1@D</target>
+             <grantee by="name">admin@D</grantee>
+             <right>configureQuota</right>
+             <attrs>
+                 <a n="zimbraMailQuota">100000</a>
+                 <a n="zimbraQuotaWarnPercent">80</a>
+             <attrs>    
+         </CheckRightRequest>
+              
+         <CheckRightResponse hasRight="0">     
+         
+         
+----------------------------------------------------------
+Returns all grants on the specified target entry, or all grants
+granted to the specified grantee entry.
+The authenticated admin must have an effective "viewGrants" (TBD) system 
+right on the specified target/grantee.
+
+At least one of <target> or <grantee> must be specified.  
+If both <target> and <grantee> are specified, only grants that are granted 
+on the target to the grantee are returned.
+
+
+<GetGrantsRequest>
+  [<target type={target-type} by="{target-by}">{target-name-or-id}</target>]
+  [<grantee type={grantee-type} by="{grantee-by}">{grantee-name-or-id} all={0|1(default)}</grantee>]
+</GetGrantsRequest>
+
+
+all = whether to include grants granted to groups the specified grantee belongs to.
+      1: include (default)
+      0: do not include
+
+<GetGrantsResponse>
+  <grant>
+    <target type={target-type} by="{target-by}">{target-name-or-id}</target>
+    <grantee type={grantee-type} by="{grantee-by}">{grantee-name-or-id}</grantee>
+    <right [deny="${deny}"] [canDelegate="${canDelegate}"] 
+           [disinheritSubGroups="${disinheritSubGroups}"] [subDomain="${subDomain}"]>
+        {right}
+    </right>
+  </grant>+
+</GetGrantsResponse>  
+
+         
+----------------------------------------------------------
+Returns *effective* *admin* rights the authenticated admin has on the specified target entry.
+        
+Effective rights are the rights the admin is actually allowed.  It is the net result of 
+applying ACL checking rules given the target and grantee.  Specifically denied rights 
+will *not* be returned.
+        
+The result can help the admin console decide on what tabs to display after a target 
+is selected.  For example, after user1 is selected, if the admin does not have right 
+to setPassword, it should probably hide or gray out the setPassword tab.
+
+    
+<GetEffectiveRightsRequest expandAllAttrs="{expand-all-attrs}">
+  <target type={target-type} by="{target-by}">{target-name-or-id}</target>
+  [<grantee by="{grantee-by}">{grantee-name-or-id}</grantee>]
+</GetEffectiveRightsRequest>
+
+if <grantee> is omitted, it means the account identified by the auth token.
+
+{expand-all-attrs} : whether to include all attribute names in the <getAttrs>/<setAttrs> elements in 
+                     GetEffectiveRightsResponse if all attributes of the target are gettable/settable
+                     
+                     comma separated values of "getAttrs", "setAttrs"
+                     
+                     e.g. getAttrs           - expand attrs in getAttrs in GetEffectiveRightsResponse
+                          setAttrs           - expand attrs in setAttrs in GetEffectiveRightsResponse
+                          getAttrs,setAttrs  - expand attrs in both getAttrs and setAttrs in GetEffectiveRightsResponse
+                                     
+                     - when all="1" in setAttrs/getAttrs in GetEffectiveRightsResponse: 
+                           0: do not expand attributes
+                           1: expand all attributes
+                     - when all is not present or is 0 in setAttrs/getAttrs in GetEffectiveRightsResponse: 
+                           value of {whether-to-expand-all-attrs} does not apply.  Allowed attributes are always 
+                           returned in setAttrs/getAttrs in GetEffectiveRightsResponse.  
+    
+<GetEffectiveRightsResponse>    
+  <grantee id="{grantee-id}" name="{grantee-name}">
+  <target type="{target-type}" [id"{target-id}"] [name="{target-name}"]>
+      <right n="{right-name}"/>+
+      <setAttrs [all="{all}"]>
+          <a n="...">
+              [<default>
+                   <v>...</v>+
+               </default>]
+              [<constraint>
+                   [<min>{min}</min>]
+                   [<max>{max}</max>]
+                   [<values>
+                       <v>...</v>+
+                    </values>]
+               </constraint>]       
+          </a>+
+      </setAttrs>
+      <getAttrs [all="{all}"]>
+        <a n="...">
+              [<default>
+                   <v>...</v>+
+               </default>]
+          </a>+
+      </getAttrs>
+  </target>
+</GetEffectiveRightsResponse>   
+
+    <right>       : all effective system rights
+                    - getAttrs/setAttrs rights will not appear in the list because they will be 
+                      expanded to a list of attributes that can be get/set, which appear in the 
+                      <getAttrs> and <setAttrs> elements in the response.
+                    - Combo rights will not appear in the list because they will be expanded to 
+                      system rights and/or a set of attributes that can be get/set.
+    <setAttrs>    : all attrs can be set
+    <getAttrs>    : all attrs can be get
+    
+    {all} : 0(default) | 1
+            1 - all attributes on the target entry are accessible
+                if 1, no <a> elements will appear under the <setAttrs>/<getAttrs>
+                
+    <default> : inherited default value(or values if the attribute is multl-valued)
+    
+    e.g. 
+    <GetEffectiveRightsRequest>
+      <target type="account" by="id">bba95d7d-0b13-401f-a343-03a8f5a96f7c"/>
+      <grantee by="name">admin@test.com</grantee>
+    </GetEffectiveRightsRequest>
+    
+    <GetEffectiveRightsResponse>
+      <grantee name="admin@test.com</grantee" id=""/>
+      <target type="account" name="user1@test.com" id="bba95d7d-0b13-401f-a343-03a8f5a96f7c">
+        <right n="setPassword"/>
+        <right n="renameAccount"/>
+        <right n="deleteAccount"/>
+        <setAttrs>
+          <a n="zimbraMailQuota" min="100000000"/>
+          <a n="zimbraMailStatus"/>
+          <a n="zimbraFeatureMailEnabled" values="TRUE,FALSE"/>
+          ...
+        </setAttrs>
+        <getAttrs>
+          <a n="..."/>
+          <a n="..."/>
+          ...
+        </getAttrs>
+      </target>
+    </GetEffectiveRightsRequest>
+
+         
+----------------------------------------------------------
+Returns attributes, with defaults and constraints if any,  that can be set by the authed admin when an 
+object is created.
+      
+GetCreateObjectAttrsRequest returns the equivalent of setAttrs portion of GetEffectiveRightsResponse.
+GetCreateObjectAttrsRequest is needed becasue GetEffectiveRightsRequest requires a target, but when we are 
+creating a object, the target object does not exist yet.
+      
+The result can help the admin console decide on what tabs/attributes to display for creating objects.
+    
+
+<GetCreateObjectAttrsRequest>
+    <target type="{target-type}">
+    [<domain by="{domain-by}">...</domain>]
+    [<cos by="{cos-by}">...</cos>]
+</GetCreateObjectAttrsRequest>    
+
+<domain> : required if {target-type} is account/calresource/dl/domain, ignored otherwise
+           - if {target-type} is account/calresource/dl: this is the domain in whcih the object will be in.
+             the domain can be speciffied by id or by name
+           - if {target-type} is domain, it is the domain name to be created.
+             e.g. to create a subdomain named foo.bar.test.com, should pass in <domain by="name">foo.bar.test.com</domain>.
+
+          
+<cos>    : optional if {target-type} is account/calresource, ignored otherwise
+           if missing, default cos of the domain will be used
+          
+e.g. 1  creating an account:
+
+<GetCreateObjectAttrsRequest>
+  <target type="account"/>  
+  <domain by="name">test.com</domain>
+  <cos by="name">standard</cos>
+</GetCreateObjectAttrsRequest>
+
+<GetCreateObjectAttrsResponse>
+    <setAttrs>
+          <a n="zimbraMailQuota"/>
+              <constraint>
+                  <min>1</min>
+                  <max>3</max>
+              </constraint>
+              <default>
+                  <v>2</v>
+              </default>
+          <a n="zimbraMailStatus"/>
+          <a n="zimbraFeatureCalendarEnabled"/>
+          ...
+    </setAttrs>
+</GetCreateObjectAttrsResponse>
+
+
+e.g. 2 creating a server:
+
+<GetCreateObjectAttrsRequest>
+  <target type="server"/>  
+</GetCreateObjectAttrsRequest>
+
+<GetCreateObjectAttrsResponse>
+    <target type="server"/>
+    <setAttrs>
+          <a n="zimbraLmtpExposeVersionOnBanner"/>
+          <a n="zimbraXMPPServerDialbackKey"/>
+          <a n="zimbraReverseProxyImapEnabledCapability"/>
+              <constraint>
+                  <values>
+                      <v>IMAP4rev1</v>
+                      <v>BINARY</v>
+                  </values>
+              </constraint>    
+          ...
+    </setAttrs>
+</GetCreateObjectAttrsResponse>
+    
+----------------------------------------------------------
+Get all effective *admin* rights.
+
+      
+<GetAllEffectiveRightsRequest>
+  <grantee type={grantee-type} by="{grantee-by}">{grantee-name-or-id}</grantee>
+</GetAllEffectiveRightsRequest> 
+
+       
+<GetAllEffectiveRightsResponse>
+  <grantee id="{grantee-id}" name="{grantee-name}">
+  <target type="{target-type}">
+    {right-specifiers}
+  </target>+
+</GetAllEffectiveRightsResponse>  
+  
+{right-specifiers} = 
+    - if target type is account, calresource, dl: {domained-entries-right-specifiers}
+    - otherwise: {non-domained-entries-right-specifiers}
+  
+{domained-entries-right-specifiers} = 
+    <all>
+      {effective-rights}
+    </all>
+    [<inDomains>
+       <domain name="{domain-name}">+
+        {effective-rights}
+     <inDomains>]+
+    [<entries>
+       <entry name="{name}">+
+       {effective-rights}
+     </entries>]+
+     
+{non-domained-entries-right-specifiers} = 
+    <all>
+      {effective-rights}
+    </all>
+    [<entries>
+       <entry name="{name}">+
+       {effective-rights}
+     </entries>]+     
+       
+{effective-rights} = 
+    <rights>
+        <right n="..."/>+
+        <setAttrs>
+            <a n="..."/>+
+        </setAttrs>
+        <getAttrs>
+            <a n="..."/>+
+        </getAttrs>
+    </rights>
+
+    
+e.g.
+
+    <GetAllEffectiveRightsRequest xmlns="urn:zimbraAdmin">
+      <grantee type="usr" by="name">admin1@test.com</grantee>
+    </GetAllEffectiveRightsRequest>
+    
+    <GetAllEffectiveRightsResponse xmlns="urn:zimbraAdmin">
+      <grantee name="admin1@test.com" id="a13b4659-ea6a-4050-bb58-65a9559138d1"/>
+      <target type="cos">
+        <entries>
+          <entry name="cos2"/>
+          <entry name="cos1"/>
+          <rights>
+            <right n="assignCos"/>
+            <right n="listCos"/>
+            <setAttrs/>
+            <getAttrs all="1"/>
+          </rights>
+        </entries>
+        <entries>
+          <entry name="cos3"/>
+          <entry name="cos4"/>
+          <rights>
+            <right n="deleteCos"/>
+            <setAttrs all="1"/>
+          </rights>
+        </entries>
+      </target>
+      <target type="zimlet">
+        <all>
+          <right n="listZimlet"/>
+          <setAttrs/>
+          <getAttrs all="1"/>
+        </all>
+      </target>
+      <target type="account">
+        <inDomains>
+          <domain name="domain1.com"/>
+          <domain name="domain2.com"/>
+          <rights>
+            <right n="addAccountAlias"/>
+            <right n="adminLoginAs"/>
+            <setAttrs>
+              <a n="c"/>
+              ...
+              <a n="zimbraAccountCalendarUserType"/>
+              <a n="zimbraAccountStatus"/>
+              <a n="zimbraAdminAuthTokenLifetime">
+                <default>
+                  <v>12h</v>
+                </default>
+              </a>
+              <a n="zimbraAdminSavedSearches"/>
+              ...
+              <a n="zimbraZimletAvailableZimlets">
+                <default>
+                  <v>com_zimbra_ymemoticons</v>
+                  <v>com_zimbra_local</v>
+                </default>
+              </a>
+              ...
+            </setAttrs>
+            <getAttrs all="1"/>
+          </rights>
+        </inDomains>
+        <inDomains>
+          <domain name="domain3.com"/>
+          <domain name="domain4.com"/>
+          <rights>
+            <right n="renameAccount"/>
+            <right n="adminLoginAs"/>
+            <setAttrs>
+              <a n="zimbraAccountCalendarUserType"/>
+              <a n="zimbraAccountStatus"/>
+              ...
+            </setAttrs>
+            <getAttrs all="1"/>
+          </rights>
+        </inDomains>
+        <entries>
+          <entry name="user1@domain1.com"/>
+          <entry name="user2@domain1.com"/>
+          <rights>
+            <right n="renameAccount"/>
+            <setAttrs>
+              <a n="zimbraAccountStatus"/>
+              ...
+            </setAttrs>
+            <getAttrs all="1"/>
+          </rights>
+        </entries>
+        <entries>
+          <entry name="user3@domain1.com"/>
+          <entry name="user4@domain1.com"/>
+          <rights>
+            <right n="addAccountAlias"/>
+            <right n="removeAccountAlias"/>
+            <right n="setAccountPassword"/>
+            <setAttrs>
+            </setAttrs>
+            <getAttrs/>
+          </rights>
+        </entries>
+      </target>
+      <target type="calresource">
+        <inDomains>
+          <domain name="domain1.com"/>
+          <domain name="domain2.com"/>
+          <rights>
+            <right n="addCalendarResourceAlias"/>
+            <right n="deleteCalendarResource"/>
+            <right n="listCalendarResource"/>
+            <right n="purgeCalendarResourceCalendarCache"/>
+            <right n="removeCalendarResourceAlias"/>
+            <right n="renameCalendarResource"/>
+            <right n="setCalendarResourcePassword"/>
+            <setAttrs>
+              <a n="c"/>
+              ...
+            </setAttrs>
+            <getAttrs all="1"/>
+          </rights>
+        </inDomains>
+      </target>
+      <target type="xmppcomponent"/>
+      <target type="server"/>
+      <target type="config"/>
+      <target type="global"/>
+      <target type="domain">
+        <entries>
+          <entry name="domain1.com"/>
+          <entry name="domain2.com"/>
+          <rights>
+            <right n="accessGAL"/>
+            <right n="checkDomainMXRecord"/>
+            <right n="countAccount"/>
+            <right n="createAccount"/>
+            <right n="createAlias"/>
+            <right n="createCalendarResource"/>
+            <right n="createDistributionList"/>
+            <right n="deleteAlias"/>
+            <right n="listDomain"/>
+            <setAttrs>
+              <a n="description"/>
+              <a n="zimbraAdminConsoleLoginURL"/>
+              ...
+            </setAttrs>
+            <getAttrs all="1"/>
+          </rights>
+        </entries>
+      </target>
+      <target type="dl">
+        <inDomains>
+          <domain name="domain1.com"/>
+          <domain name="domain2.com"/>
+          <rights>
+            <right n="addDistributionListAlias"/>
+            <right n="addDistributionListMember"/>
+            <right n="deleteDistributionList"/>
+            <right n="getDistributionListMembership"/>
+            <right n="getDistributionListShareInfo"/>
+            <right n="listDistributionList"/>
+            <right n="publishDistributionListShareInfo"/>
+            <right n="removeDistributionListAlias"/>
+            <right n="removeDistributionListMember"/>
+            <right n="renameDistributionList"/>
+            <right n="viewDistributionListAdminUI"/>
+            <setAttrs>
+              <a n="cn"/>
+              <a n="description"/>
+              <a n="displayName"/>
+              <a n="zimbraHideInGal"/>
+              <a n="zimbraLocale"/>
+              <a n="zimbraMailCanonicalAddress"/>
+              <a n="zimbraMailForwardingAddress"/>
+              <a n="zimbraMailStatus"/>
+              <a n="zimbraNotes"/>
+            </setAttrs>
+            <getAttrs all="1"/>
+          </rights>
+        </inDomains>
+        <inDomains>
+          <domain name="domain3.com"/>
+          <rights>
+            <right n="publishDistributionListShareInfo"/>
+            <setAttrs>
+              <a n="zimbraMailCanonicalAddress"/>
+              <a n="zimbraMailForwardingAddress"/>
+              <a n="zimbraMailStatus"/>
+              <a n="zimbraNotes"/>
+            </setAttrs>
+            <getAttrs all="1"/>
+          </rights>
+        </inDomains>
+        <entries>
+          <entry name="dl1@domain1.com"/>
+          <entry name="dl2@domain1.com"/>
+          <rights>
+            <right n="addDistributionListAlias"/>
+            <right n="addDistributionListMember"/>
+            <setAttrs>
+              <a n="zimbraMailCanonicalAddress"/>
+              <a n="zimbraMailForwardingAddress"/>
+              <a n="zimbraMailStatus"/>
+              <a n="zimbraNotes"/>
+            </setAttrs>
+            <getAttrs all="1"/>
+          </rights>
+        </entries>
+        <entries>
+          <entry name="dl3@domain1.com"/>
+          <entry name="dl4@domain1.com"/>
+          <rights>
+            <setAttrs>
+              <a n="zimbraMailCanonicalAddress"/>
+              <a n="zimbraMailForwardingAddress"/>
+              <a n="zimbraMailStatus"/>
+              <a n="zimbraNotes"/>
+            </setAttrs>
+            <getAttrs all="1"/>
+          </rights>
+        </entries>
+      </target>
+    </GetAllEffectiveRightsResponse>
+
+    
+----------------------------------------------------------
+Returns the union of the zimbraAdminConsoleUIComponents values on the 
+specified account/dl entry and that on all admin groups the entry
+belongs.
+              
+                    
+<GetAdminConsoleUICompRequest>
+    [<account by="id|name">...</account>]
+    [<dl by="id|name">...</dl>]
+</GetAdminConsoleUICompRequest>
+
+Note: if neither account nor dl is specified, the authed admin account will 
+      be used as the perspective entry.  
+
+<GetAdminConsoleUICompResponse>
+  <a inherited="{inherited}">...</a>+
+</GetAdminConsoleUICompResponse>
+
+{inherited} = 0 | 1
+              0: set directly on the entry
+              1: inherited from a group
+        
+----------------------------------------------------------
+Get definition of a right.
+
+    
+<GetRightRequest [expandAllAttrs="{expand-all-attrs}"]>
+  <right>{right-name}</right>
+</GetRightRequest>
+
+{expand-all-attrs} : whether to include all attribute names in the <attrs> elements in 
+                     GetRightResponse if the right is meant for all attributes 
+                     0: default, do not include all attribute names in the <attrs> elements
+                     1: include all attribute names in the <attrs> elements
+
+<GetRightResponse>
+  <right name="{right-name}" type="{right-type}" rightClass="{right-class} [targetType="{target-type}"]>
+    <desc>{right-description}</desc>
+    [<attrs [all="1"]>
+       [<a n="{attr-name}"/>+]
+     </attrs>]
+    [<rights>
+       <r n="{right-name}" type="{right-type}" [targetType="{target-type}"]/>+
+     </rights>]
+  </right>
+</GetRightResponse>
+
+{right-name}: right name
+
+{right-type}: getAttrs | setAttrs | combo | preset
+
+{target-type}: if {right-type} is:
+               - preset: always present (exactly target type)
+               - getAttrs/setAtrts: always present (comma-separated target types)
+               - combo: always not present
+
+right-class: right class
+             ADMIN: admin right
+             USER: user right
+
+----------------------------------------------------------
+Get all system defined rights.
+
+      
+<GetAllRightsRequest [targetType="{target-type}"] [expandAllAttrs="{expand-all-attrs}"] [rightClass={right-class}]/>
+
+{target-type} : target type on which a right is grantable
+                e.g. createAccount right is only grantable on domain entries and the globalgrant 
+                     entry.
+                Don't confuse this with "whether a right is executable on a target type".
+                e.g. the renameAccount right is "executable" on account entries, but it is "grantable" 
+                     on account, distribuiton list, domain, and globalgrant entries.
+     
+{expand-all-attrs} : whether to include all attribute names in the <attrs> elements in 
+                     GetRightResponse if the right is meant for all attributes 
+                     0: default, do not include all attribute names in the <attrs> elements
+                     1: include all attribute names in the <attrs> elements
+                  
+{right-class} : right class
+                ADMIN: return admin rights only
+                USER: return user rights only
+                ALL: return oth admin rights and user rights
+
+
+                     
+<GetAllRightsResponse>
+  <right name="{right-name}" type="{right-type}" rightClass="{right-class} [targetType="{target-type}"]">
+    <desc>{right-description}</desc>
+    [<attrs all="1">
+       [<a n="{attr-name}"/>+]
+     </attrs>]
+    [<rights>
+       <r n="{right-name}"/>+
+     </rights>]
+  </right>+
+</GetAllRightsResponse>
+
+right-class: right class
+             ADMIN: admin right
+             USER: user right
+                 
+See <GetRightResponse> for description of each <right> in the response. 
+
+----------------------------------------------------------
+Get constraints (zimbraConstraint) for delegated admin on global config or a cos
+
+<GetDelegatedAdminConstraintsRequest type="config|cos" [id="..."] [name="..."]>
+  [<a name="{attr-name}">+]
+</GetDelegatedAdminConstraintsRequest>
+
+type: - if set to config, id and name is ignored
+        will retrieve constraints on global config 
+      - if set to cos, either id or name has to be specified to identify the cos
+      
+none or several attributes can be specified for which constraints are to be returned.
+If no attribute is specified, all constraints on the global config/cos will be returned.
+
+If there is no constraint for a requested attribute, <a> element for the attribute 
+will not appear in the response.
+  
+<GetDelegatedAdminConstraintsResponse type="config|cos" [id="..."] [name="..."]>  
+  [<a n="...">
+    <constraint>
+      [<min>{min}</min>]
+      [<max>{max}</max>]
+      [<values>
+         <v>...</v>+
+      </values>]
+    </constraint>   
+  </a>+]
+</GetDelegatedAdminConstraintsResponse>
+
+e.g.
+
+<GetDelegatedAdminConstraintsRequest type="cos" name="cos1">
+  <a name="zimbraMailQuota">
+</GetDelegatedAdminConstraintsRequest> 
+  
+<GetDelegatedAdminConstraintsResponse type="cos" id="e00428a1-0c00-11d9-836a-000d93afea2a" name="cos1">  
+  <a n="zimbraMailQuota">
+    <constraint>
+      <max>524288000</max>
+      <min>20971520</min>
+    </constraint>      
+  </a>
+</GetDelegatedAdminConstraintsResponse>
+
+----------------------------------------------------------
+Modify constraint (zimbraConstraint) for delegated admin on global config or a cos
+
+<ModifyDelegatedAdminConstraintsRequest type="config|cos" [id="..."] [name="..."]>
+  <a name="{attr-name}">
+    <constraint>
+      [<min>{min}</min>]
+      [<max>{max}</max>]
+      [<values>
+         <v>...</v>+
+      </values>]
+    </constraint>]  
+  </a>    
+</ModifyDelegatedAdminConstraintsRequest>
+
+If constraints for an attribute already exists, it will be replaced by the new constraints.
+If <constraint> is an empty element, constraints for the attribute will be removed.
+
+<ModifyDelegatedAdminConstraintsResponse/>