=========================
 Admin Permissions Howto
=========================

.. contents:: Contents
.. section-numbering::

-------
 Horde
-------

A Webmail-only installation without featuring the Horde portal
==============================================================

1. Of course, you will have to let IMP handle the authentication:

   * In the Administration/Setup menu, choose the *Horde (horde)* application, then the *Authentication* tab.

2. The Horde administrators will need Horde's *Administrator* menu, so you will need a user group to grant them particular permissions:

   * In the Administration/Groups menu, add a new group, say *Administrators*.

   * Add all Horde administrators to that group.

3. Now you are ready to set the permissions, so ordinary users won't see the Horde portal link:

   * In the Administration/Permissions menu, add the new permission: *Horde (horde)*.

   * Edit the *Horde (horde)* entry to grant the following permissions:

     * To all authenticated users: Read, Edit, Delete. (This will remove the sidebar menu entry for Horde.)

     * To the *Administrators* group: Show, Read, Edit, Delete. (This will retain the sidebar menu entry.)

4. Remove Horde from the top-bar menu (if it appears there at all):

   * As a Horde administrator, open (in the sidebar) the *Administration/Setup* menu.

   * In the *Application* field, choose the *Mail (imp)* entry.

     * Under the *External Utilities and Menu* tab, edit the *Menu settings*, then click on *Generate Mail Configuration*.

     * Note: You can, of course, use Turba and Ingo with your Webmail installation; in this case, you will here activate their respective entries for the Imp menu.

   * If you have Turba, or Ingo, installed then edit their respective menu settings, in the same way.

5. Instruct your users on how to set Horde's *Global Options*, particularly the preferred language:

   * In top bar of the *Options* submenu, in the *Edit options for* field, choose the *Global Options* application,

   * then, if necessary, klick on the *Go* button, nearby.

   * Note: In German, this bit is particularly confusing, as both Horde's *Global Options*, and Imp's *General Options* are termed alike, viz. *Allgemeine Einstellungen*.

   * Note: Alternatively, you could try to include Horde's *Global Options* with Imp's option menu, by modifying imp/config/prefs.php, but that is beyond the scope of this advice.

----

--------
 Hermes
--------

To allow authenticated users to see the time tracking module you must give at least Show and Read permissions to the "hermes" application

* Choose Administration --> Permissions

* Click on the All Permissions "keys" icon

* When the "Add a child Permission" pane appears, choose the Hermes module

* Click the Add button

* Click the "notepad" icon to edit the permissions for Hermes

* On the default permissions tab, check Show and Read

To allow a user to be able to Review time from other users you must make changes to the hermes permissions.  Here are the steps:

* Choose Administration --> Permissions

* If the Hermes permissions are not yet set, follow the steps above.

* Click on the Hermes "keys" icon

* When the "Add a child Permission pane appears, choose the Time Review module

* Click on the Permissions tab for the user or group that you want check, Show

----

-------
 Turba
-------

A read-only LDAP address book
=============================

To allow authenticated users to search the addressbook of your organization (provided it is kept on an LDAP server), and to use the e-mail addresses contained therein to compose messages:

1. Define, in turba/config/sources.php, that addressbook, using sizelimit, export, and browse to prevent large-scale address copying, e. g.:
::

 /** Central E-Mail Directory (read-only) **/
 $cfgSources['localldap'] = array('title' => _("E-Mail directory Example Ltd."),
                                  'type' => 'ldap',
                                  'params' => array('server'    => 'ldap.example.com',
                                                    'port'      => '389',
                                                    'tls'       => false,
                                                    'root'      => 'ou=people,o=Example Ltd.,c=com',
                                                    'charset'   => 'utf-8',
                                                    'sizelimit' => 200,
                                                    'scope'     => 'one',
                                                    'version'   => 3),
                                  'map'    => array('__key'     => 'dn',
                                                    'name'      => 'cn',
                                                    'email'     => 'mail'),
                                  'search' => array('name', 'email'),
                                  'strict' => array('dn'),
                                  'export' => false,
                                  'browse' => false);


2. Login to Horde as an administrator, then select the Administration/Permissions menu.1. Under *All Permissions*, add new permission *Address Book (turba)*

2. Under *Address Book (turba)*, add new permission *Sources (sources)*

3. Under *Sources (sources)*, add new permission *E-Mail directory Example Ltd. (localldap)*

4. Edit the added permissions to grant all authenticated users the following rights:

   * *Address Book (turba):* Show, Read, Edit, Delete (This will provide access to turba via the menus.)    

   * *Sources (sources):* Show, Read, Edit, Delete

   * *E-Mail directory Example Ltd. (localldap):* Show, Read (This will hide, in the several menus, all editing operations that would otherwise cause weird error messages.)