Multi-admin Control Panel Access and Audit Trail
Mail Assure provides a multi-level access structure for Admin, Sub-admin, Domain and Email level users. An unlimited hierarchy can be created where each parent account has full access to underlying domains, and associated Sub-admin, Domain and Email users.
Each Admin, Domain or Email user account supports only one username/password. All activity for each username and IP address is logged on the platform. Larger organizations with more than one admin user requiring access to an account need a solution that does not involve sharing the account password. For this situation, a simple Single-Sign-On (SSO) module is available via the API (see the Authentication section), allowing integration with your external control panel(s), billing system or support system. Using this method, each user's activities are tracked by the system and revealed in the audit trail.
There are many open-source modules available for integration with your control panel.
If no module is available for your platform, the link can be generated from the command line or any programming language and then displayed to the user so they can access the system. By passing the optional 'identifier' variable, an audit trail related to that identifier will be recorded, so that you can identify the actions performed by each user.
The following shows a simple API method to generate authtickets:
Method for generating authentication tickets. Such tickets can be used for web interface access without the need to enter a username and password. A new authticket can be used for several login attempts; however, it expires after 15 minutes.
username (string): Username of a user to create authticket for
identifier (string): Custom identifier for client username in the API logging. -OPTIONAL
The following example uses Curl:
adminusername: Replace with your Mail Assure admin access credentials; they allow the generation of an authticket for any related sub-admin, domain, or email user
password: Replace with your Mail Assure admin password
subadminexample: Replace this with the username you wish to grant access to
staffmembername: Replace this with an optional identifier for the audit trail, for example the username of the specific staff member who is granted access.
The command will return a string (e.g. “736586bf5983138a6408bb145a3fbc9985091bf7”), which you can use for the SSO URL and display in your control panel to the authorized user:
Make sure the admin credentials in the script are secured, and not accessible externally. Additionally, ensure the authticket is only exposed to authorized users.
The following shows a PHP example:
<?php
// ========== Parameters section ==========
// This is a sample sso.php script, please ensure to only use this in a secured environment
// This script can be called via url:
// The GET variable 'u' in the URL should contain the (sub-)admin, domain, or email for which you want
// to create a one-click-login link.
// API documentation is available at https://antispam.webserver.hostname
$cfg = array(
    'panel_host' => 'antispam.hostname', // Please set the webinterface hostname.
    'admin_user' => 'admin_username', // Please set your admin username.
    'admin_pass' => 'admin_password', // Please set your admin password.
    'identifier' => 'custom_identifier', // This is a custom field allowing to set an identifier for auditing, as all activity will be logged using this variable
    'new_window' => 0, // In case of 'output' parameter = 'link' this parameter tells where to open login link - in the same window (0) or in the new window (1)
);
// Ticket-creation API call, authenticated with the admin credentials
$createAuthTicketURL = 'https://' . $cfg['admin_user'] . ':' . $cfg['admin_pass'] . '@' . rtrim($cfg['panel_host'], '/')
    . '/api/authticket/create/username/' . (!empty($_REQUEST['u']) ? rawurlencode($_REQUEST['u']) : '');
$authTicket = trim(file_get_contents($createAuthTicketURL));
// URL-encode the audit identifier before placing it in the query string
$identifier = rawurlencode($cfg['identifier']);
$url = 'https://' . rtrim($cfg['panel_host'], '/') . '/?authticket=' . $authTicket . '&identifier=' . $identifier;
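The same ticket flow as an added Python sketch (not part of the original page or the vendor's code) that follows the advice above: admin credentials stay out of the script and out of the URL, and the API response is checked before it goes into the link. The environment variable names and the 40-hex ticket pattern (taken from the sample string above) are assumptions.

```python
import base64
import os
import re
import urllib.parse
import urllib.request

PANEL_HOST = "antispam.hostname"  # placeholder hostname, as in the PHP sample
# Assumption: tickets look like the 40-character hex sample shown on this page.
TICKET_RE = re.compile(r"[0-9a-f]{40}")


def create_url(username: str) -> str:
    """Ticket-creation URL (same path as the PHP sample), with no credentials in it."""
    if not username:
        raise ValueError("username is required")
    user = urllib.parse.quote(username, safe="")
    return f"https://{PANEL_HOST}/api/authticket/create/username/{user}"


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic header: what curl and PHP derive from user:pass@host URLs."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_ticket(body: str) -> str:
    """Accept only a bare ticket, so error text is never embedded in a link."""
    ticket = body.strip()
    if not TICKET_RE.fullmatch(ticket):
        raise ValueError("unexpected response from authticket API")
    return ticket


def sso_url(ticket: str, identifier: str) -> str:
    """One-click login link; the audit identifier is URL-encoded."""
    query = urllib.parse.urlencode(
        {"authticket": ticket, "identifier": identifier},
        quote_via=urllib.parse.quote)
    return f"https://{PANEL_HOST}/?{query}"


def one_click_link(username: str, staff_id: str) -> str:
    """Full flow. Credentials come from hypothetical environment variables."""
    req = urllib.request.Request(create_url(username))
    req.add_header("Authorization", basic_auth_header(
        os.environ["MAILASSURE_ADMIN_USER"], os.environ["MAILASSURE_ADMIN_PASS"]))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return sso_url(parse_ticket(resp.read().decode()), staff_id)
```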