I've just begun experimenting with the Zimbra ACLs. I have an admin person that I want to allow to use the "adminLoginAs" feature, but just on a few specific accounts.

I've created an Administrator group and added his account as a member. Then on the Configure Grants tab for this group I've given these rights.

Code:
GRANTEE NAME     TARGET NAME     TARGET TYPE     RIGHT NAME
admingroup@my.domain     target@my.domain     account     adminLoginAs
admingroup@my.domain     my.domain                    domain      adminConsoleAccountRights
It works fine this way, but giving the "adminConsoleAccountRights" at the domain is giving more rights than I want to allow. The adminLoginAs doesn't work if I take that away....they cannot search the domain for the account in the Admin Console. If I give "listAccount" or "getAccount", they can find the account...they can click on the "View Mail" button and it looks like it's going to open the mailbox in a new tab....but it eventually times out.

Just trying to figure out the magic combination to allow the adminLoginAs and nothing else.

Thanks,
Matt