Have not found any discussion on this matter, as, probably, for onsite inhouse (or within local admin control) ZCS installations this might be not necessary. But anyway...

We are planning to evolve our server administration and customer support services for our customers (as a small ISP) and I was bothering about our customers' data security. For sure, we are planning several layers of access, including administration of ZCS servers and customer accounts. But for now, I have not found any reasonable solution to prevent ZCS server administrators to access our customers' data in mailboxes.

What might be considered as a good practice to limit or control such access? Our potential customers often ask this question. For now, I do not have any specific answer, rather relying on trust, long term business targets, etc. Can anybody share their thoughts or solutions for that?

The one, that comes in my mind, is artificially limit such admin's access via controlling log files and providing decent support system - e.g. no admin access to user accounts should happen, if no relevant support ticket is issued or in progress. But still this might be a fight after bad things happen. As well, how to limit permissions or accessibility for senior/junior admins, as senior might be the most trusted ones (again trust).

Another - letting somebody to administer ZCS from CLI only, by not letting access to admin interface, but this might be a partial solution, and has to be controlled outside Zimbra stack.

What are good practices at your place, guys, dealing with multi-domain customers?