I work at a university, where we have staff members who can also teach as adjunct faculty members. We issue an account for the individual based on their name, so Joe Smith would get [email protected], and it is up to them to sort through their mail for staff content versus adjunct content.
HR wants these individuals to have 2 accounts, one for their staff work and one for their adjunct work, so the two are completely separated. One reason is that if the staff role is terminated for any reason, they shouldn't have access to their staff content, but could still continue in their adjunct role. Using the previous "Joe Smith" example, they would keep their [email protected] account for staff work, and get the next iteration of our naming scheme as an additional [email protected] for their adjunct account.
I don't want to do this for a number of reasons:
- From a security perspective, I'd like 1 user to have 1 account
- It takes an extra email account license (we are using Zimbra)
- It's confusing to have two accounts that map to the same person for different roles
- In any case, the user has that content, and can do whatever they want with it: forward it to their other account, save it to disk, whatever. So if HR has dreams of keeping any staff-only information from a user when their staff employment is terminated, that is a pointless battle
Some options we have thought of:
- Create an alias and set up a persona in Zimbra - This solves the licensing issue and everything is in the same account, but is not separate in that if their staff employment is terminated they would still have access to all that stuff.
- Different domains - having [email protected] and [email protected] - This is still as crappy as the two-account solution; now they are just spread across 2 domains
Has anyone else experienced a similar situation, and if so how did you deal with it?
I don't see anything wrong with the HR plan. It makes sense to me to keep the emails separated by role. If the additional licensing cost is approved then my opinion would be to go with it.
You have a point about a user accessing email sent to one role from the other role, but I think the point is to take appropriate steps to keep the roles distinct and unique, not to close any and every possible loophole that exists. If that were the case then you'd have a lot more work to do, and not just regarding email.
I agree with your point #4 - trying to limit people's access to emails after the fact is an exercise in futility.
Setting up email addresses that are both personal (which is what you've got with your smithj@ addresses) and role-based seems like a logistical nightmare: will you have to have things like: [email protected] and [email protected]? What about people who are promoted, or otherwise change their roles: [email protected] gets tenure and has to change to [email protected]?
If the specific emails should be separated, you won't be able to handle all emails within a single user's account in Zimbra's mailstore. You could filter them for forwarding into specific folders, but for a complete separation you'll need different accounts.
An almost automatic solution for separating emails into different accounts would be to use the recipient_delimiter option in Zimbra's Postfix, or a virtual transport table with regular expressions.
Then you could, e.g., set up a second imapd like dovecot and forward specific mails to this daemon via LMTP. As the auth mechanism you can use Zimbra's LDAP service, so you have no recurring additional work with user accounts on the second imapd. In such a solution, dovecot will need to serve on non-standard ports to work in parallel with Zimbra. With such a solution you'll have no additional license costs and the users have two accounts.
Another idea is to forward the emails from all users for a specific purpose into a single Zimbra account, filter them into different user folders, and give them access to that folder via a subscription in their own accounts. That could also be handled automatically, at least by a cron job. With that solution, the outgoing emails could be filtered and forwarded to those specific folders too.
Then the users just have to decide which identity they'll take for the outgoing emails: [email protected] or [email protected]
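The Postfix-side routing sketched in the answer above, as an added example (not from the original answer, and not Zimbra's or Postfix's own shipped configuration): a regexp transport map that sends sub-addressed adjunct mail to a separate Dovecot LMTP listener while everything else stays in the Zimbra mailstore. Assumptions, all placeholders: the domain example.edu, Dovecot LMTP listening on 127.0.0.1:24, and that Zimbra regenerates main.cf from its own templates, so these settings have to be applied through Zimbra's config tooling rather than by editing main.cf directly.

```conf
# Added example, not from the original post. Placeholders: example.edu,
# 127.0.0.1:24 (Dovecot LMTP). Assumes Zimbra manages main.cf, so apply these
# through its config tooling rather than editing the file by hand.

# --- main.cf fragment ---
# "+" is the sub-address separator: smithj+adjunct@example.edu
recipient_delimiter = +
# Consult a regexp table before the normal Zimbra delivery transport.
transport_maps = regexp:/opt/zimbra/conf/transport.regexp

# --- /opt/zimbra/conf/transport.regexp ---
# Postfix tries the full recipient (user+ext@domain) first, so the
# extension is still present when this pattern is evaluated.
# Only the "+adjunct" sub-address is diverted; plain smithj@ is untouched.
/^[^+@]+\+adjunct@example\.edu$/   lmtp:inet:127.0.0.1:24
```

On the Dovecot side, recipient_delimiter = + (a standard Dovecot setting) makes the mailbox lookup use the bare "smithj" part, so the adjunct store can authenticate the same LDAP user without the extension. Disabling the staff Zimbra account then leaves this separate store reachable, which is the separation HR asked for.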