Delegated mailboxes
A delegated mailbox is a mailbox that can be accessed by other employees. This can be useful when employees need to respond to customers in place of their colleague who went on vacation or in other similar situations.
Limitation
You can only delegate mailboxes that have their owners' accounts created on the organization's domain.
Preparing to work with delegated mailboxes via the API
All operations with delegated mailboxes are currently available via the API only.
1. To work with the API, you'll need an OAuth token, which you can get after creating an application in the Yandex OAuth service.
   - If you don't have an OAuth application yet, follow the instructions on the Access to API page to create one and obtain a token. When creating an application, select the permissions ya360_admin:mail_read_shared_mailbox_inventory and ya360_admin:mail_write_shared_mailbox_inventory.
   - If you already have an OAuth application for working with the Yandex 360 for Business API, add permissions to view and edit mailbox access settings to it and then get a new OAuth token following this instruction.
2. Gather data needed for API requests.
   1. Find the organization ID: go to admin.yandex.ru and select General settings → Company profile. You can see the ID below the organization name.
   2. Find the ID of the employee who needs access. To do this:
      1. Select Users → Employees.
      2. Find the line with the employee you need and click their name.
      3. Right-click the employee's username and copy the link address.
      4. Insert the address into any text editor. The ID is the part of the address after uid=. For example, in the address https://staff.yandex.ru/bb?org_id=5487632&uid=2260000054273165 the ID is 2260000054273165.

      Is it possible to find employee IDs using the API?
      Sure. There's a request that returns the list of IDs. View documentation.
Enable mailbox delegation
Note
There's a limit on the number of delegated mailboxes in the organization. For more information about the existing limitations, see the Limits section on the "Shared access" page.
When you enable delegation for a mailbox, this mailbox is considered delegated even if access by other employees is not yet configured. When you no longer need shared access to the mailbox, disable the delegation option so that it doesn't count toward the available limit.
1. Prepare a file named resource.json that will contain the data for the request. You can do it in any text editor. In the file, specify the ID of the owner of the mailbox for which you're enabling delegation. Use the following format:
   { "resourceId": "{OWNER}" }
   where {OWNER} is the ID of the delegated mailbox owner you got at Step 2.2 of the "Preparing to work with delegated mailboxes" instruction.
2. Enable mailbox delegation by sending a request to the API:
   - HTTP method: PUT
   - Request URL:
     https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mailboxes/delegated
     where {ORGANIZATION} is the ID of the organization you got at Step 2.1 of the "Preparing to work with delegated mailboxes" instruction.
     Example:
     https://api360.yandex.net/admin/v1/org/1234567/mailboxes/delegated
   - Headers:
     Authorization: OAuth {OAUTH TOKEN}
     Content-Type: application/json
     where {OAUTH TOKEN} is the OAuth token you got at Step 1 of the "Preparing to work with delegated mailboxes" instruction.
   - Request body is in the resource.json file you created at Step 1 of this instruction.

   If you use Windows, you can submit a request to enable mailbox delegation using a curl command formatted as follows:
   curl -X PUT -H "Authorization: OAuth {OAUTH TOKEN}" -H "Content-Type: application/json" -d "@resource.json" https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mailboxes/delegated
   where:
   - {OAUTH TOKEN} is the OAuth token you got at Step 1 of the "Preparing to work with delegated mailboxes" instruction.
   - resource.json is the file with the request body created at Step 1 of this instruction.
   - {ORGANIZATION} is the ID of the organization you got at Step 2.1 of the "Preparing to work with delegated mailboxes" instruction.

   I don't understand how to do this
   1. Prepare the command: copy and paste the sample code above into any text editor, replacing the values with your token and IDs.
   2. Open the folder containing the resource.json file.
   3. Click on empty space in the address bar.
   4. Type cmd there and press Enter.
   5. The "Command line" window will open. Insert the command you've prepared and press Enter.
3. Analyze the response you get: if the request is successful, you'll get the 200 OK status code with the ID of the mailbox for which the delegation option was enabled.
Provide access to the mailbox
To allow other employees to access the mailbox, you first need to enable the delegation option.
Group operations for access provisioning are not yet supported. With one request, you can provide, modify, or restrict access rights only for one employee and only to one mailbox. But you can submit multiple such requests at a time.
1. Prepare a file named roles.json that will contain the data for the request. You can do it in any text editor. In the file, specify the roles of the employee to whom you're granting access to the mailbox. For the description of roles, see Roles and access rights.
   Sample roles.json file:
   { "roles": [ "shared_mailbox_imap_admin", "shared_mailbox_half_sender" ] }
   The list should include either the shared_mailbox_sender role or the shared_mailbox_owner role, as they're responsible for read access.
2. Send a request to the API to provide employees with access to the delegated mailbox:
   - HTTP method: POST
   - Request URL:
     https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mailboxes/set/{OWNER}?actorId={EMPLOYEE WITH ACCESS}&notify={NOTIFICATION DELIVERY PARAMETER}
     where:
     - {ORGANIZATION} is the ID of the organization you got at Step 2.1 of the "Preparing to work with delegated mailboxes" instruction.
     - {OWNER} is the mailbox owner ID you got at Step 2.2 of the "Preparing to work with delegated mailboxes" instruction.
     - {EMPLOYEE WITH ACCESS} is the ID of the employee who needs to be granted access to the mailbox. You got it at Step 2.2 of the "Preparing to work with delegated mailboxes" instruction.
     - {NOTIFICATION DELIVERY PARAMETER} is the parameter that determines who needs to receive a notification email about changes in mailbox access rights. Possible values: all, delegates, none. For the descriptions of the parameter values, see Notifications.
     Example:
     https://api360.yandex.net/admin/v1/org/1234567/mailboxes/set/2260000054273165?actorId=3340000075421587&notify=all
   - Headers:
     Authorization: OAuth {OAUTH TOKEN}
     Content-Type: application/json
     where {OAUTH TOKEN} is the OAuth token you got at Step 1 of the "Preparing to work with delegated mailboxes" instruction.
   - Request body is in the roles.json file you created at Step 1 of this instruction.

   If you use Windows, you can submit a request to provide mailbox access using a curl command formatted as follows:
   curl -X POST -H "Authorization: OAuth {OAUTH TOKEN}" -H "Content-Type: application/json" -d "@roles.json" "https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mailboxes/set/{OWNER}?actorId={EMPLOYEE WITH ACCESS}&notify={NOTIFICATION DELIVERY PARAMETER}"
   The URL is enclosed in double quotes because it contains the & character, which the Windows command line otherwise treats as a command separator.
   In the command:
   - {OAUTH TOKEN} is the OAuth token you got at Step 1 of the "Preparing to work with delegated mailboxes" instruction.
   - roles.json is the file with the request body created at Step 1 of this instruction.
   - {ORGANIZATION} is the ID of the organization you got at Step 2.1 of the "Preparing to work with delegated mailboxes" instruction.
   - {OWNER} is the mailbox owner ID you got at Step 2.2 of the "Preparing to work with delegated mailboxes" instruction.
   - {EMPLOYEE WITH ACCESS} is the ID of the employee who needs to be granted access to the mailbox. You got it at Step 2.2 of the "Preparing to work with delegated mailboxes" instruction.
   - {NOTIFICATION DELIVERY PARAMETER} is the parameter that determines who needs to receive a notification email about changes in mailbox access rights. Possible values: all, delegates, none. For the descriptions of the parameter values, see Notifications.
3. Analyze the response you get: if the request is successful, you'll get the 200 OK status code with the ID of the task for changing permissions. Save the ID you obtained.
4. To check that access has been granted, send another request with the task ID pasted into it:
   curl -X GET -H "Authorization: OAuth {OAUTH TOKEN}" https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mailboxes/tasks/{TASK ID}
   In response, you'll get the status of the task for changing permissions. The permissions are successfully changed if the response contains the value complete.
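The grant and task-check requests from the steps above, prepared from a script instead of a hand-edited command line. This is an added example, not code from the Yandex 360 documentation. It assumes that organization and employee IDs are numeric, as in the page's examples, and the environment variable name Y360_OAUTH_TOKEN is hypothetical.

```python
import json
import os
import re
import urllib.parse
import urllib.request

API_BASE = "https://api360.yandex.net/admin/v1/org"
NOTIFY_VALUES = ("all", "delegates", "none")  # values listed on this page


def _numeric_id(name, value):
    # IDs are placed in the URL path and query, so accept ASCII digits only.
    if not re.fullmatch(r"[0-9]+", str(value)):
        raise ValueError(f"{name} must be a numeric ID, got {value!r}")
    return str(value)


def _headers(token):
    # Y360_OAUTH_TOKEN is a hypothetical variable name; reading the token from
    # the environment keeps it out of saved command lines and scripts.
    token = token or os.environ.get("Y360_OAUTH_TOKEN")
    if not token:
        raise ValueError("OAuth token is not set")
    return {"Authorization": f"OAuth {token}", "Content-Type": "application/json"}


def build_access_request(org_id, owner_id, actor_id, roles, notify="all", token=None):
    """Prepare (without sending) the POST that sets one employee's roles."""
    if notify not in NOTIFY_VALUES:
        raise ValueError(f"notify must be one of {NOTIFY_VALUES}")
    if isinstance(roles, str) or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles must be a list of role names")
    query = urllib.parse.urlencode(
        {"actorId": _numeric_id("actor_id", actor_id), "notify": notify})
    url = (f"{API_BASE}/{_numeric_id('org_id', org_id)}/mailboxes/set/"
           f"{_numeric_id('owner_id', owner_id)}?{query}")
    body = json.dumps({"roles": list(roles)}).encode("utf-8")  # [] revokes access
    return urllib.request.Request(url, data=body, method="POST", headers=_headers(token))


def build_task_status_request(org_id, task_id, token=None):
    """Prepare the GET that reports the status of a permission-change task."""
    task = urllib.parse.quote(str(task_id), safe="")  # task ID format is not assumed
    url = f"{API_BASE}/{_numeric_id('org_id', org_id)}/mailboxes/tasks/{task}"
    return urllib.request.Request(url, method="GET", headers=_headers(token))


def send(request, timeout=30):
    """Send a prepared request; return (HTTP status, response body as text)."""
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status, response.read().decode("utf-8")
```

Nothing is sent until `send()` is called on a prepared request, so the URL and body can be inspected or logged (without the Authorization header) before access rights change.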
Change mailbox access rights
To change an employee's access rights to the mailbox, follow the instruction for granting access and replace the list of roles in the roles.json file.
Disable access to the mailbox
To disable access to the mailbox for a specific employee, follow the instruction for granting access and specify an empty list in the roles.json file that lists available roles:
{
"roles": []
}
When you disable access for an employee, the mailbox is still considered delegated, even if the only person that retains access to it is its owner. To undelegate the mailbox, you need to disable the delegation option.
Disable mailbox delegation
To disable the option to delegate the mailbox, send a DELETE request:
curl -X DELETE -H "Authorization: OAuth {OAUTH TOKEN}" https://api360.yandex.net/admin/v1/org/{ORGANIZATION}/mailboxes/delegated/{OWNER}
When you disable the mailbox delegation option, all employees who have access to this mailbox will lose this access.
API documentation
For a complete description of all access control methods, see the documentation.
An API is a special mechanism for managing Yandex 360 services, designed primarily for process automation. There are two ways to work with the API: create a special application (which can be done by a developer) or use the computer's command line. You can find the developer documentation here.
OAuth token: a special code allowing access to data on behalf of a specific user.
POST request: an API request to create a new resource on the server. It's used to send data to the server to create a new item or perform an action.
DELETE request: an API request to delete an existing resource on the server. It's used to delete a resource by its ID or another unique identifier.