PingDirectory

Parameterized Delegated Administrator Rights

Delegated Admin rights can be parameterized so that a single definition provides a pattern for new administrators.

This allows a privileged administrator for a hosting company to use Delegated Admin to onboard a new tenant administrator to manage resources for the tenant’s own organization. Using parameterized rights eliminates the need for the PingDirectory server configuration changes to create a new administrator.

In the following example, it’s assumed that there are three REST resource types configured:

  • orgs

  • groups

  • users

The users resource type has the parent resource type orgs.

$ bin/dsconfig create-delegated-admin-rights \
--rights-name "Tenant Admin" \
--set enabled:true \
--set 'admin-group-dn:cn=($1),ou=groups,dc=example,dc=com'

$ bin/dsconfig create-delegated-admin-resource-rights \
--rights-name "Tenant Admin" \
--rest-resource-type users --set enabled:true \
--set admin-permission:create \
--set admin-permission:read --set admin-permission:update \
--set 'resource-subtree:ou=($1),dc=example,dc=com'

$ bin/dsconfig create-delegated-admin-resource-rights \
--rights-name "Tenant Admin" \
--rest-resource-type orgs --set enabled:true \
--set admin-permission:reference \
--set 'resource-subtree:ou=($1),dc=example,dc=com'

A privileged admin can perform the following steps to onboard a new tenant in Delegated Admin:

  • Add a new org for the tenant.

  • Add a new group with the same name as the new org, representing the tenant admins.

  • Add a new user representing an initial tenant admin.

  • Add the new tenant admin user to the tenant admin group.

The tenant admin user can now sign on to the app and manage users for their own organization.