Configuring delegated administrator rights on the PingDirectory server
To delegate users or groups as administrators, use the PingDirectory Server Administrative Console (Delegated Admin rights and resource rights) or the dsconfig create-delegated-admin-rights and create-delegated-admin-resource-rights commands.
About this task
To use Delegated Admin, an administrator must possess rights that are designated through the PingDirectory server configuration, in addition to valid credentials and an access token that the PingDirectory server can validate.

Admin Permissions

create - The administrator can create new resources of this type.
read - The administrator can read resources of this type. The create, delete, update, update-profile, reset-password, and manage-group-membership permissions require the read permission.
update - The administrator can edit resources of this type.
delete - The administrator can delete resources of this type.
update-profile - The administrator can update user profiles but is not granted password-change-related privileges. For group and generic resource types, the update-profile permission gives the same rights as the update permission.
reset-password - The administrator can reset passwords without the ability to change other user attributes.
manage-group-membership - The administrator can manage the membership of a group resource by adding or removing members. This permission is only applicable to group resource types.
reference - The administrator can reference resources when selecting a parent during the creation of another resource. With the reference permission specified, the administrator can use a parent REST resource type without seeing the option to manage the parent resource type. For example, if the parent type for users is Organizational Unit, the administrator can have reference rights to the Organizational Unit resource type only. The administrator can create users without seeing the Manage Organizational Unit navigation option. The administrator can also reference resource types in Delegated Admin attributes. For example, the administrator can select user entries from a list based on their distinguished names (DNs) without displaying the actual values of the DNs.
download - The administrator can download reports for resources of this type. With this permission, the Download Report button shows on the Reporting page for the administrator.
upload - The administrator can upload a .csv file to import resources of this type. With this permission, the Upload File button shows on the Reporting page for the administrator.
For the parent resource type to be available for the creation of new entries under the parent, the
To prevent changes that might break the configuration of the app, the app does not allow changes to RDN attributes of a resource entry DN for resources referenced in the Delegated Admin server configuration. This includes the following configuration elements:
- admin-user-DN and admin-group-DN of Admin Rights
- resource-subtree and resources-in-group of Admin Resource Rights
For example, if an Admin Rights configuration contains admin-group-DN: cn=Admin Group,dc=example,dc=com and some administrator has rights to modify that particular group through the app, then the cn attribute of that group can't be changed without invalidating the configuration. The attribute label has a lock icon and a message indicating that the value can only be changed by a server administrator.
The example commands that follow illustrate the configuration options for delegated administration and are performed on the PingDirectory server.
Administrators who manage only specific subtrees can't create users in an organization that does not reside under, or at the same level as, one of the subtrees.
Steps
- Restrict an administrator to manage users in specified subtrees.
Example:
$ bin/dsconfig create-delegated-admin-rights \
    --rights-name admin1 \
    --set "admin-user-dn:uid=admin1,ou=people,dc=example,dc=com" \
    --set enabled:true
$ bin/dsconfig create-delegated-admin-resource-rights \
    --rights-name admin1 \
    --rest-resource-type users \
    --set admin-scope:resources-in-specific-subtrees \
    --set "resource-subtree:ou=org1,dc=example,dc=com" \
    --set admin-permission:create \
    --set admin-permission:read \
    --set admin-permission:update \
    --set admin-permission:delete \
    --set enabled:true
- Restrict an administrator to managing the member users of one or more specified groups.
Example:
In the following example, assume the existence of a static or dynamic group entry whose members include the users to be managed.
$ bin/dsconfig create-delegated-admin-rights \
    --rights-name admin1 \
    --set "admin-user-dn:uid=admin1,ou=people,dc=example,dc=com" \
    --set enabled:true
$ bin/dsconfig create-delegated-admin-resource-rights \
    --rights-name admin1 \
    --rest-resource-type users \
    --set admin-scope:resources-in-specific-groups \
    --set "resources-in-group:cn=User Group,dc=example,dc=com" \
    --set admin-permission:read \
    --set admin-permission:update \
    --set enabled:true
- Assign the delegated admin rights to a group REST resource type that matches the specified group. For more information, see Manage groups.
- Rather than delegate a single user as an administrator, delegate an entire group of users as administrators.
For more information about the PingDirectory server administrators and configuring dynamic and static groups, see the PingDirectory Server Administration Guide.
Example:
In this example, groups can be configured to manage specific subtrees or groups with the resources-in-specific-subtrees or resources-in-group setting for the admin-scope.
$ bin/dsconfig create-delegated-admin-rights \
    --rights-name admin-group1 \
    --set "admin-group-dn:cn=Admin Group,ou=people,dc=example,dc=com" \
    --set enabled:true
$ bin/dsconfig create-delegated-admin-resource-rights \
    --rights-name admin-group1 \
    --rest-resource-type users \
    --set admin-scope:all-resources-in-base \
    --set admin-permission:create \
    --set admin-permission:read \
    --set admin-permission:update \
    --set admin-permission:delete \
    --set enabled:true
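The following shell helper is an added example, not part of the PingDirectory documentation or product: it checks a proposed set of admin-permission values against the dependency rule given under Admin Permissions (create, delete, update, update-profile, reset-password and manage-group-membership all require read) and then prints, without running it, the create-delegated-admin-resource-rights command for a subtree-scoped rights set like the ones in the steps above. The function names and the helpdesk1 rights set are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not PingDirectory code): validate a Delegated Admin permission
# set before handing it to dsconfig, so a rights set is never created with
# privileges that the server's dependency rule would make inconsistent.

check_admin_permissions() {
    # Arguments: admin-permission values, e.g. "create read update".
    # Returns 0 if consistent, 1 if read is missing but required, 2 if unknown.
    has_read=0
    needs_read=""
    for p in "$@"; do
        case "$p" in
            read) has_read=1 ;;
            create|delete|update|update-profile|reset-password|manage-group-membership)
                needs_read="$needs_read $p" ;;
            reference|download|upload) ;;
            *) echo "unknown admin-permission: $p" >&2; return 2 ;;
        esac
    done
    if [ -n "$needs_read" ] && [ "$has_read" -eq 0 ]; then
        echo "admin-permission values$needs_read require read" >&2
        return 1
    fi
    return 0
}

build_subtree_rights_cmd() {
    # Arguments: rights-name, resource-subtree DN, then admin-permission values.
    # Prints the dsconfig command on stdout; does not execute it.
    rights_name=$1
    subtree=$2
    shift 2
    check_admin_permissions "$@" || return $?
    cmd="bin/dsconfig create-delegated-admin-resource-rights"
    cmd="$cmd --rights-name $rights_name --rest-resource-type users"
    cmd="$cmd --set admin-scope:resources-in-specific-subtrees"
    cmd="$cmd --set \"resource-subtree:$subtree\""
    for p in "$@"; do
        cmd="$cmd --set admin-permission:$p"
    done
    cmd="$cmd --set enabled:true"
    printf '%s\n' "$cmd"
}

# Least-privilege case (constructed): a help-desk rights set that may only
# read users and reset their passwords under ou=org1.
build_subtree_rights_cmd helpdesk1 "ou=org1,dc=example,dc=com" read reset-password
```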