PingDirectory

Configuring delegated administrator rights on the PingDirectory server

To delegate users or groups as administrators, use the PingDirectory Server Administrative Console (Delegated Admin rights and resource rights) or the dsconfig create-delegated-admin-rights and create-delegated-admin-resource-rights commands.

About this task

To use Delegated Admin, an administrator must possess rights that are designated through the PingDirectory server configuration in addition to valid credentials and an access token that the PingDirectory server can validate.

Admin Permissions
create

The administrator can create new resources of this type.

read

The administrator can read resources of this type.

The create, delete, update, update-profile, reset-password, and manage-group-membership, update permissions require the read permission.

update

The administrator can edit resources of this type.

delete

The administrator can delete resources of this type.

update-profile

The administrator can update user profiles but isn’t allowed password- change-related privileges.

For group and generic type resources, the update-profile permission gives the same rights as the update permission.

reset-password

The administrator can reset passwords without the ability to change other user attributes.

manage-group-membership

The administrator can manage the membership of a group resource by adding or removing members. This permission is only applicable to group resource types.

reference

The administrator can reference resources when selecting a parent during the creation of another resource. With the reference permission specified, the administrator can use a parent REST resource type without seeing the option to manage the parent resource type. For example, if the parent type for users is Organizational Unit, the administrator can have reference rights to the Organizational Unit resource type only. The administrator can create users without seeing the Manage Organizational Unit navigation option.

The administrator can reference resource types in Delegated Admin attributes. For example, the administrator can select user entries from a list based on their distinguished name (DN) without displaying the actual values of the DNs.

download

The administrator can download reports for resources of this type. With this permission, the Download Report button shows on the Reporting page for the administrator.

upload

The administrator can upload a .csv file to import resources of this type. With this permission, the Upload File button shows on the Reporting page for the administrator.

For the parent resource type to be available for the creation of new entries under the parent, the read or reference permission must be specified.

To prevent changes that might break the configuration of the app, the app does not allow changes to RDN attributes of a resource entry DN, for resources referenced in the Delegated Admin server configuration. This includes the following configuration elements:

  • admin-user-DN and admin-group-DN of Admin Rights

  • resource-subtree and resources-in-group of Admin Resource Rights

    For example, if an Admin Rights configuration contains admin-group-DN: cn=Admin Group,dc=example,dc=com and some administrator has rights to modify that particular group through the app, then the cn attribute of that group can’t be changed without invalidating the configuration. The attribute label has a lock icon and a message indicating that the value can only be changed by a server administrator.

    The example commands that follow illustrate the configuration options for delegated administration and are performed on the PingDirectory server.

    Administrators who manage only specific subtrees can’t create users in an organization that does not reside under, or at the same level as, one of the subtrees.

Steps

  • Restrict an administrator to manage users in specified subtrees.

    Example:

    $ bin/dsconfig create-delegated-admin-rights \
      --rights-name admin1 \
      --set "admin-user-dn:uid=admin1,ou=people,dc=example,dc=com" \
      --set enabled:true
    
    $ bin/dsconfig create-delegated-admin-resource-rights \
      --rights-name admin1 \
      --rest-resource-type users \
      --set admin-scope:resources-in-specific-subtrees \
      --set "resource-subtree:ou=org1,dc=example,dc=com" \
      --set admin-permission:create \
      --set admin-permission:read \
      --set admin-permission:update \
      --set admin-permission:delete \
      --set enabled:true
  • Restrict an administrator to managing the member users of one or more specified groups.

    Example:

    In the following example, assume the existence of a static or dynamic group entry whose members include the users to be managed.

    $ bin/dsconfig create-delegated-admin-rights \
      --rights-name admin1 \
      --set "admin-user-dn:uid=admin1,ou=people,dc=example,dc=com"
      --set enabled:true
    $ bin/dsconfig create-delegated-admin-resource-rights \
      --rights-name admin1 \
      --rest-resource-type users \
      --set admin-scope:resources-in-specific-groups \
      --set "resources-in-group:cn=User Group,dc=example,dc=com" \
      --set admin-permission:read \
      --set admin-permission:update \
      --set enabled:true
  • Assign the delegated admin rights to a group REST resource type that matches the specified group.

    For more information, see Manage groups.

  • Rather than delegate a single user as an administrator, delegate an entire group of users as administrators.

    For more information about the PingDirectory server administrators and configuring dynamic and static groups, see the PingDirectory Server Administration Guide.

    Example:

    In this example, groups can be configured to manage specific subtrees or groups with the resources-in-specific-subtrees or resources-in-group setting for the admin-scope.

    $ bin/dsconfig create-delegated-admin-rights \
      --rights-name admin-group1 \
      --set "admin-group-dn:cn=Admin Group,ou=people,dc=example,dc=com"
      --set enabled:true
    
    $ bin/dsconfig create-delegated-admin-resource-rights \
      --rights-name admin-group1 \
      --rest-resource-type users \
      --set admin-scope:all-resources-in-base \
      --set admin-permission:create \
      --set admin-permission:read \
      --set admin-permission:update \
      --set admin-permission:delete \
      --set enabled:true