PingDirectory

Delegated Admin

Consider the following points when upgrading your version of Delegated Admin.

Considerations

If you’re running Delegated Admin 3.5 or earlier, upgrade it to the latest version to use PingDirectory 8.0 or later.

For information about the compatibility between Delegated Admin and PingDirectory server versions, see the Compatibility matrix.

Upgrade considerations introduced in Delegated Admin 4.9

The default OpenID Connect (OIDC) grant type used by the dadmin client has been updated to Authorization Code with PKCE. The Delegated Admin application will continue to function normally with the Implicit grant type.

If you want to switch to Authorization Code with PKCE, see Changing the default OIDC grant type.

Upgrade considerations introduced in Delegated Admin 4.8

Two new permissions that affect user resource types have been added in Delegated Admin 4.8:

  • Update-profile grants the ability to update user profiles without allowing password-related privileges.

  • Reset-password grants the permission to reset passwords without the ability to change other user attributes.

To preserve current admin rights, no action is required after you upgrade.

Upgrade considerations introduced in Delegated Admin 4.6

To use the functionality that allows a help desk agent to trigger a password reset for a user, you must enable the Modifiable Password Policy State plugin on the PingDirectory server that serves as a resource backend.

To enable the Initiate Password Reset menu option on user entries, perform the following steps:

  1. Run the following command to enable the plugin needed for triggering Initiate Password Reset:

    dsconfig set-plugin-prop \
    --plugin-name "Modifiable Password Policy State Plugin" \
    --set enabled:true --set "base-dn:${searchbasedn}" \
    --set "filter:(|(objectClass=person)(objectClass=ds-cfg-user))"

  2. Run the following command to add ds-pwp-modifiable-state-json as a Delegated Admin attribute on the users REST resource type:

    dsconfig create-delegated-admin-attribute \
    --type-name users  \
    --attribute-type ds-pwp-modifiable-state-json  \
    --set "display-name:Modifiable Password Policy State"  \
    --set display-order-index:9999

When you install Delegated Admin 4.6 using the delegated-admin.dsconfig script, the Modifiable Password Policy State plugin is enabled. If you’re upgrading from a previous version of Delegated Admin, you must manually enable the plugin and add the ds-pwp-modifiable-state-json attribute as a Delegated Admin attribute.