To use Delegated Admin, an administrator needs more than valid credentials and an access token that PingDirectory Server can validate. The administrator must also hold rights that are assigned through the PingDirectory Server configuration. To delegate users or groups as administrators, use the PingDirectory Server Administrator Console (Delegated Admin rights and resource rights) or the dsconfig create-delegated-admin-rights and create-delegated-admin-resource-rights commands.
- Admin Permissions
  - create: The administrator can create new resources of this type.
  - read: The administrator can read resources of this type.
    Note: The create, delete, manage-group-membership, and update permissions require the read permission.
  - update: The administrator can edit resources of this type.
  - delete: The administrator can delete resources of this type. Reserved for future use when supported by the app.
  - reference: The administrator can reference resources when selecting a parent during the creation of another resource. With the reference permission specified, the administrator can use a parent REST resource type without seeing the option to manage the parent resource type. For example, if the parent type for users is Organizational Unit, the administrator can have reference rights to the Organizational Unit resource type only. The administrator can create users without seeing the Manage Organizational Unit navigation option.
  - manage-group-membership: The administrator can manage the membership of a group resource, by adding or removing members. This permission is only applicable to group resource types.
For the parent resource type to be available for the creation of new entries under the parent, the read or reference permission must be specified.
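The permission rules above can be checked against a planned set of rights before it is applied. This Python check is an added example, not PingDirectory code or part of the original documentation. The function name, the resource type names, and the reading that read or reference must be held on the parent type are assumptions.

```python
# Added example: review planned Delegated Admin resource rights against the
# permission rules described on this page. All names here are hypothetical.
VALID = {"create", "read", "update", "delete", "reference",
         "manage-group-membership"}
NEEDS_READ = {"create", "delete", "manage-group-membership", "update"}


def check_rights(rights, resource_types):
    """Return a list of findings (empty when the plan is consistent).

    rights:         {resource type name: set of admin permissions}
    resource_types: {name: {"is_group": bool, "parent": name or None}}
    """
    findings = []
    for rtype, perms in sorted(rights.items()):
        meta = resource_types[rtype]
        for p in sorted(perms - VALID):
            findings.append(f"{rtype}: unknown permission '{p}'")
        if "read" not in perms:
            for p in sorted(perms & NEEDS_READ):
                findings.append(f"{rtype}: '{p}' requires 'read'")
        if "manage-group-membership" in perms and not meta["is_group"]:
            findings.append(f"{rtype}: 'manage-group-membership' applies "
                            "only to group resource types")
        parent = meta["parent"]
        # Assumption: the parent type itself must carry read or reference.
        if "create" in perms and parent is not None:
            if not rights.get(parent, set()) & {"read", "reference"}:
                findings.append(f"{rtype}: parent '{parent}' needs "
                                "'read' or 'reference' to be selectable")
    return findings


# Constructed sample data; resource type names are illustrative only.
RESOURCE_TYPES = {
    "orgUnits": {"is_group": False, "parent": None},
    "users": {"is_group": False, "parent": "orgUnits"},
    "groups": {"is_group": True, "parent": None},
}
PROPOSED = {  # missing read on users, no rights on the parent type
    "users": {"create", "update"},
    "groups": {"read", "manage-group-membership"},
}
CORRECTED = {  # parent is selectable through reference, but not manageable
    "orgUnits": {"reference"},
    "users": {"create", "read", "update"},
    "groups": {"read", "manage-group-membership"},
}

if __name__ == "__main__":
    for label, plan in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(label, check_rights(plan, RESOURCE_TYPES) or "OK")
```

In the corrected plan, granting only reference on the parent type keeps the administrator able to create users under it without gaining the ability to manage the parent resources themselves.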
The example commands in this section illustrate the configuration options for delegated administration and are performed on PingDirectory Server.