To delegate users or groups as administrators, use the PingDirectory Server Administrative Console (Delegated Admin rights and resource rights) or the dsconfig create-delegated-admin-rights and create-delegated-admin-resource-rights commands.
To use Delegated Admin, an administrator must have valid credentials, an access token that the PingDirectory server can validate, and rights that are designated through the PingDirectory server configuration.
- Admin Permissions
create
- The administrator can create new resources of this type.
read
- The administrator can read resources of this type.
  Note: The create, delete, update, update-profile, reset-password, and manage-group-membership permissions require the read permission.
update
- The administrator can edit resources of this type.
delete
- The administrator can delete resources of this type.
update-profile
- The administrator can update user profiles but is not granted password-change-related privileges. For group and generic type resources, the update-profile permission gives the same rights as the update permission.
reset-password
- The administrator can reset passwords without the ability to change other user attributes.
manage-group-membership
- The administrator can manage the membership of a group resource by adding or removing members. This permission is only applicable to group resource types.
reference
- The administrator can reference resources when selecting a parent during the creation of another resource. With the reference permission specified, the administrator can use a parent REST resource type without seeing the option to manage the parent resource type. For example, if the parent type for users is Organizational Unit, the administrator can have reference rights to the Organizational Unit resource type only. The administrator can create users without seeing the Manage Organizational Unit navigation option.
  The administrator can also reference resource types in Delegated Admin attributes. For example, the administrator can select user entries from a list based on their distinguished name (DN) without displaying the actual values of the DNs.
download
- The administrator can download reports for resources of this type. With this permission, the Download Report button shows on the Reporting page for the administrator.
upload
- The administrator can upload a .csv file to import resources of this type. With this permission, the Upload File button shows on the Reporting page for the administrator.
For the parent resource type to be available for the creation of new entries under the parent, the read or reference permission must be specified.
To prevent changes that might break the configuration of the app, the app does not allow changes to RDN attributes of a resource entry DN for resources referenced in the Delegated Admin server configuration. This includes the following configuration elements:
- admin-user-DN and admin-group-DN of Admin Rights
- resource-subtree and resources-in-group of Admin Resource Rights
For example, if an Admin Rights configuration contains admin-group-DN: cn=Admin Group,dc=example,dc=com and some administrator has rights to modify that particular group through the app, then the cn attribute of that group can't be changed without invalidating the configuration. The attribute label has a lock icon and a message indicating that the value can only be changed by a server administrator.
The example commands that follow illustrate the configuration options for delegated administration and are performed on the PingDirectory server.
Administrators who manage only specific subtrees can't create users in an organization that does not reside under, or at the same level as, one of the subtrees.
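The following shell script is an added example and is not part of the PingDirectory documentation or product. It applies the two rules stated above before an Admin Resource Rights entry is created: the permission dependency (create, delete, update, update-profile, reset-password and manage-group-membership all require read), and the RDN lock on entries whose DN appears in admin-user-DN, admin-group-DN, resource-subtree or resources-in-group. It assumes dsconfig is on PATH on the PingDirectory server, that a REST resource type named "users" already exists, and that the flag names --rights-name, --rest-resource-type and the --set property:value form match the dsconfig subcommands named on this page (check them against dsconfig --help on your server). The dsconfig command is printed, not executed, so the script can be reviewed offline.

```shell
#!/bin/sh
# Added example, not PingDirectory's own tooling.
# Assumes: dsconfig on PATH; REST resource type "users" exists;
# flag names follow dsconfig's --rights-name / --rest-resource-type / --set style.

# check_permissions "perm perm ..." -> exit 0 if the set is consistent,
# 1 if a permission that depends on read is present without read,
# 2 if a permission name is not one of the Admin Permissions.
check_permissions() {
    perms="$1"
    has_read=0
    needs_read=0
    for p in $perms; do
        case "$p" in
            read) has_read=1 ;;
            create|delete|update|update-profile|reset-password|manage-group-membership)
                needs_read=1 ;;
            reference|download|upload) ;;
            *) echo "unknown permission: $p" >&2; return 2 ;;
        esac
    done
    if [ "$needs_read" -eq 1 ] && [ "$has_read" -eq 0 ]; then
        echo "permission set requires read" >&2
        return 1
    fi
    return 0
}

# resource_rights_cmd RIGHTS_NAME REST_RESOURCE_TYPE SUBTREE "perm perm ..."
# Prints the dsconfig create-delegated-admin-resource-rights command for one
# Admin Resource Rights entry, or prints nothing and fails if the permission
# set violates the read dependency.
resource_rights_cmd() {
    name="$1"; rtype="$2"; subtree="$3"; perms="$4"
    check_permissions "$perms" || return $?
    cmd="dsconfig create-delegated-admin-resource-rights --rights-name \"$name\""
    cmd="$cmd --rest-resource-type $rtype --set enabled:true"
    cmd="$cmd --set resource-subtree:\"$subtree\""
    for p in $perms; do
        cmd="$cmd --set admin-permission:$p"
    done
    printf '%s\n' "$cmd"
}

# norm_dn DN -> lowercase DN with whitespace around commas removed, which is
# enough for comparing the DNs found in the Delegated Admin configuration.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# rdn_is_locked ENTRY_DN CONFIG_DN... -> exit 0 when ENTRY_DN is referenced by
# one of the configuration DNs (admin-user-DN, admin-group-DN, resource-subtree,
# resources-in-group), i.e. the app will refuse changes to its RDN attribute.
rdn_is_locked() {
    entry=$(norm_dn "$1"); shift
    for ref in "$@"; do
        [ "$(norm_dn "$ref")" = "$entry" ] && return 0
    done
    return 1
}

# Usage (constructed sample values): a help-desk rights entry that can only
# look users up and reset their passwords under ou=People.
resource_rights_cmd "Help Desk" users "ou=People,dc=example,dc=com" "read reset-password"
```

Running the script prints one dsconfig command line that can be pasted onto the server; replacing "read reset-password" with "reset-password" makes it fail with "permission set requires read" instead, which is the same constraint the Administrative Console enforces. rdn_is_locked is a pre-check for change scripts: before modifying the cn of a group, pass its DN together with the admin-group-DN and resource DNs from the configuration, and skip the change when it returns 0.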