This allows a privileged administrator at a hosting company to use Delegated Admin to onboard a new tenant administrator, who can then manage resources for the tenant's own organization. Because the rights are parameterized, no PingDirectory server configuration changes are needed each time a new tenant administrator is created.

In the following example, it's assumed that there are three REST resource types configured:

  • orgs
  • groups
  • users
The users resource type has the parent resource type orgs.

$ bin/dsconfig create-delegated-admin-rights \
--rights-name "Tenant Admin" \
--set enabled:true \
--set 'admin-group-dn:cn=($1),ou=groups,dc=example,dc=com'

$ bin/dsconfig create-delegated-admin-resource-rights \
--rights-name "Tenant Admin" \
--rest-resource-type users --set enabled:true \
--set admin-permission:create \
--set admin-permission:read --set admin-permission:update \
--set 'resource-subtree:ou=($1),dc=example,dc=com'

$ bin/dsconfig create-delegated-admin-resource-rights \
--rights-name "Tenant Admin" \
--rest-resource-type orgs --set enabled:true \
--set admin-permission:reference \
--set 'resource-subtree:ou=($1),dc=example,dc=com'

A privileged admin can perform the following steps to onboard a new tenant in Delegated Admin:

  • Add a new org for the tenant.
  • Add a new group with the same name as the new org, representing the tenant admins.
  • Add a new user representing an initial tenant admin.
  • Add the new tenant admin user to the tenant admin group.

The tenant admin user can now sign on to the app and manage users for their own organization.
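To make the effect of the parameterized rights concrete, here is an added Python model (not PingDirectory code and not the product's actual evaluation logic) of how the `($1)` parameter is bound and applied. It assumes the semantics implied by the dsconfig commands above: `($1)` is bound to the `cn` of the group under `ou=groups` that the signed-on administrator belongs to, and that value is substituted into each `resource-subtree`. The onboarding function performs the four privileged-admin steps from the list above against a constructed in-memory directory; the organization names (`acme`, `globex`) and user names are hypothetical.

```python
import re

# Patterns taken from the dsconfig commands above. ($1) in admin-group-dn is the
# value bound from the admin's group; the same value is substituted into the
# resource-subtree of each resource right.
ADMIN_GROUP_DN_PATTERN = "cn=($1),ou=groups,dc=example,dc=com"
RESOURCE_RIGHTS = {
    "users": {"subtree": "ou=($1),dc=example,dc=com",
              "permissions": {"create", "read", "update"}},
    "orgs":  {"subtree": "ou=($1),dc=example,dc=com",
              "permissions": {"reference"}},
}

# Constructed in-memory directory: normalized DN -> attribute dict.
DIRECTORY = {}


def normalize_dn(dn):
    # Lower-case and trim each RDN so DNs compare reliably (ignores LDAP escaping).
    return ",".join(part.strip().lower() for part in dn.split(","))


def pattern_to_regex(pattern):
    # Turn "cn=($1),ou=groups,..." into a regex that captures the ($1) value.
    escaped = re.escape(normalize_dn(pattern))
    return re.compile("^" + escaped.replace(re.escape("($1)"), "([^,]+)") + "$")


def add_entry(dn, **attrs):
    DIRECTORY[normalize_dn(dn)] = attrs


def onboard_tenant(org, admin_uid):
    """The four privileged-admin steps: org, same-named group, first admin, membership."""
    org_dn = f"ou={org},dc=example,dc=com"
    group_dn = ADMIN_GROUP_DN_PATTERN.replace("($1)", org)
    admin_dn = f"uid={admin_uid},{org_dn}"
    add_entry(org_dn, ou=org)                          # 1. new org for the tenant
    add_entry(group_dn, cn=org, member=set())          # 2. group named after the org
    add_entry(admin_dn, uid=admin_uid)                 # 3. initial tenant admin user
    DIRECTORY[normalize_dn(group_dn)]["member"].add(normalize_dn(admin_dn))  # 4. membership
    return admin_dn


def bind_parameter(admin_dn):
    """Return every ($1) value the admin's group memberships bind (empty: not a tenant admin)."""
    admin = normalize_dn(admin_dn)
    regex = pattern_to_regex(ADMIN_GROUP_DN_PATTERN)
    values = []
    for dn, attrs in DIRECTORY.items():
        match = regex.match(dn)
        if match and admin in attrs.get("member", ()):
            values.append(match.group(1))
    return values


def is_under(dn, subtree):
    # True when dn equals the subtree base or sits below it.
    dn, subtree = normalize_dn(dn), normalize_dn(subtree)
    return dn == subtree or dn.endswith("," + subtree)


def authorized(admin_dn, resource_type, permission, target_dn):
    """Would the parameterized right allow admin_dn to apply permission to target_dn?"""
    rights = RESOURCE_RIGHTS.get(resource_type)
    if rights is None or permission not in rights["permissions"]:
        return False
    for value in bind_parameter(admin_dn):
        subtree = rights["subtree"].replace("($1)", value)
        if is_under(target_dn, subtree):
            return True
    return False


if __name__ == "__main__":
    alice = onboard_tenant("acme", "alice")
    bob = onboard_tenant("globex", "bob")
    print(bind_parameter(alice))  # ['acme']
    print(authorized(alice, "users", "create", "uid=carol,ou=acme,dc=example,dc=com"))    # True
    print(authorized(alice, "users", "create", "uid=dave,ou=globex,dc=example,dc=com"))   # False
    print(authorized(bob, "orgs", "reference", "ou=globex,dc=example,dc=com"))           # True
```

The two checks worth noting are the ones that fail: a tenant admin for `acme` gets no rights over entries under `ou=globex`, because `($1)` was bound from their own group, and a user who sits under `ou=acme` but is not a member of `cn=acme,ou=groups,...` binds nothing at all and is refused everywhere. The group membership, not the user's location in the tree, is what confers the right.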