Use the following commands to delegate a user as a group administrator:

$ bin/dsconfig create-delegated-admin-rights \
  --rights-name group-admin1 \
  --set "admin-user-dn:uid=admin1,ou=people,dc=example,dc=com" \
  --set enabled:true
   
$ bin/dsconfig create-delegated-admin-resource-rights \
  --rights-name group-admin1 \
  --rest-resource-type groups \
  --set admin-scope:resources-in-specific-subtrees \
  --set "resource-subtree:ou=Groups,dc=example,dc=com" \
  --set admin-permission:manage-group-membership \
  --set admin-permission:create \
  --set admin-permission:read \
  --set admin-permission:update \
  --set admin-permission:delete \
  --set enabled:true
   
$ bin/dsconfig create-delegated-admin-resource-rights \
  --rights-name group-admin1 \
  --rest-resource-type users \
  --set admin-scope:resources-in-specific-subtrees \
  --set "resource-subtree:ou=org1,dc=example,dc=com" \
  --set admin-permission:read \
  --set enabled:true

The administrative scope for users determines which users are visible to the group administrator. In this example, all users in the subtree ou=org1,dc=example,dc=com are visible. An administrator can be configured to edit users as well as to manage group memberships.

The group administrator can view, add, and remove any of the users within their administrative scope as members of groups within the groups' administrative scope. Static groups can be nested. Users who belong indirectly to a group through nesting are visible as group members but cannot be removed from that group. Users can be removed only from the group of which they are a direct member. For example, an Employees group might include a Developers group as a nested member. In such a scenario, a user in the Developers group is a direct member of that group and an indirect member of Employees. This member can be removed only when viewing the Developers group, not when viewing the Employees group.
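
The nesting rule above, modelled as an added Python example (not PingDirectory or Delegated Admin code). The group contents are constructed sample data, the function names are hypothetical, and DNs are compared as exact strings, which is an assumption of this example.

```python
# Constructed sample data: each static group maps to its direct members.
# A member DN that is itself a key in GROUPS is a nested group.
EMPLOYEES = "cn=Employees,ou=Groups,dc=example,dc=com"
DEVELOPERS = "cn=Developers,ou=Groups,dc=example,dc=com"
ALICE = "uid=alice,ou=org1,dc=example,dc=com"
BOB = "uid=bob,ou=org1,dc=example,dc=com"

GROUPS = {
    EMPLOYEES: {DEVELOPERS, ALICE},
    DEVELOPERS: {BOB},
}


def members(group, groups=GROUPS):
    """Return {user_dn: "direct" | "indirect"} for a static group."""
    result = {}
    seen = {group}  # guards against nesting loops (A contains B contains A)
    stack = [(dn, "direct") for dn in groups[group]]
    while stack:
        dn, kind = stack.pop()
        if dn in groups:
            # Nested group: everything reached through it is indirect.
            if dn not in seen:
                seen.add(dn)
                stack.extend((m, "indirect") for m in groups[dn])
        elif result.get(dn) != "direct":
            # A user who is both direct and indirect counts as direct.
            result[dn] = kind
    return result


def remove_member(group, user, groups=GROUPS):
    """Remove user only when it is a direct member; return True if removed."""
    if members(group, groups).get(user) != "direct":
        return False  # visible through nesting, but not removable here
    groups[group].discard(user)
    return True


if __name__ == "__main__":
    print(members(EMPLOYEES))             # BOB shows up as indirect
    print(remove_member(EMPLOYEES, BOB))  # refused when viewing Employees
    print(remove_member(DEVELOPERS, BOB)) # allowed when viewing Developers
    print(members(EMPLOYEES))             # BOB is gone from both groups
```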

If a group is configured as a dynamic or virtual static group rather than a static group, then the group and its members are visible, but the group membership cannot be modified.

Set group attributes

The default settings for group attributes specify cn and description as group attributes, with cn used for the group title in Delegated Admin. To create the default settings, use the following commands with a search DN and parent DN ("dc=example,dc=com"):

$ bin/dsconfig create-rest-resource-type \
  --type group \
  --type-name groups \
  --set "display-name:Groups" \
  --set enabled:false \
  --set "search-base-dn:dc=example,dc=com" \
  --set primary-display-attribute-type:cn \
  --set resource-endpoint:groups \
  --set "search-filter-pattern:(cn=*%%*)" \
  --set structural-ldap-objectclass:groupOfUniqueNames \
  --set parent-dn:dc=example,dc=com

$ bin/dsconfig create-delegated-admin-attribute \
  --type-name groups \
  --attribute-type cn \
  --set "display-name:Name"

$ bin/dsconfig create-delegated-admin-attribute \
  --type-name groups \
  --attribute-type description \
  --set "display-name:Description"

$ bin/dsconfig set-rest-resource-type-prop \
  --type-name groups \
  --set enabled:true

Set group search filter

When an administrator enters text to search for groups, the search-filter-pattern property of the groups resource type specifies which attributes are searched in PingDirectory Server. Define the appropriate attribute indexes in PingDirectory Server so that the query can be satisfied. The default setting searches the attribute cn for the search text, which is represented by %%. Use the following command to set the group search filter:

$ bin/dsconfig set-rest-resource-type-prop \
  --type-name groups \
  --set 'search-filter-pattern:(cn=*%%*)'

For more information about managing groups, refer to the PingDirectory Server Administrator Guide.