To use Delegated Admin, an administrator needs more than valid credentials and an access token that PingDirectory Server can validate: the administrator must also hold rights that are designated through the PingDirectory Server configuration. To delegate users or groups as administrators, use the PingDirectory Server Administrator Console (Delegated Admin Rights and Delegated Admin Resource Rights) or the dsconfig create-delegated-admin-rights and create-delegated-admin-resource-rights commands.

The example commands in this section illustrate the configuration options for delegated administration and are performed on PingDirectory Server.

Note: Delegated administrators whose scope is limited to the members of specified groups cannot create new users, and a new user cannot be assigned to one of the specified groups at creation time. Likewise, administrators whose scope is limited to specific subtrees cannot create users in an organization that does not reside under, or at the same level as, one of those subtrees.
  • The following commands restrict an administrator to managing users in specified subtrees (note that every line of a multi-line dsconfig command except the last must end with a backslash):
    $ bin/dsconfig create-delegated-admin-rights \
      --rights-name admin1 \
      --set "admin-user-dn:uid=admin1,ou=people,dc=example,dc=com" \
      --set enabled:true
      
    $ bin/dsconfig create-delegated-admin-resource-rights \
      --rights-name admin1 \
      --rest-resource-type users \
      --set admin-scope:resources-in-specific-subtrees \
      --set "resource-subtree:ou=org1,dc=example,dc=com" \
      --set admin-permission:create \
      --set admin-permission:read \
      --set admin-permission:update \
      --set admin-permission:delete \
      --set enabled:true
  • An administrator can be restricted to managing the member users of one or more specified groups. The following example assumes that a static or dynamic group entry already exists whose members are the users to be managed:
    $ bin/dsconfig create-delegated-admin-rights \
      --rights-name admin1 \
      --set "admin-user-dn:uid=admin1,ou=people,dc=example,dc=com" \
      --set enabled:true
    $ bin/dsconfig create-delegated-admin-resource-rights \
      --rights-name admin1 \
      --rest-resource-type users \
      --set admin-scope:resources-in-specific-groups \
      --set "resources-in-group:cn=User Group,dc=example,dc=com" \
      --set admin-permission:read \
      --set admin-permission:update \
      --set enabled:true
  • Rather than delegate a single user as an administrator, you might find it more convenient to delegate an entire group of users as administrators, as follows:
    $ bin/dsconfig create-delegated-admin-rights \
      --rights-name admin-group1 \
      --set "admin-group-dn:cn=Admin Group,ou=people,dc=example,dc=com" \
      --set enabled:true
    
    $ bin/dsconfig create-delegated-admin-resource-rights \
      --rights-name admin-group1 \
      --rest-resource-type users \
      --set admin-scope:all-resources-in-base \
      --set admin-permission:create \
      --set admin-permission:read \
      --set admin-permission:update \
      --set admin-permission:delete \
      --set enabled:true
    This example grants the group full create, read, update and delete permission over every user in the base; such a grant should be reserved for genuinely trusted administrator groups. An administrator group can likewise be limited to specific subtrees or groups by setting admin-scope to resources-in-specific-subtrees (with resource-subtree) or resources-in-specific-groups (with resources-in-group), exactly as in the single-user examples above. For more information about PingDirectory Server administrators and configuring dynamic and static groups, refer to the PingDirectory Server Administration Guide.