Upgrade Considerations

Important considerations for upgrading to this version of Delegated Admin:

PingDirectory 8.0.0.0 is now the minimum required version to use with Delegated Admin 4.0.0. If you are on an older version of PingDirectory, it will be necessary to upgrade to PingDirectory 8.0.0.0 to maintain compatibility.

Delegated Admin 3.5.1 is compatible with PingDirectory Server 8.0.0.0. However, versions of Delegated Admin that are earlier than 4.0.0 will not be compatible with versions of PingDirectory Server that are later than 8.0.0.0.

By default, the display name for the logged in delegated admin will no longer display. To re-configure this functionality, please see the section on enabling the name attribute to be returned with the OIDC id token. See the Delegated Admin Guide for more information.

The delegated-admin-template.dsconfig file has been updated to allow for generate-password extended requests and password validation details request controls. This change is not applied during an update. You must run the following two dsconfig commands when updating :
dsconfig set-access-control-handler-prop --add \
'global-aci:(extop="1.3.6.1.4.1.30221.2.6.62")(version 3.0; \
acl "Authenticated access to the generate-password extended \
request for the Delegated Admin API"; allow (read) userdn="ldap:///all";)'
dsconfig set-access-control-handler-prop \
--add 'global-aci:(targetcontrol="1.3.6.1.4.1.30221.2.5.40")\
(version 3.0;acl "Authenticated access to the password validation details request \
control for the Delegated Admin API"; allow (read) userdn="ldap:///all";)'

What's New

These are new features for this release of :

  • Invite new users via e-mail: Taking advantage of the new e-mail notification capabilities of 8.0.0.0, now administrators can configure the service so that when a delegated admin creates a new user, the server can send an HTML e-mail to tell the new user their password and invite them to use their new account. Combine this with PingFederate self-service profile management to invite the new user to complete their profile.
  • When creating users or resetting passwords, delegated admins now have the option to type in the new password or have the server generate a password. Previously the application only supported server-generated passwords.
  • More flexibility in delegating the management of user profiles: Now administrators can configure the service so that delegated admins of one type, such as Employee, can create and manage users of other types, such as Customers or Members. Previously delegated admins could only create and manage users of their own type.

Known Issues/Workarounds

The following are known issues in this version of Delegated Admin:

  • Deploying the Admin Console to an external container using JDK 11 requires downloading the following dependencies and making them available at runtime (for example, by copying them to the WEB-INF/lib directory of the exploded WAR file).
    • groupId:jakarta.xml.bind, artifactId:jakarta.xml.bind-api, version:2.3.2
    • groupId:org.glassfish.jaxb, artifactId:jaxb-runtime, version:2.3.2
    Workaround: Deploy the Console in an external container using JDK 8.

Resolved Issues

The following table identifies issues that have been resolved with this release of Delegated Admin:

Ticket ID Description
DS-39352 When adding a user to groups and there were no non-member groups to display, the notice text did not use proper context to reflect this state.
DS-39782 Constructed attributes were not updated in the application after their associated attributes were edited. A page refresh or subsequent data request was required to reflect the change for the constructed attribute in the application.
DS-40690 This scenario occurred when a delegated admin only had permission to edit users in certain groups. If the delegated admin then went to a user’s profile and removed them from the group which governed permission over that user, this action resulted in an application error.