Page created: 22 Jul 2020 | Page updated: 1 Feb 2021
Delegated Admin rights can be parameterized such that a single definition provides a pattern for new administrators. In this way a privileged administrator for a hosting company can use Delegated Admin to onboard a new tenant administrator to manage resources for the tenant's own organization. Using parameterized rights eliminates the need for Directory Server configuration changes to create a new administrator.
In the following example, it is assumed that there are three REST resource types configured: orgs, groups and users. The users resource type has the parent resource type orgs.
$ bin/dsconfig create-delegated-admin-rights \
--rights-name "Tenant Admin" \
--set enabled:true \
--set 'admin-group-dn:cn=($1),ou=groups,dc=example,dc=com'
$ bin/dsconfig create-delegated-admin-resource-rights \
--rights-name "Tenant Admin" \
--rest-resource-type users --set enabled:true \
--set admin-permission:create \
--set admin-permission:read --set admin-permission:update \
--set 'resource-subtree:ou=($1),dc=example,dc=com'
$ bin/dsconfig create-delegated-admin-resource-rights \
--rights-name "Tenant Admin" \
--rest-resource-type orgs --set enabled:true \
--set admin-permission:reference \
--set 'resource-subtree:ou=($1),dc=example,dc=com'
A privileged admin can perform the following steps to onboard a new tenant in Delegated Admin:
- Add a new org for the tenant.
- Add a new group with the same name as the new org, representing the tenant admins.
- Add a new user representing an initial tenant admin.
- Add the new tenant admin user to the tenant admin group.
The tenant admin user can now log in to the app and manage users for their own organization.
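The onboarding steps above, as an added example that is not part of the original page: a POSIX shell script that emits the LDIF a privileged admin could feed to ldapmodify (the Delegated Admin app performs the same adds through its own interface). It assumes the DN layout implied by the ($1) patterns in the dsconfig commands (org at ou=<tenant>,dc=example,dc=com, admin group at cn=<tenant>,ou=groups,dc=example,dc=com, users under the org) and that groupOfNames requires at least one member, so steps 2 and 4 are written as one add.

```shell
#!/bin/sh
# Added example, not PingDirectory's own tooling. Assumed layout (matches the
# ($1) patterns above): org ou=<tenant>,dc=example,dc=com; admin group
# cn=<tenant>,ou=groups,dc=example,dc=com; users uid=<uid>,ou=<tenant>,...
# The group cn and org ou must be identical: the rights pattern substitutes the
# admin group's name into resource-subtree, so a mismatch scopes the new admin
# to the wrong subtree or to nothing at all.
BASE_DN='dc=example,dc=com'

# Accept only a conservative RDN value so the name can be spliced into DNs
# without RFC 4514 escaping; reject anything else (commas, '=', spaces, ...).
validate_tenant_name() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print LDIF for the onboarding steps. Usage:
#   onboard_tenant_ldif acme jsmith 'J. Smith' | ldapmodify -a ...
onboard_tenant_ldif() {
  tenant=$1; admin_uid=$2; admin_cn=$3
  validate_tenant_name "$tenant" || { echo "invalid tenant name: $tenant" >&2; return 1; }
  validate_tenant_name "$admin_uid" || { echo "invalid uid: $admin_uid" >&2; return 1; }
  org_dn="ou=$tenant,$BASE_DN"
  group_dn="cn=$tenant,ou=groups,$BASE_DN"
  user_dn="uid=$admin_uid,$org_dn"
  cat <<EOF
# step 1: org for the tenant
dn: $org_dn
changetype: add
objectClass: organizationalUnit
ou: $tenant

# step 3: initial tenant admin, inside the tenant's own subtree
dn: $user_dn
changetype: add
objectClass: inetOrgPerson
uid: $admin_uid
cn: $admin_cn
sn: $admin_cn

# steps 2 and 4: admin group named exactly like the org, with the admin as member
dn: $group_dn
changetype: add
objectClass: groupOfNames
cn: $tenant
member: $user_dn
EOF
}
```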