Delegated Admin rights can be parameterized such that a single definition provides a pattern for new administrators. In this way a privileged administrator for a hosting company can use Delegated Admin to onboard a new tenant administrator to manage resources for the tenant's own organization. Using parameterized rights eliminates the need for Directory Server configuration changes to create a new administrator.

In the following example, it is assumed that there are three REST resource types configured: orgs, groups and users. The users resource type has the parent resource type orgs. The ($1) placeholder in admin-group-dn is bound to the matching part of the group the administrator belongs to, and the same value is substituted into the resource-subtree patterns of the resource rights, so one rights definition scopes each tenant admin to their own organization's subtree.
$ bin/dsconfig create-delegated-admin-rights \
--rights-name "Tenant Admin" \
--set enabled:true \
--set 'admin-group-dn:cn=($1),ou=groups,dc=example,dc=com'

$ bin/dsconfig create-delegated-admin-resource-rights \
--rights-name "Tenant Admin" \
--rest-resource-type users --set enabled:true \
--set admin-permission:create \
--set admin-permission:read --set admin-permission:update \
--set 'resource-subtree:ou=($1),dc=example,dc=com'

$ bin/dsconfig create-delegated-admin-resource-rights \
--rights-name "Tenant Admin" \
--rest-resource-type orgs --set enabled:true \
--set admin-permission:reference \
--set 'resource-subtree:ou=($1),dc=example,dc=com'

A privileged admin can perform the following steps to onboard a new tenant in Delegated Admin:
  • Add a new org for the tenant.
  • Add a new group with the same name as the new org, representing the tenant admins.
  • Add a new user representing an initial tenant admin.
  • Add the new tenant admin user to the tenant admin group.

The tenant admin user can now log in to the Delegated Admin application and manage users for their own organization only; the resource-subtree patterns above confine create, read and update of users to ou=<tenant>,dc=example,dc=com, and orgs outside that subtree cannot even be referenced.
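The onboarding steps above, as an added example that is not part of the Ping Identity documentation: a small POSIX shell script that emits the LDIF a privileged admin would load (for instance by piping it to bin/ldapmodify) to create the org, the initial tenant admin and the admin group for one tenant. It assumes the org entry is ou=<tenant>,dc=example,dc=com, the admin group is cn=<tenant>,ou=groups,dc=example,dc=com (a groupOfNames), and the first admin user is uid=<user>,ou=<tenant>,dc=example,dc=com, so that the cn of the group is exactly the value that ($1) binds to in the "Tenant Admin" rights. Because the org RDN and the group cn must match byte for byte and are interpolated into DN patterns, the script rejects tenant and user identifiers containing DN-special characters instead of trying to escape them. The group is created with the initial admin already listed as member, which folds the last step of the procedure into the group add; the attribute names and the validation rule are this example's choices, not the product's.

```shell
#!/bin/sh
# Added example: generate LDIF for onboarding one tenant under the parameterized
# "Tenant Admin" Delegated Admin rights. Not part of the Ping Identity docs.
#
# Usage: sh onboard_tenant.sh <tenant> <admin-uid> <admin-password> \
#          | bin/ldapmodify --hostname ds.example.com --port 636 --useSSL \
#                --bindDN "cn=Directory Manager" --promptForBindPassword
# (passing the password as an argument is for illustration only; in practice
#  read it from a prompt or a file)

BASE_DN='dc=example,dc=com'     # assumed base DN, matches the rights above

# Allow only characters that never need RFC 4514 escaping, so the value used
# for the org RDN, the group cn and the ($1) substitution is identical
# everywhere. Rejects empty strings and anything with , + " \ < > ; = # or space.
valid_rdn_value() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Emit the LDIF for a new tenant. Arguments: tenant name, admin uid, password.
tenant_onboard_ldif() {
  tenant=$1
  admin_uid=$2
  admin_pw=$3
  valid_rdn_value "$tenant"    || { echo "invalid tenant name: $tenant" >&2; return 1; }
  valid_rdn_value "$admin_uid" || { echo "invalid admin uid: $admin_uid" >&2; return 1; }
  [ -n "$admin_pw" ]           || { echo "missing admin password" >&2; return 1; }

  org_dn="ou=$tenant,$BASE_DN"
  user_dn="uid=$admin_uid,$org_dn"
  group_dn="cn=$tenant,ou=groups,$BASE_DN"

  cat <<EOF
# 1. Org for the tenant (resource type orgs); this is the resource-subtree
#    that ($1) resolves to for members of the tenant admin group.
dn: $org_dn
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: $tenant

# 2. Initial tenant admin user (resource type users, parent orgs), created
#    inside the tenant's own subtree.
dn: $user_dn
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: $admin_uid
cn: $admin_uid
sn: $admin_uid
userPassword: $admin_pw

# 3. Tenant admin group named exactly like the org; its cn is what
#    admin-group-dn 'cn=(\$1),ou=groups,$BASE_DN' binds to. The initial
#    admin is added as a member in the same operation.
dn: $group_dn
changetype: add
objectClass: top
objectClass: groupOfNames
cn: $tenant
member: $user_dn
EOF
}

# Run as a script: print the LDIF for the given tenant to stdout.
if [ "$#" -eq 3 ]; then
  tenant_onboard_ldif "$@"
fi
```

A tenant name such as `acme,ou=groups` would otherwise let the org RDN and the group cn drift apart from what the rights pattern expects, or place the entries somewhere other than the intended subtree; rejecting such values up front keeps the ($1) binding and the resource-subtree scoping consistent.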