Upgrade Considerations

If you are running Delegated Administration application version 3.5 or older, you will need to upgrade it to the latest version if you want to use PingDirectory 8.0 or newer.

What's New

These are new features for this release of PingDirectory Delegated Admin:
  • Delegated Admin 4.1
    • For Delegated Admin, administrators can be assigned rights to manage different types of resources such as users and groups. Previously, administrators who could only manage users in specified groups could not create users to put in one of the groups they managed. Now, administrators with the ability to manage and create groups can create users within the group(s) they manage.
    • REST resource types define the types of objects that can be managed by delegated administrators. Typical REST resource types include users and groups, which can be configured based on the subtree and a predefined search filter. A new include-filter property has been added to REST resource types to distinguish resource types that are within the same subtree and have the same objectclass.
  • Delegated Admin 4.2
    • Administrative users can now create reports of users, group membership, or other generic resources and download them as a CSV file. The users need the proper rights for the resource types on which they wish to report. The information stored in the downloaded file is based on the attributes configured for the resource type. For group resource types, each generated report covers a single group.
    • Added a new reference permission to Delegated Admin resource rights configuration which allows the administrator to reference resources when selecting a parent for a new resource. This permission differs from read permission in that the app will not show an option to manage the parent resource type in the Delegated Administrator app.
    • In many circumstances, LDAP attributes within an entry contain multiple values. The application can now display multi-valued attributes which are not handled by custom UI form fields.
    • A privileged administrator for a hosting company can onboard a new tenant administrator to manage resources for the tenant's own organization without requiring additional configuration from the Administrative Console or command line.

Known Issues/Workarounds

The following are known issues in the current version of PingDirectory Delegated Admin:
  • PingDirectory Delegated Admin does not always show the account locked status correctly if the server password policy is configured to require the user to reset their password after the password has been administratively reset. This can be corrected by enabling the Password Policy State JSON virtual attribute for the user object class. For example:
    dsconfig set-virtual-attribute-prop --name "Password Policy State JSON" \
    --set enabled:true --set require-explicit-request-by-name:true \
    --set "filter:(objectClass=person)"

Resolved Issues

The following table identifies issues that have been resolved with this release of Delegated Admin:

Ticket ID Description
DS-41819 Fixed an issue where a Delegated Administrator was unable to add themselves to or remove themselves from a group whose membership they had rights to manage.
DS-41848 Fixed an issue where edits modifying only the case or capitalization of an attribute value did not take effect.
DS-42387 Updated the manage-profile generate-profile subcommand to exclude files in the ldif/ and bak/ directories by default when generating a server profile. If necessary, you can manually include those directories using the --includePath argument.