To use Delegated Admin, an administrator must possess more than valid credentials and an access token that PingDirectory Server can validate. He or she must possess rights that are designated through the PingDirectory Server configuration. To delegate users or groups as administrators, use the PingDirectory Server Administrator Console (Delegated Admin rights and resource rights) or the dsconfig create-delegated-admin-rights and create-delegated-admin-resource-rights commands.

Admin Permissions
  • create: The administrator can create new resources of this type.
  • read: The administrator can read resources of this type.
    Note: The create, delete, manage-group-membership, and update permissions require the read permission.
  • update: The administrator can edit resources of this type.
  • delete: The administrator can delete resources of this type.
  • reference: The administrator can reference resources when selecting a parent during the creation of another resource. With the reference permission specified, the administrator can use a parent REST resource type without seeing the option to manage the parent resource type. For example, if the parent type for users is Organizational Unit, the administrator can have reference rights to the Organizational Unit resource type only. The administrator can create users without seeing the Manage Organizational Unit navigation option.
    The administrator can also reference resource types in Delegated Admin attributes. For example, the administrator can select user entries from a list based on their DNs without displaying the actual values of the DNs.
  • manage-group-membership: The administrator can manage the membership of a group resource by adding or removing members. This permission is only applicable to group resource types.
  • download: The administrator can download reports for resources of this type. With this permission, the Download Report button appears on the Reporting page for the administrator.
  • upload: The administrator can upload a CSV file to import resources of this type. With this permission, the Upload File button appears on the Reporting page for the administrator.

Note: For the parent resource type to be available for the creation of new entries under the parent, the read or reference permission must be specified.

To prevent changes that might break the configuration of the app, the app does not allow changes to RDN attributes of a resource entry DN, for resources referenced in the Delegated Admin server configuration. This includes the following configuration elements:

  • admin-user-DN and admin-group-DN of Admin Rights
  • resource-subtree and resources-in-group of Admin Resource Rights

For example, if an Admin Rights configuration contains admin-group-DN: cn=Admin Group,dc=example,dc=com and some administrator has rights to modify that particular group through the app, then the cn attribute of that group cannot be changed without invalidating the configuration. The attribute label will have a lock icon and a message indicating that the value can only be changed by a server administrator.
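The lock described above is a server-side integrity check: if an administrator could rename cn=Admin Group, the admin-group-DN in the configuration would silently point at nothing. The following added example (not PingDirectory code) shows the decision the app makes, given a constructed configuration dictionary: a modification is refused when the target attribute is an RDN attribute of an entry whose DN appears as admin-user-dn, admin-group-dn, resource-subtree or resources-in-group. DN comparison here is a simplified case-insensitive normalization written for the example, not the server's real DN matching.

```python
"""Added example, not PingDirectory code: decide whether changing `attribute`
on `entry_dn` must be refused because the entry is referenced by the
Delegated Admin configuration and the attribute is part of its RDN.
CONFIG below is constructed for the example."""


def split_dn(dn):
    """Split a DN string into its RDN components, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape and escaped char together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts]


def normalize_dn(dn):
    """Case-fold attribute types and values and strip whitespace around separators.
    A simplification for the example; a real check uses the server's DN matching rules."""
    rdns = []
    for rdn in split_dn(dn):
        avas = []
        for ava in rdn.split("+"):               # multi-valued RDNs use '+'
            attr, _, value = ava.partition("=")
            avas.append(f"{attr.strip().lower()}={value.strip().lower()}")
        rdns.append("+".join(sorted(avas)))
    return ",".join(rdns)


def rdn_attributes(dn):
    """Attribute types that make up the entry's own RDN (the leftmost component)."""
    first = split_dn(dn)[0]
    return {ava.partition("=")[0].strip().lower() for ava in first.split("+")}


def referenced_dns(config):
    """Yield every DN the Delegated Admin configuration refers to."""
    props = ("admin-user-dn", "admin-group-dn", "resource-subtree", "resources-in-group")
    for section in ("delegated-admin-rights", "delegated-admin-resource-rights"):
        for definition in config.get(section, []):
            for prop in props:
                for dn in definition.get(prop, []):
                    yield dn


def is_locked(config, entry_dn, attribute):
    """True when the attribute is an RDN attribute of an entry referenced in config."""
    if attribute.lower() not in rdn_attributes(entry_dn):
        return False
    target = normalize_dn(entry_dn)
    return any(normalize_dn(dn) == target for dn in referenced_dns(config))


# Constructed configuration mirroring the documentation's examples.
CONFIG = {
    "delegated-admin-rights": [
        {"rights-name": "admin-group1",
         "admin-group-dn": ["cn=Admin Group,dc=example,dc=com"]},
    ],
    "delegated-admin-resource-rights": [
        {"rights-name": "admin1",
         "resource-subtree": ["ou=org1,dc=example,dc=com"]},
    ],
}

if __name__ == "__main__":
    for dn, attr in [("cn=Admin Group,dc=example,dc=com", "cn"),
                     ("cn=Admin Group,dc=example,dc=com", "description"),
                     ("cn=Other Group,dc=example,dc=com", "cn")]:
        state = "LOCKED (server administrator only)" if is_locked(CONFIG, dn, attr) else "editable"
        print(f"{attr} on {dn}: {state}")
```

Only the referenced entry itself is checked, matching the text above: renaming cn=Other Group is allowed because nothing in the configuration names it, while the description attribute of cn=Admin Group stays editable because it is not part of the RDN.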

The example commands in this section illustrate the configuration options for delegated administration and are performed on PingDirectory Server.

Note: Administrators who manage only specific subtrees cannot create users in an organization that does not reside under, or at the same level as, one of the subtrees.
  • The following commands restrict an administrator to manage users in specified subtrees:
    $ bin/dsconfig create-delegated-admin-rights \
      --rights-name admin1 \
      --set "admin-user-dn:uid=admin1,ou=people,dc=example,dc=com" \
      --set enabled:true

    $ bin/dsconfig create-delegated-admin-resource-rights \
      --rights-name admin1 \
      --rest-resource-type users \
      --set admin-scope:resources-in-specific-subtrees \
      --set "resource-subtree:ou=org1,dc=example,dc=com" \
      --set admin-permission:create \
      --set admin-permission:read \
      --set admin-permission:update \
      --set admin-permission:delete \
      --set enabled:true
  • An administrator can be restricted to managing the member users of one or more specified groups. In the following example, we assume the existence of a static or dynamic group entry whose members include the users to be managed:
    $ bin/dsconfig create-delegated-admin-rights \
      --rights-name admin1 \
      --set "admin-user-dn:uid=admin1,ou=people,dc=example,dc=com" \
      --set enabled:true

    $ bin/dsconfig create-delegated-admin-resource-rights \
      --rights-name admin1 \
      --rest-resource-type users \
      --set admin-scope:resources-in-specific-groups \
      --set "resources-in-group:cn=User Group,dc=example,dc=com" \
      --set admin-permission:read \
      --set admin-permission:update \
      --set enabled:true
  • The delegated admin must also have rights to a group REST resource type that matches the specified group. For more information, see Manage groups.
  • Rather than delegate a single user as an administrator, you might find it more convenient to delegate an entire group of users as administrators, as follows:
    $ bin/dsconfig create-delegated-admin-rights \
      --rights-name admin-group1 \
      --set "admin-group-dn:cn=Admin Group,ou=people,dc=example,dc=com" \
      --set enabled:true

    $ bin/dsconfig create-delegated-admin-resource-rights \
      --rights-name admin-group1 \
      --rest-resource-type users \
      --set admin-scope:all-resources-in-base \
      --set admin-permission:create \
      --set admin-permission:read \
      --set admin-permission:update \
      --set admin-permission:delete \
      --set enabled:true
    In this example, the admin-scope is all-resources-in-base; an administrator group can instead be limited to specific subtrees or groups by setting admin-scope to resources-in-specific-subtrees (with resource-subtree) or resources-in-specific-groups (with resources-in-group). For more information about PingDirectory Server administrators and configuring dynamic and static groups, refer to the PingDirectory Server Administration Guide.
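The commands above are easy to get subtly wrong: an update permission without read, manage-group-membership on a non-group type, or a resources-in-specific-subtrees scope with no resource-subtree each produce rights that do not behave as intended. The following added example (not PingDirectory code) encodes the dependency rules stated in the Admin Permissions section and renders the same dsconfig commands shown above from a validated definition, so an inconsistent definition is rejected before anything is sent to the server. The is_group_type and parent_type fields are assumptions supplied by the caller; in a real deployment they come from your REST resource type configuration.

```python
"""Added example, not PingDirectory code: validate a planned set of Delegated
Admin rights against the rules in the documentation, then render the dsconfig
commands.  Rules checked:
  * create, delete, update and manage-group-membership require read
  * manage-group-membership applies only to group resource types
  * a type with create needs its parent type to carry read or reference
  * resources-in-specific-subtrees needs resource-subtree,
    resources-in-specific-groups needs resources-in-group
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set
import shlex

REQUIRE_READ = {"create", "delete", "update", "manage-group-membership"}
ALL_PERMISSIONS = REQUIRE_READ | {"read", "reference", "download", "upload"}
SCOPES = {"all-resources-in-base", "resources-in-specific-subtrees",
          "resources-in-specific-groups"}


@dataclass
class ResourceRights:
    rest_resource_type: str
    is_group_type: bool                 # assumption: taken from the REST resource type config
    admin_scope: str = "all-resources-in-base"
    permissions: Set[str] = field(default_factory=set)
    resource_subtrees: List[str] = field(default_factory=list)
    resources_in_groups: List[str] = field(default_factory=list)
    parent_type: Optional[str] = None   # assumption: parent REST resource type, if any


def validate(rr, all_rights=()):
    """Return a list of problems for one resource-rights definition (empty = consistent)."""
    problems = []
    unknown = rr.permissions - ALL_PERMISSIONS
    if unknown:
        problems.append(f"unknown permission(s) {sorted(unknown)}")
    needs_read = rr.permissions & REQUIRE_READ
    if needs_read and "read" not in rr.permissions:
        problems.append(f"{sorted(needs_read)} require the read permission")
    if "manage-group-membership" in rr.permissions and not rr.is_group_type:
        problems.append("manage-group-membership is only applicable to group resource types")
    if rr.admin_scope not in SCOPES:
        problems.append(f"unknown admin-scope {rr.admin_scope!r}")
    if rr.admin_scope == "resources-in-specific-subtrees" and not rr.resource_subtrees:
        problems.append("resources-in-specific-subtrees needs at least one resource-subtree")
    if rr.admin_scope == "resources-in-specific-groups" and not rr.resources_in_groups:
        problems.append("resources-in-specific-groups needs at least one resources-in-group")
    if "create" in rr.permissions and rr.parent_type:
        parents = [p for p in all_rights if p.rest_resource_type == rr.parent_type]
        if not parents or not (parents[0].permissions & {"read", "reference"}):
            problems.append(f"parent type {rr.parent_type!r} needs read or reference "
                            "for new entries to be created under it")
    return problems


def render_dsconfig(rights_name, admin_dn, is_group_admin, resource_rights):
    """Render the create-delegated-admin-rights and -resource-rights commands.
    Raises ValueError if any definition fails validation."""
    for rr in resource_rights:
        problems = validate(rr, resource_rights)
        if problems:
            raise ValueError(f"{rr.rest_resource_type}: " + "; ".join(problems))
    dn_prop = "admin-group-dn" if is_group_admin else "admin-user-dn"
    lines = ["bin/dsconfig create-delegated-admin-rights",
             f"  --rights-name {shlex.quote(rights_name)}",
             f"  --set {shlex.quote(f'{dn_prop}:{admin_dn}')}",
             "  --set enabled:true"]
    commands = [" \\\n".join(lines)]
    for rr in resource_rights:
        lines = ["bin/dsconfig create-delegated-admin-resource-rights",
                 f"  --rights-name {shlex.quote(rights_name)}",
                 f"  --rest-resource-type {shlex.quote(rr.rest_resource_type)}",
                 f"  --set admin-scope:{rr.admin_scope}"]
        lines += [f"  --set {shlex.quote(f'resource-subtree:{dn}')}" for dn in rr.resource_subtrees]
        lines += [f"  --set {shlex.quote(f'resources-in-group:{dn}')}" for dn in rr.resources_in_groups]
        lines += [f"  --set admin-permission:{perm}" for perm in sorted(rr.permissions)]
        lines.append("  --set enabled:true")
        commands.append(" \\\n".join(lines))
    return commands


if __name__ == "__main__":
    users = ResourceRights("users", False, "resources-in-specific-subtrees",
                           {"create", "read", "update", "delete"},
                           ["ou=org1,dc=example,dc=com"])
    for cmd in render_dsconfig("admin1", "uid=admin1,ou=people,dc=example,dc=com", False, [users]):
        print(cmd, end="\n\n")
```

Values are passed through shlex.quote, so a group DN containing a space (cn=User Group,dc=example,dc=com) is emitted quoted exactly as in the examples above, while plain DNs stay unquoted; the parent-type check is applied across the whole set of definitions so that a users type with create is only accepted when its parent type is present with read or reference.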