To set up a reference delegated admin attribute, you must have a REST resource type defined and configured.

This example task creates a new REST resource type called Managers.

  1. To create the new REST resource type, run dsconfig with the create-rest-resource-type option.

    In the following example, the new resource type of Managers is created.

    dsconfig create-rest-resource-type \
        --type-name Managers  \
        --type user  \
        --set 'description:Rest type for users who are managers. It is used as reference type for the field Manager.'  \
        --set enabled:true  \
        --set resource-endpoint:managers  \
        --set structural-ldap-objectclass:inetOrgPerson  \
        --set search-base-dn:dc=example,dc=com  \
        --set "include-filter:(employeeType=manager)"  \
        --set parent-dn:ou=people,dc=example,dc=com  \
        --set create-rdn-attribute-type:uid  \
        --set display-name:Managers  \
        --set 'search-filter-pattern:(|(cn=*%%*)(mail=%%*)(uid=%%*)(sn=*%%*))'  \
        --set primary-display-attribute-type:cn
  2. To add Delegated Admin attributes for the resource type, run dsconfig with the create-delegated-admin-attribute option.

    The following example adds Delegated Admin attributes for the Managers resource type.

    dsconfig create-delegated-admin-attribute \
        --type-name Managers \
        --attribute-type cn \
        --set "display-name:Full Name"
    
    dsconfig create-delegated-admin-attribute \
        --type-name Managers \
        --attribute-type uid \
        --set "display-name:Manager ID"
    
    dsconfig create-delegated-admin-attribute \
        --type-name Managers \
        --attribute-type mail \
        --set display-name:Email
    
    dsconfig create-delegated-admin-attribute \
        --type-name Managers \
        --attribute-type employeeType \
        --set "display-name:Employee Type (must be manager)"
    
    dsconfig create-delegated-admin-attribute \
        --type-name Managers \
        --attribute-type sn \
        --set "display-name:Last name"
    
    dsconfig create-delegated-admin-attribute \
        --type-name Managers \
        --attribute-type givenName \
        --set "display-name:First Name"
  3. To distinguish your resource type from other resources, run dsconfig with the create-delegated-admin-attribute option.

    In the following example, Managers are distinguished from other users using the employeeType attribute.

    dsconfig create-delegated-admin-attribute \
        --type-name users \
        --attribute-type employeeType \
        --set "display-name:Employee type (manager, other)" \
        --set display-order-index:4
  4. To add Delegated Admin resource rights to your set of existing Delegated Admin rights, run dsconfig with the create-delegated-admin-resource-rights option.

    In the following example, Delegated Admins are granted reference Admin Permission for the Managers REST resource type to allow viewing access.

    dsconfig create-delegated-admin-resource-rights \
        --rights-name <existing-rights-name> \
        --rest-resource-type Managers \
        --set enabled:true \
        --set admin-permission:reference \
        --set admin-scope:all-resources-in-base

    In the following example, Delegated Admins are granted read and update Admin Permissions for the Managers REST resource type to allow edit access.

    dsconfig create-delegated-admin-resource-rights \
        --rights-name DArights \
        --rest-resource-type Managers \
        --set enabled:true \
        --set admin-permission:read \
        --set admin-permission:update \
        --set admin-scope:all-resources-in-base

After you have created and configured a new REST resource type, add a reference Delegated Admin attribute. See step 2 in Setting up a DN reference attribute.
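
Step 4 shows two different grants on the Managers type: view-only (`reference`) and edit (`read` plus `update`). The following script is an added example, not part of the product documentation. It reviews dsconfig commands supplied as text and flags every grant on a given resource type that goes beyond `reference`. The rights name `helpdesk-rights`, the sample input, and the rule that a reference-only type should carry nothing but `reference` are assumptions made for illustration.

```shell
# Added example: flag Delegated Admin grants on a reference-only REST resource
# type that go beyond admin-permission:reference (assumed review policy).

# Constructed sample input. "helpdesk-rights" is a made-up rights name; the
# last command targets another resource type and must be ignored.
sample_commands() {
    cat <<'EOF'
dsconfig create-delegated-admin-resource-rights \
    --rights-name helpdesk-rights \
    --rest-resource-type Managers \
    --set admin-permission:reference
dsconfig create-delegated-admin-resource-rights \
    --rights-name DArights \
    --rest-resource-type Managers \
    --set admin-permission:read \
    --set admin-permission:update
dsconfig create-delegated-admin-resource-rights --rights-name DArights --rest-resource-type users --set admin-permission:read
EOF
}

# audit_rights TYPE: read commands on stdin and print one line per grant on
# TYPE in the form "<rights-name> <permissions> <ok|REVIEW>".
audit_rights() {
    awk -v type="$1" -v q="[\"']" '
    function check(cmd,    n, tok, i, name, rtype, perms, p, verdict) {
        if (cmd !~ /create-delegated-admin-resource-rights/) return
        gsub(q, "", cmd)                       # drop shell quoting
        n = split(cmd, tok, /[ \t]+/)
        verdict = "ok"
        for (i = 1; i < n; i++) {
            if (tok[i] == "--rights-name") name = tok[i + 1]
            else if (tok[i] == "--rest-resource-type") rtype = tok[i + 1]
            else if (tok[i] == "--set" && index(tok[i + 1], "admin-permission:") == 1) {
                p = substr(tok[i + 1], 18)     # text after "admin-permission:"
                perms = perms (perms == "" ? "" : ",") p
                if (p != "reference") verdict = "REVIEW"
            }
        }
        if (perms == "") { perms = "unset"; verdict = "REVIEW" }
        if (rtype == type) print name, perms, verdict
    }
    { sub(/[ \t]+$/, "") }                     # strip trailing blanks
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }   # join continuation lines
    { check(buf $0); buf = "" }
    END { if (buf != "") check(buf) }
    '
}

sample_commands | audit_rights Managers
```

Feed it the command file you keep for this configuration; a `REVIEW` line marks a rights entry to check against who actually needs edit access to manager entries.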