Delegated Admin rights can be parameterized so that a single definition provides a pattern for new administrators.
This allows a privileged administrator for a hosting company to use Delegated Admin to onboard a new tenant administrator to manage resources for the tenant's own organization. Using parameterized rights eliminates the need for the PingDirectory server configuration changes to create a new administrator.
In the following example, it's assumed that there are three REST resource types configured:
orgs
groups
users
The users resource type has the parent resource type orgs.
$ bin/dsconfig create-delegated-admin-rights \
--rights-name "Tenant Admin" \
--set enabled:true \
--set 'admin-group-dn:cn=($1),ou=groups,dc=example,dc=com'
$ bin/dsconfig create-delegated-admin-resource-rights \
--rights-name "Tenant Admin" \
--rest-resource-type users --set enabled:true \
--set admin-permission:create \
--set admin-permission:read --set admin-permission:update \
--set 'resource-subtree:ou=($1),dc=example,dc=com'
$ bin/dsconfig create-delegated-admin-resource-rights \
--rights-name "Tenant Admin" \
--rest-resource-type orgs --set enabled:true \
--set admin-permission:reference \
--set 'resource-subtree:ou=($1),dc=example,dc=com'
A privileged admin can perform the following steps to onboard a new tenant in Delegated Admin:
- Add a new
org
for the tenant. - Add a new
group
with the same name as the neworg
, representing the tenant admins. - Add a new
user
representing an initial tenant admin. - Add the new tenant admin user to the tenant admin group
The tenant admin user can now sign on to the app and manage users for their own organization.