To use Delegated Admin, an administrator must possess more than valid credentials and an access token that PingDirectory Server can validate. The administrator must also hold rights that are designated through the PingDirectory Server configuration. To delegate users or groups as administrators, use the PingDirectory Server Administrator Console (Delegated Admin rights and resource rights) or the dsconfig create-delegated-admin-rights and create-delegated-admin-resource-rights commands.
Admin Permissions
- create: The administrator can create new resources of this type.
- read: The administrator can read resources of this type. Note: the create, delete, manage-group-membership, and update permissions require the read permission.
- update: The administrator can edit resources of this type.
- delete: The administrator can delete resources of this type.
- reference: The administrator can reference resources when selecting a parent during the creation of another resource. With the reference permission specified, the administrator can use a parent REST resource type without seeing the option to manage the parent resource type. For example, if the parent type for users is Organizational Unit, the administrator can have reference rights to the Organizational Unit resource type only. The administrator can create users without seeing the Manage Organizational Unit navigation option.
  The administrator can also reference resource types in Delegated Admin attributes. For example, the administrator can select user entries from a list based on their DNs without displaying the actual values of the DNs.
- manage-group-membership: The administrator can manage the membership of a group resource by adding or removing members. This permission is only applicable to group resource types.
- download: The administrator can download reports for resources of this type. With this permission, the Download Report button appears on the Reporting page for the administrator.
- upload: The administrator can upload a CSV file to import resources of this type. With this permission, the Upload File button appears on the Reporting page for the administrator.
For the parent resource type to be available for the creation of new entries under the parent, the read or reference permission must be specified.
To prevent changes that might break the configuration of the app, the app does not allow changes to RDN attributes of a resource entry DN for resources referenced in the Delegated Admin server configuration. This includes the following configuration elements:
- admin-user-DN and admin-group-DN of Admin Rights
- resource-subtree and resources-in-group of Admin Resource Rights
For example, if an Admin Rights configuration contains admin-group-DN: cn=Admin Group,dc=example,dc=com and some administrator has rights to modify that particular group through the app, then the cn attribute of that group cannot be changed without invalidating the configuration. The attribute label will have a lock icon and a message indicating that the value can only be changed by a server administrator.
The example commands in this section illustrate the configuration options for delegated administration and are performed on PingDirectory Server.
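An added example, not taken from the PingDirectory documentation: a POSIX shell script that checks a permission set against the dependency rule above (create, delete, update and manage-group-membership require read) and then prints, without running, the dsconfig commands that would grant those rights. The option names (--rights-name, --rest-resource-type, --set admin-permission:..., admin-scope, resource-subtree, admin-group-dn) are assumed from the dsconfig CLI; the rights name, DNs and the organizationalUnits resource type name are constructed sample values.

```shell
# Added example, not from the PingDirectory docs. Validates a Delegated Admin
# permission set against the rule that create, delete, update and
# manage-group-membership require read, then prints (does not run) the
# dsconfig commands that would grant those rights.
# ASSUMPTION: the option names (--rights-name, --rest-resource-type, --set
# admin-permission:..., admin-scope, resource-subtree, admin-group-dn) follow
# the dsconfig CLI as recalled; confirm with "dsconfig --help" on your server.

# check_permissions "create read update": returns 0 if consistent, 1 otherwise
check_permissions() {
  has_read=0
  needs_read=0
  for p in $1; do
    case "$p" in
      read) has_read=1 ;;
      create|delete|update|manage-group-membership) needs_read=1 ;;
      reference|download|upload) ;;
      *) echo "unknown permission: $p" >&2; return 1 ;;
    esac
  done
  if [ "$needs_read" -eq 1 ] && [ "$has_read" -eq 0 ]; then
    echo "create/delete/update/manage-group-membership require read" >&2
    return 1
  fi
  return 0
}

# admin_rights_cmd RIGHTS_NAME GROUP_DN: which group the rights apply to
admin_rights_cmd() {
  printf 'dsconfig create-delegated-admin-rights --rights-name "%s" --set enabled:true --set "admin-group-dn:%s"\n' "$1" "$2"
}

# resource_rights_cmd RIGHTS_NAME RESOURCE_TYPE SUBTREE_DN "perm perm ...":
# what those administrators may do with one REST resource type in one subtree
resource_rights_cmd() {
  check_permissions "$4" || return 1
  cmd="dsconfig create-delegated-admin-resource-rights --rights-name \"$1\" --rest-resource-type $2 --set enabled:true"
  for p in $4; do
    cmd="$cmd --set admin-permission:$p"
  done
  printf '%s --set admin-scope:resources-in-specific-subtree --set "resource-subtree:%s"\n' "$cmd" "$3"
}

# Constructed sample: user admins manage users under ou=People but may only
# reference the parent organizational unit type (no Manage OU navigation).
admin_rights_cmd "User Admins" "cn=User Admins,ou=Groups,dc=example,dc=com"
resource_rights_cmd "User Admins" users "ou=People,dc=example,dc=com" "create read update delete"
resource_rights_cmd "User Admins" organizationalUnits "dc=example,dc=com" "reference"
```

The printed commands are meant to be reviewed and then run by a server administrator; a permission set that omits read while asking for create, delete, update or manage-group-membership is rejected before any command is emitted.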