Delegated administration comprises three main concepts:
- Administrators
- Roles
- Scopes
Administrators
- Manage the XA/XD Site
- Can be AD users or AD groups (users nested in groups)
Roles (what are they?)
- Are tasks admins must carry out
- Are made up of defined permissions
- Can allow management access or read only access
- Are separated by Studio Node
Scopes
- A scope is the range of objects a role can affect (for example Delivery Groups, Machine Catalogs, Hosting Units)
- Each Role needs a scope specified
- There can be multiple role/scope pairs assigned to one admin. This enables users/groups to manage multiple objects in a Site where required.
- Actual resources that can be viewed or managed are dependent on the assigned role
Assigning Roles and Scopes
- By default, the first administrator is a Full Administrator
- Creating a new administrator allows you to:
  - Specify an AD user/group
  - Select an existing scope or create a new one
  - Select an existing role or create a new one
- New scopes can be created by selecting the "Scope" tab in the Administration entry in Studio.
- A scope can be created for the following 3 objects:
  - Delivery Groups
  - Machine Catalogs
  - Hosting
- New roles can be created by selecting the "Roles" tab in the Administration entry in Studio.
- A role basically holds the actions that can be performed. See below for more details:
- Preconfigured roles exist with predefined scopes/functions. Role details should show what actions can be performed.
- You can also see what permissions are granted through a specific role by using the "Report" function from the right pane
- Check the below table for separated role/scopes and also granularity
Site changes
- The action is invoked through the DDC service.
- Before completing the action, the Delegated Administration service checks to confirm permissions.
- Afterward, a WCF call is made to the service that has to perform the change.
- That service makes the change in the Site DB.
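The role/scope pairing and the permission check that precedes a Site change, as an added Python model (not Citrix code and not part of the original page). All role, scope, permission and account names are constructed, and group membership is assumed to be a direct lookup rather than a real AD query.

```python
# Constructed sample data: every name below is hypothetical.
ROLES = {  # a role is a set of permitted actions
    "Help Desk": {"DeliveryGroup.Read", "Session.Logoff"},
    "Read Only": {"DeliveryGroup.Read", "MachineCatalog.Read", "Hosting.Read"},
}
SCOPES = {  # a scope is a set of (object type, object name) entries
    "London": {("DeliveryGroup", "DG-London")},
    "Infra": {("MachineCatalog", "MC-Win10"), ("Hosting", "HU-vSphere")},
}
# An administrator is an AD user or AD group holding one or more role/scope pairs.
ADMINS = {
    "CORP\\HelpdeskLondon": [("Help Desk", "London"), ("Read Only", "Infra")],
}
GROUP_MEMBERS = {"CORP\\HelpdeskLondon": {"CORP\\alice"}}


def principals_for(user):
    """The user plus every AD group that lists the user as a member."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def check_access(user, permission, obj):
    """Return the (role, scope) pair that authorizes the action, or None.

    A pair grants access only when the role holds the permission AND the
    scope contains the object; permissions never carry over between pairs.
    """
    for principal in sorted(principals_for(user)):
        for role, scope in ADMINS.get(principal, []):
            if permission in ROLES[role] and obj in SCOPES[scope]:
                return (role, scope)
    return None


def invoke_change(user, permission, obj, site_db):
    """Check first, then apply: a denied request never reaches the Site DB."""
    pair = check_access(user, permission, obj)
    if pair is None:
        return False
    site_db.append((user, permission, obj, pair))
    return True
```

An administrator holding Help Desk on one scope and Read Only on another gets neither role's permissions on the other scope, which is the property to verify when reviewing role/scope pairs for least privilege.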
Takeaway