Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
Delegated Admin Resource Rights give a user, or group of users, authority to manage a specific resource type through the Delegated Admin API.
The following components have a direct aggregation relation from Delegated Admin Resource Rights:
The following components have a direct composition relation to Delegated Admin Resource Rights:
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties: |
---|---|
description | None |
enabled | |
rest-resource-type | |
admin-permission | |
admin-scope | |
resource-subtree | |
resources-in-group | |
description
Description | A description for this Delegated Admin Resource Rights |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
enabled
Description | Indicates whether these Delegated Admin Resource Rights are enabled. If these Delegated Admin Resource Rights are not enabled, then they are not available for authentication and authorization decisions when processing requests. |
Default Value | None |
Allowed Values | true, false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
rest-resource-type (Read-Only)
Description | Specifies the resource type applicable to these Delegated Admin Resource Rights. |
Default Value | None |
Allowed Values | The DN of any REST Resource Type. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
admin-permission
Description | Specifies administrator(s) permissions. |
Default Value | None |
Allowed Values | create - The administrator(s) can create new resources; read - The administrator(s) can read resources; reference - The administrator(s) can reference resources from an attribute with LDAP DN syntax or when selecting a parent during creation of another resource. With reference permission only, the resource type is not otherwise surfaced in the Delegated Administrator app; update - The administrator(s) can update resources; update-profile - The administrator(s) can update non-password attributes; reset-password - The administrator(s) can set passwords and initiate password resets; delete - The administrator(s) can delete resources; manage-group-membership - The administrator(s) can manage the membership of group resources; download - The administrator(s) can download resources to a file; upload - The administrator(s) can upload resources from a file. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
admin-scope
Description | Specifies the scope of these Delegated Admin Resource Rights. |
Default Value | resources-in-specific-subtrees |
Allowed Values | resources-in-specific-groups - The administrator(s) can manage only members of specific groups, as specified by resources-in-group; resources-in-specific-subtrees - The administrator(s) can manage only entries in specific subtrees within the search base, as specified by resource-subtree; all-resources-in-base - The administrator(s) can manage all entries under the search base. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
resource-subtree
Description | Specifies subtrees within the search base whose entries can be managed by the administrator(s). The admin-scope must be set to resources-in-specific-subtrees. This DN may be parameterized using ($1) in place of one of the RDN component values, e.g. ou=($1),dc=example,dc=com. If a resource subtree DN is parameterized, then the associated Admin Rights must have a parameterized admin group DN. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
resources-in-group
Description | Specifies groups whose members can be managed by the administrator(s). The admin-scope must be set to resources-in-specific-groups. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
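The scope and permission constraints in the property tables above can be checked mechanically when reviewing a deployment. The following is an added example, not code from the product or its documentation: it audits rights objects represented as Python dicts keyed by this page's property names. The object names, the dict representation, and the set of permissions treated as sensitive are assumptions made for the example.

```python
import re

# Allowed values as listed in the property tables on this page.
PERMISSIONS = {"create", "read", "reference", "update", "update-profile",
               "reset-password", "delete", "manage-group-membership",
               "download", "upload"}
SCOPE_REQUIRES = {  # admin-scope value -> property that must carry the DNs
    "resources-in-specific-subtrees": "resource-subtree",
    "resources-in-specific-groups": "resources-in-group",
    "all-resources-in-base": None,
}
SENSITIVE = {"delete", "reset-password", "upload"}  # review policy assumed here
PARAM_RDN = re.compile(r"=\(\$1\)")

# Constructed sample objects (hypothetical names), not dsconfig output.
SAMPLE = {
    "helpdesk-users": {"enabled": True, "admin-scope": "all-resources-in-base",
                       "admin-permission": ["read", "reset-password"]},
    "branch-users": {"enabled": True, "admin-permission": ["read", "update"],
                     "resource-subtree": ["ou=($1),dc=example,dc=com"]},
    "group-admins": {"enabled": True, "admin-scope": "resources-in-specific-groups",
                     "admin-permission": ["manage-group-membership"]},
}


def audit_rights(props):
    """Return a list of findings for one Delegated Admin Resource Rights object."""
    findings = []
    if "enabled" not in props:
        findings.append("enabled is required but not set")
    perms = set(props.get("admin-permission", []))
    for bad in sorted(perms - PERMISSIONS):
        findings.append(f"unknown admin-permission value: {bad}")
    scope = props.get("admin-scope", "resources-in-specific-subtrees")  # page default
    if scope not in SCOPE_REQUIRES:
        findings.append(f"unknown admin-scope value: {scope}")
        return findings
    needed = SCOPE_REQUIRES[scope]
    if needed and not props.get(needed):
        findings.append(f"admin-scope {scope} set but {needed} is empty")
    for other in ("resource-subtree", "resources-in-group"):
        if other != needed and props.get(other):
            findings.append(f"{other} is set but admin-scope is {scope}")
    if scope == "all-resources-in-base" and perms & SENSITIVE:
        findings.append("unscoped rights include: " + ", ".join(sorted(perms & SENSITIVE)))
    for dn in props.get("resource-subtree", []):
        if PARAM_RDN.search(dn):
            findings.append(f"{dn}: parameterized, Admin Rights admin group DN must be too")
    return findings
```

Calling `audit_rights(SAMPLE["helpdesk-users"])` flags password resets granted across the whole search base; the other two samples show a parameterized subtree and a group scope with no groups listed.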
To list the configured Delegated Admin Resource Rights:
dsconfig list-delegated-admin-resource-rights [--property {propertyName}] ...
To view the configuration for an existing Delegated Admin Resource Rights:
dsconfig get-delegated-admin-resource-rights-prop --rest-resource-type {name} --rights-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Delegated Admin Resource Rights:
dsconfig set-delegated-admin-resource-rights-prop --rest-resource-type {name} --rights-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Delegated Admin Resource Rights:
dsconfig create-delegated-admin-resource-rights --rest-resource-type {name} --rights-name {name} --set enabled:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Delegated Admin Resource Rights:
dsconfig delete-delegated-admin-resource-rights --rest-resource-type {name} --rights-name {name}