
Delegated Administrator

Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.

Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.

A Delegated Administrator gives a user, or group of users, authority to manage user accounts through the Delegated Admin API.


Relations to This Component

The following components have a direct composition relation to Delegated Administrators:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
  enabled
  admin-user-dn
  admin-group-dn
  admin-scope
  managed-subtree
  managed-users-in-group

Advanced Properties:
  None

Basic Properties

enabled

Description
Indicates whether the Delegated Administrator is enabled. If a Delegated Administrator is not enabled, then it is not available for authentication and authorization decisions when processing requests.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

admin-user-dn

Description
Specifies the DN of an administrative user who has authority to manage user accounts. Either admin-user-dn or admin-group-dn must be specified, but not both.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

admin-group-dn

Description
Specifies the DN of a group of administrative users who have authority to manage user accounts. Either admin-user-dn or admin-group-dn must be specified, but not both.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

admin-scope

Description
Specifies whether the administrator(s) can manage entries in specific subtrees within the search base, or members of specific groups, or all entries under the search base.
Default Value
manages-specific-subtrees
Allowed Values
manages-users-in-specific-groups - The administrator(s) can manage only members of specific groups, as specified by managed-users-in-group.

manages-specific-subtrees - The administrator(s) can manage only entries in specific subtrees within the search base, as specified by managed-subtree.

manages-all-entries - The administrator(s) can manage all entries under the search base.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

managed-subtree

Description
Specifies subtrees within the search base whose entries can be managed by the administrator(s).
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

managed-users-in-group

Description
Specifies groups whose members can be managed by the administrator(s). Only members whose entries are within the search base can be managed.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action
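
The property constraints above can be checked before a change is applied. The following is an added example, not code from the product or its documentation: lint_delegated_admin is a hypothetical helper, the DNs are constructed, and the warnings are review heuristics assumed here (the errors mirror rules stated in the property descriptions).

```python
ALLOWED_SCOPES = {
    "manages-users-in-specific-groups",
    "manages-specific-subtrees",
    "manages-all-entries",
}
DEFAULT_SCOPE = "manages-specific-subtrees"  # documented default for admin-scope

# Constructed sample: a group of administrators limited to one subtree.
SAMPLE = {
    "enabled": "true",
    "admin-group-dn": "cn=helpdesk,ou=groups,dc=example,dc=com",
    "managed-subtree": ["ou=people,dc=example,dc=com"],
}


def lint_delegated_admin(props):
    """Return (errors, warnings) for a dict of property name -> value.

    Multi-valued properties (managed-subtree, managed-users-in-group) are lists.
    """
    errors, warnings = [], []
    # enabled is required, has no default, and accepts only true or false.
    if props.get("enabled") not in ("true", "false"):
        errors.append("enabled is required and must be true or false")
    # Either admin-user-dn or admin-group-dn must be specified, but not both.
    if bool(props.get("admin-user-dn")) == bool(props.get("admin-group-dn")):
        errors.append("specify exactly one of admin-user-dn or admin-group-dn")

    scope = props.get("admin-scope", DEFAULT_SCOPE)
    subtrees = props.get("managed-subtree", [])
    groups = props.get("managed-users-in-group", [])
    if scope not in ALLOWED_SCOPES:
        errors.append("admin-scope has an unknown value: %s" % scope)
    elif scope == "manages-all-entries":
        # Assumption: the widest grant is flagged for explicit sign-off.
        warnings.append("admin-scope grants all entries under the search base")
        if subtrees or groups:
            warnings.append("managed-* values are set but admin-scope is manages-all-entries")
    elif scope == "manages-specific-subtrees":
        if not subtrees:
            warnings.append("manages-specific-subtrees selected but managed-subtree is empty")
        if groups:
            warnings.append("managed-users-in-group is set but admin-scope is manages-specific-subtrees")
    else:  # manages-users-in-specific-groups
        if not groups:
            warnings.append("manages-users-in-specific-groups selected but managed-users-in-group is empty")
        if subtrees:
            warnings.append("managed-subtree is set but admin-scope is manages-users-in-specific-groups")
    return errors, warnings
```
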


dsconfig Usage

To list the configured Delegated Administrators:

dsconfig list-delegated-administrators
     [--property {propertyName}] ...

To view the configuration for an existing Delegated Administrator:

dsconfig get-delegated-administrator-prop
     --administrator-name {name}
     --type-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Delegated Administrator:

dsconfig set-delegated-administrator-prop
     --administrator-name {name}
     --type-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Delegated Administrator:

dsconfig create-delegated-administrator
     --administrator-name {name}
     --type-name {name}
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Delegated Administrator:

dsconfig delete-delegated-administrator
     --administrator-name {name}
     --type-name {name}