Delegated administration and monitoring
Delegated administration uses three concepts: administrators, roles, and scopes. Permissions are based on an administrator’s role and the scope of this role. For example, an administrator might be assigned a Help Desk administrator role where the scope involves responsibility for end-users at one site only.
Administrative permissions determine the monitoring interface presented to administrators and the tasks they can perform. Permissions determine:
- The views the administrator can access, collectively referred to as a view.
- The desktops, machines, and sessions that the administrator can view and interact with.
- The commands the administrator can perform, such as shadowing a user’s session or enabling maintenance mode.
Monitoring now supports delegated administrator roles that allow you to assign custom defined or built-in roles to administrators. The role determines the available permissions and hence, how an administrator uses monitoring. You can also define the scope applicable for those roles. The scope defines the objects for which the role is applicable.
For information about creating delegated administrators, see the main Delegated administration article.
The built-in roles and permissions determine how administrators use Monitor:
|Administrator Role||Permissions in Monitor|
|Full Administrator||Full access to all views and can perform all commands, including shadowing a user’s session, enabling maintenance mode, and exporting trends data.|
|Delivery group Administrator||Full access to all views and can perform all commands, including shadowing a user’s session, enabling maintenance mode, and exporting trends data.|
|Read Only Administrator||Can access all views and see all objects in specified scopes in addition to global information. Can download reports from HDX channels and can export Trends data using the Export option in the Trends view. Cannot perform any other commands or change anything in the views.|
|Help Desk Administrator||Can access only the Help Desk and User Details views and can view only objects that the administrator is delegated to manage. Can shadow a user’s session and perform commands for that user. Can perform maintenance mode operations. Can use power control options for Single session OS Machines. Cannot access the Dashboard, Trends, Alerts, or Filters views. Cannot use power control options for Multi-session OS machines.|
|Machine catalog Administrator||Can access only the Machine Details page (Machine-based search).|
|Host Administrator||No access. This administrator is not supported for Monitor and cannot view data.|
|Probe Agent Administrator||Read-only access to Applications page, cannot access any other view. Meant to run the Citrix Probe Agent on endpoint machines.|
|Monitoring Full Administrator||Has full access to all views and commands in the Monitor tab.|
|Session Administrator||Can view Delivery Groups and manage their associated sessions and machines on the Filters page of the Monitor tab.|
To assign a role (built-in or custom) to a user, from the Citrix Cloud menu, go to Identity and Access Management > Administrators. Here, when you add or edit the access of an administrator, you can select Custom Access and one of the listed roles.
You can define custom roles and scopes in Full Configuration > Administrators > Administrators.
The built-in roles and custom roles are listed for selection with custom scope.