Delegated Administration

Overview

With Delegated Administration in Citrix Cloud, you can configure the access permissions that all of your administrators need, in accordance with their role in your organization.

By default, administrators have full access. This setting enables access to all available customer administration and management functions in Citrix Cloud, plus all subscribed services. To tailor an administrator’s access:

  • Configure custom access for an administrator’s general management permissions in Citrix Cloud.
  • Configure custom access for subscribed services. In the Citrix Virtual Apps and Desktops service, you can configure custom access when you invite a new administrator. You can change an administrator’s access later.

Details about displaying the list of administrators and defining access permissions are available in Add administrators to a Citrix Cloud account.

This article describes how to configure custom access in the Citrix Virtual Apps and Desktops service.

Administrators, roles, and scopes

Delegated Administration uses three concepts for custom access: administrators, roles, and scopes.

  • Administrators: An administrator represents a person identified by their Citrix Cloud sign-in, which is typically an email address. Each administrator is associated with one or more role and scope pairs.
  • Roles: A role represents a job function, and has permissions associated with it. These permissions allow certain tasks that are unique to the service. For example, the Delivery Group Administrator role has permission to create a Delivery Group and remove a desktop from a Delivery Group, plus other associated permissions. An administrator can have multiple roles. An administrator might be a Delivery Group Administrator and a Machine Catalog Administrator.

    The service offers several built-in custom access roles. You cannot change the permissions within these built-in roles, or delete those roles.

    You can create your own custom access roles to meet your organization’s requirements, and delegate permissions with more detail. Use custom roles to allocate permissions at the granularity of an action or task. You can delete a customized role only if it is not assigned to an administrator.

    You can change which roles an administrator has.

    A role is always paired with a scope.

  • Scopes: A scope represents a collection of objects. Scopes are used to group objects in a way that is relevant to your organization. Objects can be in more than one scope.

    There is one built-in scope: All, which contains all objects. Cloud Administrators and Help Desk Administrators are always paired with the All scope. That scope cannot be changed for those administrators.

    When you invite (add) an administrator for this service, a role is always paired with a scope (by default, the All scope).

    You create and delete scopes in the service’s Manage console. You assign role/scope pairs in the Citrix Cloud console.

    A scope is not shown for Full access administrators. By definition, those administrators have access to all customer-managed Citrix Cloud and subscribed services objects.

Built-in roles and scopes

The service has the following built-in roles.

  • Cloud Administrator: Can perform all tasks that can be initiated from the service.

    Can see the Manage and Monitor tabs in the console. This role is always combined with the All scope; you cannot change the scope.

    Do not be confused by this role’s name. A custom access Cloud Administrator cannot perform Citrix Cloud-level tasks (Citrix Cloud tasks require Full access).

  • Read Only Administrator: Can see all objects in the specified scopes (in addition to global information), but cannot change anything. For example, a Read Only Administrator with Scope=London can see all global objects and any London-scoped objects (for example, London Delivery Groups). However, that administrator cannot see objects in the New York scope (assuming that the London and New York scopes do not overlap).

    Can see the Manage tab in the console, cannot see the Monitor tab. You can change the scope.

  • Help Desk Administrator: Can view Delivery Groups, and manage the sessions and machines associated with those groups. Can see the machine catalog and host information for the Delivery Groups being monitored. Can also perform session management and machine power management operations for the machines in those Delivery Groups.

    Can see the Monitor tab in the console, cannot see the Manage tab. This role is always combined with the All scope; you cannot change the scope.

  • Machine Catalog Administrator: Can create and manage machine catalogs and provision the machines into them. Can manage base images and install software, but cannot assign applications or desktops to users.

    Can see the Manage tab in the console, cannot see the Monitor tab. You can change the scope.

  • Delivery Group Administrator: Can deliver applications, desktops, and machines. Can also manage the associated sessions. Can manage application and desktop configurations such as policies and power management settings.

    Can see the Manage tab in the console, cannot see the Monitor tab. You can change the scope.

  • Host Administrator: Can manage host connections and their associated resource settings. Cannot deliver machines, applications, or desktops to users.

    Can see the Manage tab in the console, cannot see the Monitor tab. You can change the scope.

The following table summarizes which console tabs are visible for each custom access role in the service, and whether the role can be used with custom scopes.

Custom access administrator role   Can see Manage tab in console?   Can see Monitor tab in console?   Can role be used with custom scopes?
Cloud Administrator                Yes                              Yes                               No
Read Only Administrator            Yes                              No                                Yes
Help Desk Administrator            No                               Yes                               No
Machine Catalog Administrator      Yes                              No                                Yes
Delivery Group Administrator       Yes                              No                                Yes
Host Administrator                 Yes                              No                                Yes
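The following Python model is an added illustration of how the role, scope and role/scope-pair rules above combine into an access decision; it is not Citrix code. The permission names, the sample objects and the way each object records which scopes it belongs to are assumptions made for the example (the real permission list is visible under Configuration > Administrators > Roles in the Manage console). It reproduces the Read Only Administrator with Scope=London case from the role descriptions, and enforces that Cloud Administrator and Help Desk Administrator can only ever be paired with All.

```python
"""Toy model of Citrix Cloud custom access: roles, scopes and role/scope pairs.

Constructed example, not Citrix code. Permission names, object ids and the
scope-membership representation are assumptions made for illustration.
"""
from dataclasses import dataclass, field

ALL = "All"

# Whether each built-in role may be paired with a custom scope (from the
# summary table above; the two "No" roles are always paired with All).
CUSTOM_SCOPE_ALLOWED = {
    "Cloud Administrator": False,
    "Read Only Administrator": True,
    "Help Desk Administrator": False,
    "Machine Catalog Administrator": True,
    "Delivery Group Administrator": True,
    "Host Administrator": True,
}

# Illustrative permission sets (assumed names, trimmed to a few per role).
# "*" stands for every permission the service exposes.
ROLE_PERMISSIONS = {
    "Cloud Administrator": {"*"},
    "Read Only Administrator": {"DeliveryGroup.Read", "MachineCatalog.Read", "Host.Read"},
    "Help Desk Administrator": {"DeliveryGroup.Read", "Session.Manage", "Machine.Power"},
    "Machine Catalog Administrator": {"MachineCatalog.Read", "MachineCatalog.Create"},
    "Delivery Group Administrator": {"DeliveryGroup.Read", "DeliveryGroup.Create"},
    "Host Administrator": {"Host.Read", "Host.ManageConnection"},
}


@dataclass(frozen=True)
class Obj:
    """An administered object and the custom scopes it belongs to.
    An object can be in several scopes; every object is implicitly in All."""
    name: str
    kind: str
    scopes: frozenset


def can_pair(role, scope):
    """True if `role` may be paired with `scope` under the built-in rules."""
    if role not in CUSTOM_SCOPE_ALLOWED:
        return False
    return scope == ALL or CUSTOM_SCOPE_ALLOWED[role]


@dataclass
class Administrator:
    email: str                       # Citrix Cloud sign-in identity
    full_access: bool = False        # Full access: no scope is shown at all
    pairs: list = field(default_factory=list)  # [(role, scope), ...]

    def assign(self, role, scope=ALL):
        """Pair a role with a scope, rejecting pairs the service never offers."""
        if not can_pair(role, scope):
            raise ValueError(f"{role!r} cannot be paired with scope {scope!r}")
        self.pairs.append((role, scope))


def is_permitted(admin, permission, obj):
    """Grant if some role/scope pair carries the permission AND its scope
    contains the object. Scopes are independent, so a London-scoped pair
    says nothing about a New York-scoped object."""
    if admin.full_access:
        return True
    for role, scope in admin.pairs:
        perms = ROLE_PERMISSIONS[role]
        if "*" not in perms and permission not in perms:
            continue
        if scope == ALL or scope in obj.scopes:
            return True
    return False


def demo():
    """The Read Only Administrator with Scope=London example from the text."""
    london_dg = Obj("Sales-DG", "DeliveryGroup", frozenset({"London"}))
    ny_dg = Obj("Trading-DG", "DeliveryGroup", frozenset({"New York"}))
    reader = Administrator("reader@example.com")
    reader.assign("Read Only Administrator", "London")
    return {
        "sees_london": is_permitted(reader, "DeliveryGroup.Read", london_dg),
        "sees_new_york": is_permitted(reader, "DeliveryGroup.Read", ny_dg),
        "can_create_in_london": is_permitted(reader, "DeliveryGroup.Create", london_dg),
    }


if __name__ == "__main__":
    print(demo())
```

The decision is a disjunction over the administrator's pairs: each pair is checked on its own, so holding a scoped Read Only pair and a scoped Delivery Group Administrator pair never widens either one beyond its own scope.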

To view the permissions associated with a role:

  1. Sign in to Citrix Cloud if you haven’t already. Select My Services > Virtual Apps and Desktops in the upper left menu. Select the Manage tab.
  2. Click Configuration > Administrators in the navigation pane and then click the Roles tab.
  3. Select a role in the upper middle pane. The Role definition tab in the lower pane lists the categories and permissions. Select a category to see the specific permissions. The Administrators tab lists the administrators who have been assigned the selected role.

    Known issue: A Full Administrator entry in the Manage console does not display the correct set of permissions for a full access service administrator.

How many administrators you need

The number of administrators and the granularity of their permissions generally depend on the size and complexity of the deployment.

  • In small or proof of concept deployments, one or a few administrators do everything. There is no custom access delegation. In this case, each administrator has Full access, which always has the All scope.
  • In larger deployments with more machines, applications, and desktops, more delegation is needed. Several administrators might have more specific functional responsibilities (roles). For example, two have Full access, and others are Help Desk Administrators. Also, an administrator might manage only certain groups of objects (scopes), such as machine catalogs in a particular department. In this case, create new scopes, plus administrators with the appropriate custom access role and scopes.

Administrator management summary

Setting up administrators for the service follows this sequence:

  1. If you want the new administrator to have a role other than a Full administrator (which covers all subscribed services in Citrix Cloud) or a built-in role, create a custom role.
  2. If you want the new administrator to have a scope other than All (and a different scope is allowed for the intended role, and has not already been created), create scopes.
  3. From Citrix Cloud, invite an administrator. If you want the new administrator to have anything other than the default Full access, specify a custom access role and scope pair.

Later, if you want to change an administrator’s access (roles and scope), see Configure custom access.

Invite an administrator

Adding administrators follows the guidance detailed in Add administrators to a Citrix Cloud account. A subset of that information is repeated here.

Important:

Do not confuse how “custom” and “custom access” are used.

  • When creating administrators and assigning roles for the service in the Citrix Cloud console, the term “custom access” includes both the built-in roles and any additional custom roles that were created in the service’s Manage console.
  • In the service’s Manage console, “custom” simply differentiates that role from a built-in role.

To add and invite an administrator:

  1. After signing in to Citrix Cloud, select Identity and Access Management in the upper left menu.

  2. On the Identity and Access Management page, click Administrators. The display lists the current administrators in the account.
  3. Click Add administrators from, and then select your authentication method. Enter the person’s email address. Optionally, select a role and scope pair.

    If you do not select a custom access role and scope pair, the new administrator is assigned full access by default. That setting includes access to all customer administrator functions in Citrix Cloud and in all subscribed services.

    If you want that administrator to have more limited access, select a custom access role and scope pair. In that way, new administrators have the intended permissions when they sign in to Citrix Cloud for the first time.

  4. Click Invite. Citrix Cloud sends an invitation to the email address you specified and adds the administrator to the list.

    When the administrator receives the email, they click the Join link to accept the invitation.

Create and manage roles

When administrators create or edit a role, they can enable only the permissions that they themselves have. This prevents administrators from creating a role with more permissions than they currently have and then assigning it to themselves (or editing a role that they are already assigned).

Custom role names can contain up to 64 Unicode characters. They cannot contain: backslash, forward slash, semicolon, colon, pound sign, comma, asterisk, question mark, equal sign, left arrow, right arrow, pipe, left or right bracket, left or right parenthesis, quotation marks, and apostrophe.

Role descriptions can contain up to 256 Unicode characters.
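As an added example (not Citrix code), the following Python mirrors the two rules just described: a role name or description is rejected when it exceeds the stated length or contains one of the listed characters, and an administrator creating a role can enable only permissions they themselves hold. The character set is my reading of the list above; "left arrow" and "right arrow" are taken as < and >, and "left or right bracket" as [ and ] (an assumption; the console's own check is authoritative). Permission names are illustrative. The same name and description limits apply to scopes in the section that follows, so `validate_name` and `validate_description` serve both.

```python
"""Client-side checks for the custom role rules: name/description limits,
forbidden characters, and "no more permissions than the creator holds".

Constructed example, not Citrix code. Assumptions: arrows are < and >,
brackets are [ and ], and a "character" is one Unicode code point.
"""

# backslash, forward slash, semicolon, colon, pound sign, comma, asterisk,
# question mark, equal sign, arrows, pipe, brackets, parentheses, quotes.
FORBIDDEN = set('\\/;:#,*?=<>|[]()"\'')
NAME_MAX = 64
DESC_MAX = 256


def validate_name(name):
    """Return a list of problems with a role (or scope) name; [] means OK."""
    problems = []
    if not name.strip():
        problems.append("name is empty")
    if len(name) > NAME_MAX:          # len() counts Unicode code points
        problems.append(f"name longer than {NAME_MAX} characters")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


def validate_description(description):
    """Return a list of problems with a role (or scope) description."""
    if len(description) > DESC_MAX:
        return [f"description longer than {DESC_MAX} characters"]
    return []


def role_creation_problems(creator_permissions, name, description, permissions):
    """Everything that would stop `creator` from saving this custom role.
    The last check is the anti-escalation rule: a permission the creator
    does not hold cannot be enabled in a role the creator defines."""
    problems = validate_name(name) + validate_description(description)
    missing = set(permissions) - set(creator_permissions)
    if missing:
        problems.append("creator does not hold: " + ", ".join(sorted(missing)))
    return problems


def create_role(creator_permissions, name, description, permissions):
    """Build the role record, or raise with every problem found."""
    problems = role_creation_problems(creator_permissions, name, description, permissions)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "name": name,
        "description": description,
        "permissions": frozenset(permissions),
        "builtin": False,   # custom roles can be edited or deleted later
    }


if __name__ == "__main__":
    mine = {"MachineCatalog.Read", "MachineCatalog.Create"}
    print(create_role(mine, "Catalog builder", "Builds catalogs", ["MachineCatalog.Create"]))
    print(role_creation_problems(mine, "Ops/London", "", ["DeliveryGroup.Create"]))
```

Reporting all problems at once, rather than the first one, matches what an administrator needs when fixing a rejected name; the escalation check is kept separate from the cosmetic checks so it can be audited on its own.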

  1. Sign in to Citrix Cloud if you haven’t already. Select My Services > Virtual Apps and Desktops in the upper left menu. Select the Manage tab.
  2. Click Configuration > Administrators in the navigation pane, and then click the Roles tab in the upper middle pane.
  3. Follow the instructions for the task you want to complete:

    • View role details: Select the role in the middle pane. The lower portion of the middle pane lists the object types and associated permissions for the role. Click the Administrators tab in the lower pane to display a list of administrators who currently have this role.
    • Create a custom role: Click Create new Role in the Actions pane. Enter a name and description. Select the object types and permissions. When you’re done, click Save.

      (Screenshot: Create new role dialog box)

    • Copy a role: Select the role in the middle pane and then click Copy Role in the Actions pane. Change the name, description, object types, and permissions, as needed. When you’re done, click Save.
    • Edit a custom role: Select the role in the middle pane and then click Edit Role in the Actions pane. Change the name, description, object types, and permissions, as needed. You cannot edit a built-in role. When you’re done, click Save.
    • Delete a custom role: Select the role in the middle pane and then click Delete Role in the Actions pane. When prompted, confirm the deletion. You cannot delete a built-in role. You cannot delete a custom role if it is assigned to an administrator.

Create and manage scopes

By default, all roles have the All scope for their relevant objects. For example, a Delivery Group Administrator can manage all Delivery Groups. For some administrator roles, you can create a scope that allows that administrator role to access a subset of the relevant objects. For example, you might want to give a Machine Catalog Administrator access to only catalogs that contain a certain type of machine, rather than all catalogs.

  • Full access administrators or custom access Cloud Administrators can create scopes for the Read Only Administrator, Machine Catalog Administrator, Delivery Group Administrator, and Host Administrator roles.
  • Scopes cannot be created for Full access administrators, nor can they be created for Cloud Administrators or Help Desk Administrators, because those administrators always have the All scope.

Rules for creating and managing scopes:

  • Scope names can contain up to 64 Unicode characters. Scope names cannot include: backslash, forward slash, semicolon, colon, pound sign, comma, asterisk, question mark, equal sign, left or right arrow, pipe, left or right bracket, left or right parenthesis, quotation marks, and apostrophe.
  • Scope descriptions can contain up to 256 Unicode characters.
  • When you copy or edit a scope, keep in mind that removing objects from the scope can make those objects inaccessible to an administrator. If the edited scope is paired with one or more roles, ensure that your scope updates do not make any role/scope pair unusable.

To create and manage scopes:

  1. Sign in to Citrix Cloud if you haven’t already. Select My Services > Virtual Apps and Desktops in the upper left menu. Select the Manage tab.
  2. Click Configuration > Administrators in the navigation pane and then click the Scopes tab in the upper middle pane.
  3. Follow the instructions for the task you want to complete:

    • View scope details: Select the scope in the middle pane. The lower portion of the middle pane lists the object types and objects included in the scope. Click the Administrators tab in the lower pane to display a list of administrators who currently have a role paired with this scope.
    • Create a scope: Click Create Scope in the Actions pane. Enter a name and description. The objects are listed by type, such as Delivery Group and Machine Catalog.
      • To include all objects of a particular type (for example, all Delivery Groups), select the check box for the object type.
      • To include individual objects within a type, expand the type and then select the check boxes for the objects (for example, specific Delivery Groups).

      When you’re done, click Save.

      (Screenshot: Create Scope dialog box)

    • Copy a scope: Select the scope in the middle pane and then click Copy Scope in the Actions pane. Change the name and description, and change the object types and objects, as needed. When you’re done, click Save.
    • Edit a scope: Select the scope in the middle pane and then click Edit Scope in the Actions pane. Change the name, description, object types, and objects, as needed. When you’re done, click Save.
    • Delete a scope: Select the scope in the middle pane and then click Delete Scope in the Actions pane. When prompted, confirm the deletion.

      You cannot delete a scope if it is assigned to a role. If you attempt to do this, an error message indicates that you do not have permission. In fact, the error occurs because the role/scope pair that uses this scope is assigned to an administrator. First, remove the role/scope pair assignment for all administrators who use it. Then delete the scope in the Manage console.

After you create a scope, it appears in the Custom access list in the Citrix Cloud console, paired with its appropriate role. You can then assign it to an administrator.

For example, let’s say you create a scope named CAD, and select the machine catalogs that contain machines suitable for CAD applications. When you return to the Citrix Cloud console, the list of service-level custom access role/scope pairs now has new entries (marked "new" below):

  • Cloud Administrator,All
  • Delivery Group Administrator,All
  • Delivery Group Administrator,CAD (new)
  • Help Desk Administrator,All
  • Host Administrator,All
  • Host Administrator,CAD (new)
  • Machine Catalog Administrator,All
  • Machine Catalog Administrator,CAD (new)
  • Read Only,All
  • Read Only,CAD (new)

The Cloud Administrator and Help Desk Administrator always have the All scope, so the CAD scope does not apply to them.
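The following Python is an added example, not Citrix code, that ties together three scope rules from this section: which role/scope pairs appear in the Custom access list once a custom scope exists (the CAD example above), the warning that editing a scope can silently remove objects from an administrator's reach, and the rule that a scope cannot be deleted while any administrator holds a role/scope pair that uses it. Administrator addresses, object names and the assignment table are constructed; role names follow the list above, including its "Read Only" spelling.

```python
"""Scope lifecycle checks for custom access role/scope pairs.

Constructed example, not Citrix code. Assignments are modelled as
{administrator: [(role, scope), ...]}; object names are made up.
"""

ALL = "All"

# Roles that may be paired with a custom scope, named as in the Custom
# access list above, and the two roles that are always paired with All.
SCOPED_ROLES = (
    "Delivery Group Administrator",
    "Host Administrator",
    "Machine Catalog Administrator",
    "Read Only",
)
ALWAYS_ALL_ROLES = ("Cloud Administrator", "Help Desk Administrator")


def custom_access_pairs(custom_scopes):
    """Role/scope pairs offered in the Citrix Cloud Custom access list:
    every built-in role with All, plus each custom scope for the roles that
    accept one. Sorted the way the list above is ordered."""
    pairs = [(role, ALL) for role in ALWAYS_ALL_ROLES + SCOPED_ROLES]
    pairs += [(role, scope) for role in SCOPED_ROLES for scope in custom_scopes]
    return sorted(pairs)


def admins_using_scope(assignments, scope_name):
    """Administrators holding at least one pair that uses `scope_name`."""
    return sorted(
        admin for admin, pairs in assignments.items()
        if any(scope == scope_name for _, scope in pairs)
    )


def scope_edit_impact(assignments, scope_name, objects_before, objects_after):
    """Before saving an edited scope: which administrators lose access to
    which objects. Only administrators with a pair on this scope are
    affected; removed objects stay reachable through their All-scoped pairs."""
    removed = set(objects_before) - set(objects_after)
    if not removed:
        return {}
    return {admin: sorted(removed) for admin in admins_using_scope(assignments, scope_name)}


def can_delete_scope(assignments, scope_name):
    """Deletion is blocked while any administrator holds a pair on the
    scope; the blocking administrators must be unassigned first."""
    blocking = admins_using_scope(assignments, scope_name)
    return (not blocking, blocking)


if __name__ == "__main__":
    # Constructed assignment table.
    assignments = {
        "cad-ops@example.com": [("Machine Catalog Administrator", "CAD")],
        "hosts@example.com": [("Host Administrator", ALL)],
    }
    for role, scope in custom_access_pairs(["CAD"]):
        print(f"{role},{scope}")
    print(scope_edit_impact(assignments, "CAD",
                            {"CAD-Catalog-1", "CAD-Catalog-2"}, {"CAD-Catalog-1"}))
    print(can_delete_scope(assignments, "CAD"))
```

Running `scope_edit_impact` before saving is the practical answer to the rule about not leaving a role/scope pair unusable: an empty `objects_after` set is the degenerate case where every affected administrator loses every object the scope covered.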

Configure custom access for an administrator

By default, when you invite administrators, they have Full access.

Remember: Full access allows the administrator to manage all subscribed services plus customer administrator Citrix Cloud operations (such as inviting more administrators). A Citrix Cloud deployment needs at least one administrator with Full access.

To configure custom access for an administrator:

  1. Sign in to Citrix Cloud if you haven’t already. Select Identity and Access Management > Administrators in the upper left menu.
  2. Locate the administrator you want to manage, click the ellipsis menu, and select Edit access.
  3. Select Custom access. To configure service-specific custom access, under Virtual Apps and Desktops, select or clear the check marks next to one or more role and scope pairs in the Custom access list.

    If you have not created any scopes and assigned them to a role, every role in the Custom access list has the All scope. For example, the role/scope entry Delivery Group Administrator,All indicates that role has the All scope.

    When you create a role or scope, it appears in the custom access list for the service and can be selected. For example, if you created a scope named Catalog1, the Custom access list includes a Machine Catalog Administrator,Catalog1 entry, in addition to the default Machine Catalog Administrator,All entry.

  4. If the administrator you’re editing already has custom access and you want to give that administrator full access, select Full access.
  5. When you’re done, click Save.

The following screenshot shows the full access and the custom access built-in administrator roles.

(Screenshot: Custom access display)

Differences from on-premises Citrix Virtual Apps and Desktops

If you’re familiar with Delegated Administration in the on-premises Citrix Virtual Apps and Desktops version, the service version has several differences.

In Citrix Cloud:

  • Administrators are identified by their Citrix Cloud login, rather than their Active Directory account. You can create role/scope pairs for Active Directory individuals, but not groups.
  • Administrators are created, configured, and deleted in the Citrix Cloud console, rather than the service’s Manage console (Studio).
  • Role/scope pairs are assigned to administrators in the Citrix Cloud console, rather than the service’s Manage console (Studio).
  • Reports are not available. You can view administrator, role, and scope information in the Manage console.
  • The custom access Cloud Administrator is similar to a Full Administrator in the on-premises version. Both have full management and monitoring permissions for the Citrix Virtual Apps and Desktops version being used. However, in the service, there is no named Full Administrator role. Do not equate “Full access” in Citrix Cloud with the “Full administrator” in on-premises Citrix Virtual Apps and Desktops. Full access in Citrix Cloud spans the platform-level domains, library, notifications, and resource locations, plus all subscribed services.

Differences from earlier service releases

Before the release of the expanded custom access feature (September 2018), there were two custom access administrator roles: Full Administrator and Help Desk Administrator. When your deployment has Delegated Administration enabled (which is a platform setting), those roles are mapped automatically.

  • An administrator who was formerly configured as a custom access Virtual Apps and Desktops (or XenApp and XenDesktop) Service: Full Administrator is now a custom access Cloud Administrator.
  • An administrator who was formerly configured as a custom access Virtual Apps and Desktops (or XenApp and XenDesktop) Service: Help Desk Administrator is now a custom access Help Desk Administrator.

More information

See Delegated Administration and Monitoring for information about administrators, roles, and scopes used in the service’s Monitor console.