Delegated Administration

Overview

With Delegated Administration in Citrix Cloud, you can configure the access permissions that all of your administrators need, in accordance with their role in your organization.

By default, administrators have full access. This enables access to all available customer administration and management functions in Citrix Cloud, plus all of the subscribed services. To tailor an administrator’s access:

  • Configure custom access for an administrator’s general management permissions in Citrix Cloud.
  • Configure custom access for subscribed services. In the Citrix Virtual Apps and Desktops service, you can configure custom access when you invite a new administrator. You can change an administrator’s access later.

Details about displaying the list of administrators and defining access permissions are available in Add administrators to a Citrix Cloud account.

This article describes how to configure custom access in the Citrix Virtual Apps and Desktops service.

Administrators, roles, and scopes

Delegated Administration uses three concepts for custom access: administrators, roles, and scopes.

  • Administrators: An administrator represents a person identified by their Citrix Cloud sign-in, which is typically an email address. Each administrator is associated with one or more role and scope pairs.
  • Roles: A role represents a job function, and has permissions associated with it. These permissions allow certain tasks that are unique to the service. For example, the Delivery Group Administrator role has permission to create a Delivery Group and remove a desktop from a Delivery Group, plus other associated permissions. An administrator can have multiple roles. An administrator might be a Delivery Group Administrator and a Machine Catalog Administrator.

    The service offers several built-in custom access roles. (You cannot create other custom access roles.) You cannot change the permissions within these built-in custom access roles, or delete those roles. You can change which roles an administrator has.

    A role is always paired with a scope.

  • Scopes: A scope represents a collection of objects. Scopes are used to group objects in a way that is relevant to your organization. Objects can be in more than one scope.

    There is one built-in scope: All, which contains all objects. Citrix Cloud and Help Desk administrators are always paired with the All scope. That scope cannot be changed for those administrators.

    When you invite (add) an administrator for this service, a role is always paired with a scope (by default, the All scope).

    You create and delete scopes in the Studio console. You assign role/scope pairs in the Citrix Cloud console.

    A scope is not shown for Full access administrators. By definition, those administrators have access to all customer-managed Citrix Cloud and subscribed services objects.

Built-in custom access roles and scopes

The service has the following built-in custom access roles.

  • Cloud Administrator: Can perform all tasks that can be initiated from the service.

    Can see the Manage and Monitor tabs in the console. This role is always combined with the All scope; you cannot change the scope.

    Do not be confused by this role’s name. A custom access Cloud Administrator cannot perform Citrix Cloud-level tasks (Citrix Cloud tasks require Full access).

  • Read Only Administrator: Can see all objects in the specified scopes (in addition to global information), but cannot change anything. For example, a Read Only Administrator with Scope=London can see all global objects and any London-scoped objects (for example, London Delivery Groups). However, that administrator cannot see objects in the New York scope (assuming that the London and New York scopes do not overlap).

    Can see the Manage tab in the console, cannot see the Monitor tab. You can change the scope.

  • Help Desk Administrator: Can view Delivery Groups, and manage the sessions and machines associated with those groups. Can see the machine catalog and host information for the Delivery Groups being monitored. Can also perform session management and machine power management operations for the machines in those Delivery Groups.

    Can see the Monitor tab in the console, but cannot see the Manage tab. This role is always combined with the All scope; you cannot change the scope.

  • Machine Catalog Administrator: Can create and manage machine catalogs and provision the machines into them. Can manage base images and install software, but cannot assign applications or desktops to users.

    Can see the Manage tab in the console, cannot see the Monitor tab. You can change the scope.

  • Delivery Group Administrator: Can deliver applications, desktops, and machines. Can also manage the associated sessions. Can manage application and desktop configurations such as policies and power management settings.

    Can see the Manage tab in the console, cannot see the Monitor tab. You can change the scope.

  • Host Administrator: Can manage host connections and their associated resource settings. Cannot deliver machines, applications, or desktops to users.

    Can see the Manage tab in the console, cannot see the Monitor tab. You can change the scope.

The following table summarizes which console tabs are visible for each custom access role in the service, and whether the role can be used with custom scopes.

Custom access administrator role    Can see Manage tab?   Can see Monitor tab?   Can be used with custom scopes?
Cloud Administrator                 Yes                   Yes                    No
Read Only Administrator             Yes                   No                     Yes
Help Desk Administrator             No                    Yes                    No
Machine Catalog Administrator       Yes                   No                     Yes
Delivery Group Administrator        Yes                   No                     Yes
Host Administrator                  Yes                   No                     Yes
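The role table and the scope rules above can be captured in a small model, which makes it easy to reason about what a given administrator can see before you hand out a role/scope pair. The following is an added illustration, not Citrix code or any Citrix API: the role table is transcribed from the article, and the administrators, objects and scope names (London, New York) are constructed for the example. It reproduces the Read Only Administrator / Scope=London case described above and enforces the rule that Cloud Administrator and Help Desk Administrator are always paired with the All scope.

```python
"""Model of the Citrix Cloud custom-access roles and scopes described above.

Added illustration, not Citrix code: the role table comes from the article,
the sample administrators, objects and scopes are constructed here.
"""
from dataclasses import dataclass, field

# Built-in custom access roles (from the article's table):
# role -> (can see Manage tab, can see Monitor tab, may use a custom scope)
ROLES = {
    "Cloud Administrator":           (True,  True,  False),
    "Read Only Administrator":       (True,  False, True),
    "Help Desk Administrator":       (False, True,  False),
    "Machine Catalog Administrator": (True,  False, True),
    "Delivery Group Administrator":  (True,  False, True),
    "Host Administrator":            (True,  False, True),
}

ALL = "All"  # the single built-in scope; it contains every object


@dataclass
class ManagedObject:
    name: str
    kind: str                                   # e.g. "Delivery Group"
    scopes: set = field(default_factory=set)    # an object can sit in several scopes
    is_global: bool = False                     # global information is visible in any scope


@dataclass
class Administrator:
    signin: str                 # Citrix Cloud sign-in, typically an email address
    pairs: list                 # list of (role, scope) tuples
    full_access: bool = False   # Full access: no pairs and no scope shown


def make_pair(role, scope):
    """Build a role/scope pair, rejecting combinations the service does not allow."""
    if role not in ROLES:
        raise ValueError(f"unknown built-in role: {role}")
    if scope != ALL and not ROLES[role][2]:
        raise ValueError(f"{role} is always paired with the All scope")
    return (role, scope)


def can_see(admin, obj):
    """True if at least one of the administrator's scopes contains the object."""
    if admin.full_access or obj.is_global:
        return True
    return any(scope == ALL or scope in obj.scopes for _, scope in admin.pairs)


def visible_tabs(admin):
    """Console tabs the administrator sees, as the union over their roles."""
    if admin.full_access:
        return {"Manage", "Monitor"}
    tabs = set()
    for role, _ in admin.pairs:
        manage, monitor, _ = ROLES[role]
        if manage:
            tabs.add("Manage")
        if monitor:
            tabs.add("Monitor")
    return tabs


# Constructed sample data: two non-overlapping scopes plus one shared catalog.
london_dg = ManagedObject("London-DG", "Delivery Group", {"London"})
newyork_dg = ManagedObject("NewYork-DG", "Delivery Group", {"New York"})
shared_catalog = ManagedObject("Shared-Catalog", "Machine Catalog", {"London", "New York"})
site_policy = ManagedObject("Site policy", "Policy", set(), is_global=True)

london_ro = Administrator("ro@example.com", [make_pair("Read Only Administrator", "London")])
helpdesk = Administrator("hd@example.com", [make_pair("Help Desk Administrator", ALL)])
dual = Administrator("dual@example.com", [make_pair("Delivery Group Administrator", "London"),
                                          make_pair("Machine Catalog Administrator", "New York")])
owner = Administrator("owner@example.com", [], full_access=True)

if __name__ == "__main__":
    for admin in (london_ro, helpdesk, dual, owner):
        seen = [o.name for o in (london_dg, newyork_dg, shared_catalog, site_policy) if can_see(admin, o)]
        print(f"{admin.signin}: tabs={sorted(visible_tabs(admin))} sees={seen}")
```

The check in `can_see` is scope-only: what an administrator may do with an object once they can see it is decided by the role, which the article describes per role but does not enumerate, so it is not modelled here.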

To view the permissions associated with a role:

  1. Sign in to Citrix Cloud if you haven’t already. Select My Services > Virtual Apps and Desktops in the upper left menu. Select the Manage tab.
  2. Click Configuration > Administrators in the Studio navigation pane and then click the Roles tab.
  3. Select a role in the upper middle pane. The Role definition tab in the lower pane lists the categories and permissions. Select a category to see the specific permissions. The Administrators tab lists the administrators who have been assigned the role selected above.

    Known issue: A Full Administrator entry in Studio does not display the correct set of permissions for a full access service administrator.

How many administrators you need

The number of administrators and the granularity of their permissions generally depend on the size and complexity of the deployment.

  • In small or proof-of-concept deployments, one or a few administrators do everything, and there is no custom access delegation. In this case, each administrator has Full access, which always has the All scope.
  • In larger deployments with more machines, applications, and desktops, more delegation is needed. Several administrators might have more specific functional responsibilities (roles). For example, two have Full access, and others are Help Desk Administrators. Additionally, an administrator might manage only certain groups of objects (scopes), such as machine catalogs in a particular department. In this case, create new scopes, plus administrators with the appropriate custom access role and scopes.

Administrator management summary

Setting up additional administrators for the service follows this sequence:

  1. If you want the new administrator to have a scope other than All (and a different scope is allowed for the intended role, and has not already been created), create scopes in Studio.
  2. From Citrix Cloud, invite an administrator. If you want the new administrator to have anything other than the default Full access, specify a custom role and scope pair.

Later, if you want to change an administrator’s access, see Configure custom access.

Invite an administrator

Adding administrators follows the guidance detailed in Add administrators to a Citrix Cloud account. A subset of that information is repeated here.

  1. After signing in to Citrix Cloud, select Identity and Access Management in the upper left menu.
  2. On the Identity and Access Management page, click Administrators. The display lists the current administrators in the account.
  3. Click Add administrators from, and then select your authentication method. Enter the person’s email address. Optionally, select a role and scope pair.

    If you do not select a custom role and scope pair, the new administrator is assigned full access by default. That access includes access to all customer administrator functions in Citrix Cloud and in all subscribed services.

    If you want that administrator to have more limited access, select one of the custom access role and scope pairs. In that way, new administrators have the intended permissions when they sign in to Citrix Cloud for the first time.

  4. Click Invite. Citrix Cloud sends an invitation to the email address you specified and adds the administrator to the list.

    When the administrator receives the email, they click the Join link to accept the invitation.

Create scopes

By default, all roles have the All scope for their relevant objects. For example, a Delivery Group Administrator can manage all Delivery Groups. For some administrator roles, you can create a scope that allows that administrator role to access a subset of the relevant objects. For example, you might want to give a Machine Catalog Administrator access to only the catalogs that contain a certain type of machine, rather than all catalogs.

  • Full access administrators or custom access Cloud Administrators can create scopes for the Read Only Administrator, Machine Catalog Administrator, Delivery Group Administrator, and Host Administrator roles.
  • Scopes cannot be created for Full access administrators, nor can they be created for Cloud Administrators or Help Desk Administrators, because those administrators always have the All scope.

Rules for creating and managing scopes:

  • Scope names can contain up to 64 Unicode characters. Scope names cannot include: backslash, forward slash, semicolon, colon, pound sign, comma, asterisk, question mark, equal sign, left or right arrow, pipe, left or right bracket, left or right parenthesis, quotation marks, and apostrophe.
  • Scope descriptions can contain up to 256 Unicode characters.
  • When you copy or edit a scope, keep in mind that removing objects from the scope can make those objects inaccessible to an administrator. If the edited scope is paired with one or more roles, ensure that your scope updates do not make any role/scope pair unusable.

To create a scope:

  1. Sign in to Citrix Cloud if you haven’t already. Select My Services > Virtual Apps and Desktops in the upper left menu. Select the Manage tab.
  2. Click Configuration > Administrators in the Studio navigation pane and then click the Scopes tab.
  3. Click Create Scope in the Actions pane. Enter a name and description. The objects are listed by type, such as Delivery Group and Machine Catalog.

    • To include all objects of a particular type (for example, all Delivery Groups), select the check box for the object type.

    • To include individual objects within a type, expand the type and then select the check boxes for the objects (for example, specific Delivery Groups).

  4. When done, click Save.

    Create Scope dialog box

After you create a scope in Studio, it appears in the Custom access list in the Citrix Cloud console, paired with its appropriate role. You can then assign it to an administrator.

For example, let’s say you create a scope in Studio named CAD, and select the machine catalogs that contain machines suitable for CAD applications. When you return to the Citrix Cloud console, the list of service-level custom access role/scope pairs now has new entries (the entries paired with the CAD scope):

  • Cloud Administrator,All
  • Delivery Group Administrator,All
  • Delivery Group Administrator,CAD
  • Help Desk Administrator,All
  • Host Administrator,All
  • Host Administrator,CAD
  • Machine Catalog Administrator,All
  • Machine Catalog Administrator,CAD
  • Read Only,All
  • Read Only,CAD

The Cloud Administrator and Help Desk Administrator always have the All scope, so the CAD scope does not apply to them.

Manage scopes

After you create a scope, you can copy, edit, or delete it from Studio.

Click Configuration > Administrators in the Studio navigation pane, and then click the Scopes tab.

  • Copy a scope: Select the scope in the middle pane and then click Copy Scope in the Actions pane. Enter a name and description. Change the object types and objects, as needed.
  • Edit a scope: Select the scope in the middle pane and then click Edit Scope in the Actions pane. Change the name, description, object types, and objects, as needed.
  • Delete a scope: Select the scope in the middle pane and then click Delete Scope in the Actions pane. When prompted, confirm the deletion. You cannot delete a scope if it is assigned to a role. If you attempt to do this, an error message indicates that you do not have permission. In fact, the error occurs because the role/scope pair that uses this scope is assigned to an administrator. You must first remove the role/scope pair assignment for all administrators who use it. Then you can delete the scope in Studio.
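The scope rules given under “Rules for creating and managing scopes” and the delete and edit constraints described just above can be checked before you touch a scope in Studio, which avoids the misleading “no permission” error and the silent loss of access that an edit can cause. The following is an added illustration, not Citrix code or any Citrix API: the forbidden-character list and the 64/256 character limits are taken from the article, while the scope memberships and administrator assignments are constructed for the example.

```python
"""Pre-checks for creating, editing and deleting scopes, as described above.

Added illustration, not Citrix code. Limits and forbidden characters are from
the article; the scope contents and administrator assignments are constructed.
"""

# Characters the article lists as not allowed in a scope name.
FORBIDDEN_NAME_CHARS = set('\\/;:#,*?=<>|[]()"\'')
MAX_NAME_LEN = 64       # Unicode characters
MAX_DESC_LEN = 256      # Unicode characters
ALL = "All"


def validate_scope_name(name):
    """Return None if the name is acceptable, otherwise the reason it is rejected."""
    if not name:
        return "scope name is empty"
    if len(name) > MAX_NAME_LEN:
        return f"scope name exceeds {MAX_NAME_LEN} characters"
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if bad:
        return "scope name contains forbidden characters: " + " ".join(bad)
    return None


def validate_scope_description(description):
    """Return None if the description is acceptable, otherwise the reason."""
    if len(description) > MAX_DESC_LEN:
        return f"scope description exceeds {MAX_DESC_LEN} characters"
    return None


def assignments_blocking_delete(scope, admins):
    """Administrators whose role/scope pairs still use this scope.

    A scope cannot be deleted while any administrator holds a pair that uses it;
    those assignments must be removed in the Citrix Cloud console first.
    """
    return sorted(signin for signin, pairs in admins.items()
                  if any(s == scope for _, s in pairs))


def objects_losing_access(scope, new_members, scopes, admins):
    """Objects each affected administrator would no longer be able to reach
    if `scope` were edited down to `new_members`.

    An object stays reachable only if another scope the administrator holds
    (All, or a scope that also contains the object) still covers it.
    """
    removed = scopes[scope] - set(new_members)
    losses = {}
    for signin, pairs in admins.items():
        if not any(s == scope for _, s in pairs):
            continue
        other_scopes = [s for _, s in pairs if s != scope]
        lost = {obj for obj in removed
                if not any(s == ALL or obj in scopes.get(s, set()) for s in other_scopes)}
        if lost:
            losses[signin] = lost
    return losses


# Constructed sample data: scope -> objects it contains, and admin -> role/scope pairs.
SCOPES = {
    "CAD":    {"CAD-Catalog-1", "CAD-Catalog-2"},
    "London": {"CAD-Catalog-2", "London-DG"},
}
ADMINS = {
    "alice@example.com": [("Machine Catalog Administrator", "CAD")],
    "bob@example.com":   [("Machine Catalog Administrator", "CAD"),
                          ("Read Only Administrator", "London")],
    "carol@example.com": [("Help Desk Administrator", ALL)],
}

if __name__ == "__main__":
    print(validate_scope_name("Sales/EMEA"))
    print("blocking delete of CAD:", assignments_blocking_delete("CAD", ADMINS))
    print("edit CAD to one catalog:", objects_losing_access("CAD", {"CAD-Catalog-1"}, SCOPES, ADMINS))
```

In the constructed data, shrinking the CAD scope to a single catalog would cut alice off from CAD-Catalog-2, while bob keeps it through the London scope; the delete check reports both of them as reasons the CAD scope cannot yet be removed.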

Configure custom access for an administrator

By default, when you invite administrators, they have Full access.

Remember: Full access allows the administrator to manage all subscribed services plus customer administrator Citrix Cloud operations (such as inviting additional administrators). A Citrix Cloud deployment needs at least one administrator with Full access.

To configure custom access for an administrator:

  1. Sign in to Citrix Cloud if you haven’t already. Select Identity and Access Management > Administrators in the upper left menu.
  2. Locate the administrator you want to manage, click the ellipsis menu, and select Edit access.
  3. Select Custom access. To configure service-specific custom access, under Virtual Apps and Desktops, select or clear the check marks next to one or more role and scope pairs in the Custom access list.

    If you have not created any scopes in Studio and assigned them to a role, every role in the Custom access list has the All scope. For example, the role/scope entry Delivery Group Administrator, All indicates that role has the All scope.

    If you have created a scope in Studio, it appears in the custom access list for the service and can be selected. For example, if you created a scope named Catalog1, the Custom access list includes a Machine Catalog Administrator, Catalog1 entry, in addition to the default Machine Catalog Administrator,All entry.

  4. If the administrator you’re editing already has custom access and you want to give that administrator full access, select Full access.
  5. When you’re done, click Save.

The following screenshot shows the full access and the custom access built-in administrator roles.

Custom access display

Differences from on-premises Citrix Virtual Apps and Desktops

If you’re familiar with Delegated Administration in the on-premises Citrix Virtual Apps and Desktops version, the service version has several differences.

In Citrix Cloud:

  • Administrators are identified by their Citrix Cloud login, rather than their Active Directory account. You can create role/scope pairs for Active Directory individuals, but not groups.
  • Administrators are created, configured, and deleted in the Citrix Cloud console, rather than Studio.
  • Role/scope pairs are assigned to administrators in the Citrix Cloud console, rather than Studio.
  • Custom roles are not available. (Do not confuse “custom access” with the ability to create custom roles in the on-premises version.)
  • Reports are not available. You can view administrator, role, and scope information in Studio.
  • The custom access Cloud Administrator is similar to a Full Administrator in the on-premises version. Both have full management and monitoring permissions for the Citrix Virtual Apps and Desktops version being used. However, in the service, there is no named Full Administrator role. Do not equate “Full access” in Citrix Cloud with the “Full administrator” in on-premises Citrix Virtual Apps and Desktops. Full access in Citrix Cloud spans the platform-level domains, library, notifications, and resource locations, plus all of the subscribed services.

Differences from earlier service releases

Before the release of the expanded custom access functionality in the service (September 2018), there were two custom access administrator roles: Full Administrator and Help Desk Administrator. When your deployment has Delegated Administration enabled (which is a platform-level setting), those roles are mapped automatically.

  • An administrator who was formerly configured as a custom access Virtual Apps and Desktops (or XenApp and XenDesktop) Service: Full Administrator is now a custom access Cloud Administrator.
  • An administrator who was formerly configured as a custom access Virtual Apps and Desktops (or XenApp and XenDesktop) Service: Help Desk Administrator is now a custom access Help Desk Administrator.