The Delegated Administration model offers the flexibility to match how your organization wants to delegate administration activities, using role and object-based control. Delegated Administration accommodates deployments of all sizes, and allows you to configure more permission granularity as your deployment grows in complexity. Delegated Administration uses three concepts: administrators, roles, and scopes.
Administrators: An administrator represents an individual person or a group of people identified by their Active Directory account. Each administrator is associated with one or more role and scope pairs.
Roles: A role represents a job function, and has defined permissions associated with it. For example, the Delivery Group Administrator role has permissions such as ‘Create Delivery Group’ and ‘Remove Desktop from Delivery Group.’ An administrator can have multiple roles for a Site, so a person can be a Delivery Group Administrator and a Machine Catalog Administrator. Roles can be built-in or custom.
The built-in roles are:
| Role | Permissions |
| --- | --- |
| Full Administrator | Can perform all tasks and operations. A Full Administrator is always combined with the All scope. |
| Read Only Administrator | Can see all objects in specified scopes in addition to global information, but cannot change anything. For example, a Read Only Administrator with Scope=London can see all global objects (such as Configuration Logging) and any London-scoped objects (for example, London Delivery Groups). However, that administrator cannot see objects in the New York scope (assuming that the London and New York scopes do not overlap). |
| Help Desk Administrator | Can view Delivery Groups, and manage the sessions and machines associated with those groups. Can see the Machine Catalog and host information for the Delivery Groups being monitored. Can also perform session management and machine power management operations for the machines in those Delivery Groups. |
| Machine Catalog Administrator | Can create and manage Machine Catalogs and provision the machines into them. Can build Machine Catalogs from the virtualization infrastructure, Provisioning Services, and physical machines. This role can manage base images and install software, but cannot assign applications or desktops to users. |
| Delivery Group Administrator | Can deliver applications, desktops, and machines; can also manage the associated sessions. Can also manage application and desktop configurations such as policies and power management settings. |
| Host Administrator | Can manage host connections and their associated resource settings. Cannot deliver machines, applications, or desktops to users. |
In certain product editions, you can create custom roles to match the requirements of your organization, and delegate permissions with more detail. You can use custom roles to allocate permissions at the granularity of an action or task in a console.
Scopes: A scope represents a collection of objects. Scopes are used to group objects in a way that is relevant to your organization (for example, the set of Delivery Groups used by the Sales team). Objects can be in more than one scope; you can think of objects being labeled with one or more scopes. There is one built-in scope: ‘All,’ which contains all objects. The Full Administrator role is always paired with the All scope.
Company XYZ decided to manage applications and desktops based on their department (Accounts, Sales, and Warehouse) and their desktop operating system (Windows 7 or Windows 8). The administrator created five scopes, then labeled each Delivery Group with two scopes: one for the department where they are used and one for the operating system they use.
The following administrators were created:
| Administrator | Roles | Scopes |
| --- | --- | --- |
| domain/fred | Full Administrator | All (the Full Administrator role always has the All scope) |
| domain/rob | Read Only Administrator | All |
| domain/heidi | Read Only Administrator, Help Desk Administrator | All, Sales |
| domain/warehouseadmin | Help Desk Administrator | Warehouse |
| domain/peter | Delivery Group Administrator, Machine Catalog Administrator | Win7 |
- Fred is a Full Administrator and can view, edit, and delete all objects in the system.
- Rob can view all objects in the Site but cannot edit or delete them.
- Heidi can view all objects and can perform help desk tasks on Delivery Groups in the Sales scope. This allows her to manage the sessions and machines associated with those groups; she cannot make changes to the Delivery Group, such as adding or removing machines.
- Anyone who is a member of the warehouseadmin Active Directory security group can view and perform help desk tasks on machines in the Warehouse scope.
- Peter is a Windows 7 specialist and can manage all Windows 7 Machine Catalogs and can deliver Windows 7 applications, desktops, and machines, regardless of which department scope they are in. The administrator considered making Peter a Full Administrator for the Win7 scope. However, she decided against this, because a Full Administrator also has full rights over all objects that are not scoped, such as ‘Site’ and ‘Administrator.’
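The following model, an added example rather than Citrix code, shows how the Company XYZ role/scope pairs above resolve to permissions over objects that carry more than one scope label. The permission names and the per-role permission sets are simplified assumptions, not the product's real permission list; the Delivery Group names are constructed.

```python
"""Added example, not Citrix code: a small model of how an administrator's
role/scope pairs resolve to permissions over scope-labelled objects, using
the Company XYZ administrators from this article. The permission names and
per-role permission sets are simplified assumptions, not the product's list."""
from dataclasses import dataclass

# Assumed representative permissions per built-in role ("*" means everything).
ROLE_PERMISSIONS = {
    "Full Administrator": {"*"},
    "Read Only Administrator": {"read"},
    "Help Desk Administrator": {"read", "manage_sessions", "power_machine"},
    "Machine Catalog Administrator": {"read", "create_catalog", "edit_catalog"},
    "Delivery Group Administrator": {"read", "edit_delivery_group", "manage_sessions"},
    "Host Administrator": {"read", "edit_host"},
}


@dataclass
class Administrator:
    name: str
    rights: list            # list of (role, scope) pairs
    enabled: bool = True


@dataclass(frozen=True)
class ScopedObject:
    name: str
    scopes: frozenset       # explicit scope labels; every object is also in "All"


# Constructed Delivery Groups, each labelled with a department scope and an
# operating system scope, as in the Company XYZ layout.
OBJECTS = [
    ScopedObject("DG-Sales-Win7", frozenset({"Sales", "Win7"})),
    ScopedObject("DG-Sales-Win8", frozenset({"Sales", "Win8"})),
    ScopedObject("DG-Warehouse-Win7", frozenset({"Warehouse", "Win7"})),
    ScopedObject("DG-Accounts-Win8", frozenset({"Accounts", "Win8"})),
]

# The administrators from the article's table.
ADMINS = {
    "fred": Administrator("domain/fred", [("Full Administrator", "All")]),
    "rob": Administrator("domain/rob", [("Read Only Administrator", "All")]),
    "heidi": Administrator("domain/heidi", [("Read Only Administrator", "All"),
                                            ("Help Desk Administrator", "Sales")]),
    "warehouseadmin": Administrator("domain/warehouseadmin",
                                    [("Help Desk Administrator", "Warehouse")]),
    "peter": Administrator("domain/peter", [("Delivery Group Administrator", "Win7"),
                                            ("Machine Catalog Administrator", "Win7")]),
}


def effective_permissions(admin, obj):
    """Union of the permissions of every role/scope pair whose scope contains obj.
    A disabled administrator has no permissions at all."""
    if not admin.enabled:
        return set()
    perms = set()
    for role, scope in admin.rights:
        if scope == "All" or scope in obj.scopes:
            perms |= ROLE_PERMISSIONS[role]
    return perms


def can(admin, permission, obj):
    perms = effective_permissions(admin, obj)
    return "*" in perms or permission in perms


def visible_objects(admin):
    """Objects the administrator can at least read, i.e. what Studio would show."""
    return sorted(o.name for o in OBJECTS if can(admin, "read", o))


def objects_with(admin, permission):
    """Objects on which the administrator holds the given permission."""
    return sorted(o.name for o in OBJECTS if can(admin, permission, o))


if __name__ == "__main__":
    for admin in ADMINS.values():
        print(f"{admin.name}: sees {visible_objects(admin)}, "
              f"can manage sessions on {objects_with(admin, 'manage_sessions')}")
```

Running the script shows the behaviour the bullet list describes: Heidi reads everything but manages sessions only on the Sales-labelled groups, the warehouseadmin group sees only the Warehouse group, and Peter reaches every Win7-labelled group regardless of its department label.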
How to use Delegated Administration
Generally, the number of administrators and the granularity of their permissions depends on the size and complexity of the deployment.
- In small or proof-of-concept deployments, one or a few administrators do everything. There is no delegation. In this case, create each administrator with the built-in Full Administrator role, which has the All scope.
- In larger deployments with more machines, applications, and desktops, more delegation is needed. Several administrators might have more specific functional responsibilities (roles). For example, two are Full Administrators, and others are Help Desk Administrators. Also, an administrator might manage only certain groups of objects (scopes), such as machine catalogs. In this case, create new scopes, plus administrators with one of the built-in roles and the appropriate scopes.
- Even larger deployments might require more (or more specific) scopes, plus different administrators with unconventional roles. In this case, edit or create more scopes, create custom roles, and create each administrator with a built-in or custom role, plus existing and new scopes.
For flexibility and ease of configuration, you can create scopes when you create an administrator. You can also specify scopes when creating or editing Machine Catalogs or connections.
Create and manage administrators
When you create a Site as a local administrator, your user account automatically becomes a Full Administrator with full permissions over all objects. After a Site is created, local administrators have no special privileges.
The Full Administrator role always has the All scope; you cannot change this.
By default, an administrator is enabled. Disabling an administrator might be necessary if you are creating the administrator now, but that person won't start administration duties until later. For existing enabled administrators, you might want to disable several of them while you are reorganizing your objects and scopes, then re-enable them when you are ready to go live with the updated configuration. You cannot disable a Full Administrator if doing so would leave no enabled Full Administrator. The enable/disable check box is available when you create, copy, or edit an administrator.
When you delete a role/scope pair while copying, editing, or deleting an administrator, it deletes only the relationship between the role and the scope for that administrator. It does not delete either the role or the scope. It also does not affect any other administrator who is configured with that role/scope pair.
To manage administrators, click Configuration > Administrators in the Studio navigation pane, and then click the Administrators tab in the upper middle pane.
- Create an administrator: Click Create new Administrator in the Actions pane. Type or browse to the user account name, select or create a scope, and select a role. The new administrator is enabled by default; you can change this.
- Copy an administrator: Select the administrator in the middle pane and then click Copy Administrator in the Actions pane. Type or browse to the user account name. You can select and then edit or delete any of the role/scope pairs, and add new ones. The new administrator is enabled by default; you can change this.
- Edit an administrator: Select the administrator in the middle pane and then click Edit Administrator in the Actions pane. You can edit or delete any of the role/scope pairs, and add new ones.
- Delete an administrator: Select the administrator in the middle pane and then click Delete Administrator in the Actions pane. You cannot delete a Full Administrator if it would result in there being no enabled Full Administrator.
Create and manage roles
When administrators create or edit a role, they can enable only the permissions that they themselves have. This prevents administrators from creating a role with more permissions than they currently have and then assigning it to themselves (or editing a role that they are already assigned).
Role names can contain up to 64 Unicode characters; they cannot contain: backslash, forward slash, semicolon, colon, pound sign, comma, asterisk, question mark, equal sign, left or right arrow, pipe, left or right bracket, left or right parenthesis, quotation marks, or apostrophe. Descriptions can contain up to 256 Unicode characters.
You cannot edit or delete a built-in role. You cannot delete a custom role if any administrator is using it.
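The following model, an added example rather than Citrix code, collects the guard rails described in this section and in the preceding one for a quick check of a planned change: role and scope name validation, the rule that the last enabled Full Administrator cannot be disabled or deleted, the rule that an administrator can only put permissions into a role that they themselves hold, the Full Administrator/All scope pairing, and the restrictions on deleting roles. Permission names and the simplified per-role permission sets are assumptions.

```python
"""Added example, not Citrix code: a model of the guard rails this article
describes for managing administrators and roles. Permission names and the
simplified per-role permission sets are assumptions."""
import re

MAX_NAME = 64
MAX_DESCRIPTION = 256
# Characters the article forbids in role and scope names.
FORBIDDEN = re.compile(r'[\\/;:#,*?=<>|\[\]()"\']')


class DelegatedAdminError(Exception):
    """Raised when an operation would violate one of the rules."""


def validate_name(name, description=""):
    """Return None when the name and description are acceptable, else the reason."""
    if not name or len(name) > MAX_NAME:
        return "name must be 1 to 64 characters"
    if FORBIDDEN.search(name):
        return "name contains a forbidden character"
    if len(description) > MAX_DESCRIPTION:
        return "description must be at most 256 characters"
    return None


class Site:
    def __init__(self):
        # Built-in roles with assumed, simplified permission sets ("*" = all).
        self.roles = {
            "Full Administrator": {"perms": {"*"}, "builtin": True},
            "Read Only Administrator": {"perms": {"read"}, "builtin": True},
            "Help Desk Administrator": {"perms": {"read", "manage_sessions"}, "builtin": True},
        }
        self.admins = {}  # name -> {"enabled": bool, "rights": [(role, scope), ...]}

    def add_administrator(self, name, role, scope, enabled=True):
        self.admins[name] = {"enabled": enabled, "rights": []}
        self.add_right(name, role, scope)

    def add_right(self, name, role, scope):
        # The Full Administrator role is always paired with the All scope.
        if role == "Full Administrator" and scope != "All":
            raise DelegatedAdminError("Full Administrator always has the All scope")
        self.admins[name]["rights"].append((role, scope))

    def permissions_of(self, name):
        perms = set()
        for role, _scope in self.admins[name]["rights"]:
            perms |= self.roles[role]["perms"]
        return perms

    def is_full_administrator(self, name):
        return any(r == "Full Administrator" for r, _ in self.admins[name]["rights"])

    def _other_enabled_full_admins(self, name):
        return [n for n, a in self.admins.items()
                if n != name and a["enabled"] and self.is_full_administrator(n)]

    def set_enabled(self, name, enabled):
        # You cannot disable the last enabled Full Administrator.
        if (not enabled and self.is_full_administrator(name)
                and not self._other_enabled_full_admins(name)):
            raise DelegatedAdminError("would leave no enabled Full Administrator")
        self.admins[name]["enabled"] = enabled

    def delete_administrator(self, name):
        # The same rule applies to deletion.
        if self.is_full_administrator(name) and not self._other_enabled_full_admins(name):
            raise DelegatedAdminError("would leave no enabled Full Administrator")
        del self.admins[name]

    def create_role(self, creator, name, perms, description=""):
        """A creator may only enable permissions they themselves hold."""
        reason = validate_name(name, description)
        if reason:
            raise DelegatedAdminError(reason)
        if name in self.roles:
            raise DelegatedAdminError("role already exists")
        held = self.permissions_of(creator)
        if "*" not in held and not set(perms) <= held:
            raise DelegatedAdminError("cannot grant permissions you do not hold")
        self.roles[name] = {"perms": set(perms), "builtin": False}

    def delete_role(self, name):
        # Built-in roles are never deleted; custom roles only when unassigned.
        if self.roles[name]["builtin"]:
            raise DelegatedAdminError("built-in roles cannot be deleted")
        if any(r == name for a in self.admins.values() for r, _ in a["rights"]):
            raise DelegatedAdminError("role is assigned to an administrator")
        del self.roles[name]


def rejects(action, *args):
    """True if the action raises DelegatedAdminError; useful for dry-run checks."""
    try:
        action(*args)
        return False
    except DelegatedAdminError:
        return True
```

A typical use is to replay a planned reorganisation (disable these administrators, add that role, delete this one) against a `Site` built from the current configuration and see which step the rules would reject before touching Studio.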
Only certain product editions support custom roles. Only editions that support custom roles have related entries in the Actions pane.
To manage roles, click Configuration > Administrators in the Studio navigation pane, and then click the Roles tab in the upper middle pane.
- View role details: Select the role in the middle pane. The lower portion of the middle pane lists the object types and associated permissions for the role. Click the Administrators tab in the lower pane to display a list of administrators who currently have this role.
- Create a custom role: Click Create new Role in the Actions pane. Enter a name and description. Select the object types and permissions.
- Copy a role: Select the role in the middle pane and then click Copy Role in the Actions pane. Change the name, description, object types, and permissions, as needed.
- Edit a custom role: Select the role in the middle pane and then click Edit Role in the Actions pane. Change the name, description, object types, and permissions, as needed.
- Delete a custom role: Select the role in the middle pane and then click Delete Role in the Actions pane. When prompted, confirm the deletion.
Create and manage scopes
When you create a Site, the only available scope is the ‘All’ scope, which cannot be deleted.
You can create scopes using the following procedure. You can also create scopes when you create an administrator; each administrator must be associated with at least one role and scope pair. When you are creating or editing desktops, machine catalogs, applications, or hosts, you can add them to an existing scope. If you do not add them to a scope, they remain part of the ‘All’ scope.
Site creation cannot be scoped, nor can Delegated Administration objects (scopes and roles). However, objects you cannot scope are included in the ‘All’ scope. (Full Administrators always have the All scope.) Machines, power actions, desktops, and sessions are not directly scoped. Administrators can be allocated permissions over these objects through the associated machine catalogs or Delivery Groups.
Scope names can contain up to 64 Unicode characters. Scope names cannot include: backslash, forward slash, semicolon, colon, pound sign, comma, asterisk, question mark, equal sign, left arrow, right arrow, pipe, left or right bracket, left or right parenthesis, quotation marks, or apostrophe. Descriptions can contain up to 256 Unicode characters.
When you copy or edit a scope, keep in mind that removing objects from the scope can make those objects inaccessible to the administrator. If the edited scope is paired with one or more roles, ensure that the scope updates do not make any role/scope pair unusable.
To manage scopes, click Configuration > Administrators in the Studio navigation pane, and then click the Scopes tab in the upper middle pane.
- Create a scope: Click Create new Scope in the Actions pane. Enter a name and description. To include all objects of a particular type (for example, Delivery Groups), select the object type. To include specific objects, expand the type and then select individual objects (for example, Delivery Groups used by the Sales team).
- Copy a scope: Select the scope in the middle pane and then click Copy Scope in the Actions pane. Enter a name and description. Change the object types and objects, as needed.
- Edit a scope: Select the scope in the middle pane and then click Edit Scope in the Actions pane. Change the name, description, object types, and objects, as needed.
- Delete a scope: Select the scope in the middle pane and then click Delete Scope in the Actions pane. When prompted, confirm the deletion.
You can create two types of Delegated Administration reports:
An HTML report that lists the role/scope pairs associated with an administrator, plus the individual permissions for each type of object (for example, Delivery Groups and Machine Catalogs). You generate this report from Studio.
To create this report, click Configuration > Administrators in the Studio navigation pane. Select an administrator in the middle pane and then click Create Report in the Actions pane.
You can also request this report when creating, copying, or editing an administrator.
An HTML or CSV report that maps all built-in and custom roles to permissions. You generate this report by running a PowerShell script named OutputPermissionMapping.ps1.
To run this script, you must be a Full Administrator, a Read Only Administrator, or a custom administrator with permission to read roles. The script is located in: Program Files\Citrix\DelegatedAdmin\SnapIn\Citrix.DelegatedAdmin.Admin.V1\Scripts.
OutputPermissionMapping.ps1 [-Help] [-Csv] [-Path string] [-AdminAddress string] [-Show] [CommonParameters]

| Parameter | Description |
| --- | --- |
| -Help | Displays script help. |
| -Csv | Specifies CSV output. Default = HTML |
| -Path | Where to write the output. Default = stdout |
| -AdminAddress | IP address or host name of the Delivery Controller to connect to. Default = localhost |
| -Show | (Valid only when the -Path parameter is also specified.) When you write the output to a file, -Show causes the output to be opened in an appropriate program, such as a web browser. |
| CommonParameters | Standard PowerShell common parameters, such as OutVariable. For details, see the Microsoft documentation. |
The following example writes an HTML table to a file named Roles.html and opens the table in a web browser.
& "$env:ProgramFiles\Citrix\DelegatedAdmin\SnapIn\Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1" -Path Roles.html -Show
The following example writes a CSV table to a file named Roles.csv. The table is not displayed.
& "$env:ProgramFiles\Citrix\DelegatedAdmin\SnapIn\Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1" -Csv -Path Roles.csv
From a Windows command prompt, the preceding example command is:
powershell -command "& '%ProgramFiles%\Citrix\DelegatedAdmin\SnapIn\Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1' -Csv -Path Roles.csv"