The Delegated Administration Service PowerShell snap-in enables both local
and remote administration of the Delegated Administration Service.
The Delegated Administration Service (or DAS for short) stores information
about Citrix administrators and the rights they have. Services in the
XenDesktop deployment use the DAS to determine whether a particular user
has the privilege to perform an operation or not.
The snap-in provides storage and configuration of these entities:

Each administrator object represents an individual person or a group
of people identified by their Active Directory account.
Administrators can be enabled and disabled.
A user's effective rights are the superset of all the rights they
hold through their Active Directory group membership.
Disabled administrator entries are ignored for this calculation.
Once a site is set up, there must always be a full administrator, and
the Delegated Administration snap-in rejects requests to remove or
disable the last full administrator.

A role represents a job function. That is, anyone with a given role
is expected to be able to use or perform the tasks, wizards, and
actions associated with that role. Administrators may have multiple
roles for a particular site.
Some roles are built-in, and some editions of the product allow custom
roles to be created with different combinations of permissions.

Scopes represent a collection of objects, and are used to group
objects for administrative purposes in a way that is relevant to the
organisation. They can be used to represent both hierarchical and
Objects can exist in multiple scopes at once. You may find it
easier to think of scopes as labels, or a non-exclusive grouping such as
All objects are implicitly in the built-in 'All' scope.
Some objects are not scoped, and access to them is through either the
'All' scope or indirectly through a scoped object. For example,
sessions are not directly scoped but can be accessed using the
scope of the desktop group.
The DAS stores information about scopes, but the mapping between
scopes and objects is stored and updated using the PowerShell
snap-ins of each corresponding service. For example, Delivery Group
scopes are managed using the Broker PowerShell snap-in.

Rights determine what an administrator can do and where they can do
it. They are expressed as a number of <role, scope> pairs associated
with each administrator.
To gain access to any particular object, a person must match an
administrator object that has an appropriate right that allows the
required operation in a scope that the object is a member of.

Each task, wizard or action in the Citrix Studio or Director consoles
represents a unit of functionality that an administrator can perform.
Permissions are expressed at a high level and generally correspond
directly to the labels in the consoles. For example: "Edit catalog",
or "Create delivery group".
Permissions are grouped into related functionality when displayed
by the console.

Operations are the indivisible unit of functionality that each
XenDesktop service can perform, and usually correspond to
individual cmdlets. Internally, each permission requires a number
of operations to be performed, possibly by different services.
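
The access decision described above (enabled administrator entries, <role, scope> rights, implicit 'All' scope, and the last-full-administrator guard), as a small Python model added here as an example; it is not Citrix code and does not use the snap-in's API. The role-to-permission table, the account names, the 'London' scope, and the definition of a full administrator as the "Full Administrator" role in the 'All' scope are assumptions.

```python
from dataclasses import dataclass, field

ALL_SCOPE = "All"                  # built-in scope every object is implicitly in
FULL_ROLE = "Full Administrator"   # assumed name for the full-administrator role
# Constructed role table; "Catalog Editor" is a hypothetical custom role.
ROLE_PERMISSIONS = {
    FULL_ROLE: {"Edit catalog", "Create delivery group"},
    "Catalog Editor": {"Edit catalog"},
}

@dataclass
class Administrator:
    account: str                                # AD user or group (constructed names)
    enabled: bool = True
    rights: set = field(default_factory=set)    # {(role, scope), ...}

def effective_rights(admins, user, groups):
    """Superset of rights from every enabled entry matching the user or a group."""
    identities = {user, *groups}
    rights = set()
    for admin in admins:
        if admin.enabled and admin.account in identities:
            rights |= admin.rights
    return rights

def has_access(admins, user, groups, permission, object_scopes):
    """True if a <role, scope> right allows the permission in one of the object's scopes."""
    scopes = set(object_scopes) | {ALL_SCOPE}
    return any(scope in scopes and permission in ROLE_PERMISSIONS.get(role, ())
               for role, scope in effective_rights(admins, user, groups))

def is_full(admin):
    return admin.enabled and (FULL_ROLE, ALL_SCOPE) in admin.rights

def disable(admins, account):
    """Disable an entry, refusing when no other enabled full administrator remains."""
    target = next(a for a in admins if a.account == account)
    if is_full(target) and not any(is_full(a) for a in admins if a is not target):
        raise ValueError("cannot disable the last full administrator")
    target.enabled = False

def sample_admins():
    """Constructed site: one full-admin group, one scoped group, one disabled user."""
    return [
        Administrator(r"CORP\SiteAdmins", rights={(FULL_ROLE, ALL_SCOPE)}),
        Administrator(r"CORP\HelpdeskLondon", rights={("Catalog Editor", "London")}),
        Administrator(r"CORP\alice", enabled=False, rights={(FULL_ROLE, ALL_SCOPE)}),
    ]
```

In the sample site, the disabled entry for CORP\alice contributes nothing, so her access comes only from her group's scoped right, which is the case worth checking when auditing who can actually administer a site.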