Delegated Administration Console allows an administrator of
Microsoft Provisioning System to delegate administration tasks
selectively by assigning different roles to user
accounts. Users of Delegated Administration Console are able to
access and use its features according to the role assigned to the
user account with which they log on. For example, user accounts
with an administrative role can access a range of administrative
features, while end user
accounts can access only their own account information.
A role is actually an Active Directory security group, which is
associated with a specific set of privileges. User accounts are
assigned a role by gaining membership in an appropriate security
group, and they are automatically granted the privileges associated
with that group.
A user account that has been assigned an administrative role has
the authority to assign roles that have a lower level of
authority.
Note
Delegated Administration Console handles roles and
organizations by using the Microsoft Windows 2000 Active
Directory service. Before creating organizations and assigning
roles, it is a good idea to become familiar with basic Active
Directory concepts. For more information, see Resources.
Delegated Administration Console supports three different kinds
of organizations:
Within each type of organization, you can assign roles to user
accounts that allow them to perform specific administrative tasks.
By default, Microsoft Provisioning System includes several roles.
You can assign these roles to user accounts, or you can create and
assign new roles to meet specific needs. The default roles are:
The domain administrator has the greatest scope of authority in
the Microsoft Provisioning System domain. This role is
automatically assigned to the domain administrator user account.
The domain administrator is responsible for performing the initial
configuration of Delegated Administration Console, registering
resources, and creating the user account that will perform the
service provider administrator role.
After the domain administrator, a user account with the service
provider administrator role has the greatest scope of authority in
the Microsoft Provisioning System domain. Its privileges include
creating and managing user accounts, groups, organizations, and
organizational units for reseller and customer organizations;
creating service plans; configuring Delegated Administration
Console; and managing server resources. The domain administrator
assigns this role to user accounts by giving them membership in the
admins@service_provider_domain group.
In turn, a service provider administrator can delegate authority
by assigning roles to other user accounts.
A user account with the service provider customer service representative (CSR) role can create
and manage user accounts, groups, organizations, and organizational
units for reseller and customer organizations within the hosting
organizational unit. (The hosting organizational unit is the Active
Directory container for reseller and customer organizations in the
Microsoft Provisioning System domain.) A user account with this
role has authority only over the reseller and customer organizations
beneath the hosting organizational unit, not over the hosting
organizational unit itself, and it has no authority to configure
plans and services, configure Delegated Administration Console, or
manage server resources. The domain administrator or service provider
administrator assigns this role to user accounts by making them
members of the csradmins@service_provider_domain group.
A user account with the reseller administrator role has authority within its
own reseller organizational unit. For the reseller organization, it can create and maintain user
accounts, groups, and organizational units, as well as configure
services. It can also create customer organizational units, user
accounts, groups, and organizational units, and can enable and
configure services for customer organizations. The domain
administrator or service provider administrator assigns this role
to user accounts by making them members of the
admins@reseller_domain group.
The reseller administrator role is useful for service providers
who provision and maintain large numbers of clients. It allows the
service provider administrator to share the workload for managing
reseller organizations with reseller administrators.
A user account with the reseller CSR role can create and manage
user accounts, groups, and organizational units, as well as manage
services, for any customer organizations contained within its own
reseller organizational unit. An administrator with greater
authority (domain administrator, service provider administrator, or
reseller administrator) assigns this role to user accounts by
making them members of the csradmins@reseller_domain
group.
A user account with the organization administrator role can create and manage
user accounts, groups, and organizational units for its own
customer organization. It can also configure most Web site and FTP
site options, and can manage Exchange mailboxes for its
organization. An administrator with greater authority (domain
administrator, service provider administrator, reseller
administrator, or reseller CSR) assigns this role to a user account
by making it a member of the
admins@customer_organization_domain group.
A user account with the organization CSR role can create and manage user
accounts within its own organization. An administrator with greater
authority (domain administrator, service provider administrator,
reseller administrator, reseller CSR, or organization
administrator) assigns this role to a user account by making it a
member of the csradmins@customer_organization_domain
group.
When they are created, all user accounts are automatically made
members of the allusers@domain group, and therefore have the
end user role. End user accounts can manage their own account
information. They can also search for other user accounts, groups,
and organizational units within their own organizations. User
accounts are granted a higher level of authority when they are
assigned an administrator or CSR role in addition to the end user
role. However, all user accounts must have the end user role
in order to access Delegated Administration Console.
How role priority numbers control the Delegated Administration
Console user interface
Delegated Administration Console uses role priority numbers
(RPNs) to control what information is displayed to each user
account, based on its assigned role. RPNs ensure that user accounts
are able to view only those features that they have privileges to
use. The RPN governs only what the console renders; the privileges
themselves come from membership in the role's security group, as
described earlier.
Microsoft Provisioning System associates each role, described
previously, with an RPN. When you add a user account to a group,
the user account is assigned an RPN based on membership in this
group. Each user interface control in Delegated Administration
Console is configured with information about which RPNs are allowed
to view the control. Only user accounts that have the appropriate
RPN can view the control. Otherwise, the control is hidden from
view.
This works as follows: Each Active Server Pages (ASP) page in a
Web site has an associated XML file that contains information about
each control and tab on the Web page. Each control or tab has an
associated XML tag that contains a given RPN. As the page is
displayed, Delegated Administration Console's UI framework engine
parses the XML. For each tag, it then compares the minimum RPN for
the control set in the tag to the RPN of the logged-on user
account. If a user account's RPN is equal to or greater than the
minimum RPN for that control, the UI framework engine renders that
control. If a user account's RPN is lower than the minimum RPN for
a particular control, the UI framework skips to the next XML item.
For example, a reseller CSR with an RPN of 1,000 cannot view the
information that is displayed for a reseller administrator with the
higher RPN of 1,500.
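The RPN pass described above, worked through as an added example. This is Python written for this page, not Delegated Administration Console's own ASP code: it derives an account's RPN from its security group memberships (the page's role-is-a-security-group model), refuses access to an account that lacks the end user role, and then filters a page's controls the way the UI framework engine is described as doing. The XML layout, the sample domains and group names, the rule that an account holding several roles takes the highest RPN, and every RPN value other than the documented 1,000 (reseller CSR) and 1,500 (reseller administrator) are assumptions made for this example; the page gives neither the real per-page XML schema nor the full RPN table.

```python
"""Illustrative re-implementation of RPN-based control filtering.

Not Delegated Administration Console code. Only two RPN values are
documented (reseller CSR = 1000, reseller administrator = 1500); every
other number below is a placeholder chosen to preserve the documented
ordering of authority. Domains, group names and the XML layout are
constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed group-to-RPN table for one hypothetical hierarchy:
#   service provider domain  sp.example
#   reseller domain          reseller1.example
#   customer domain          customer1.example
GROUP_RPNS = {
    "allusers@sp.example": 0,             # end user role (assumed value)
    "csradmins@customer1.example": 100,   # organization CSR (assumed)
    "admins@customer1.example": 500,      # organization administrator (assumed)
    "csradmins@reseller1.example": 1000,  # reseller CSR (documented)
    "admins@reseller1.example": 1500,     # reseller administrator (documented)
    "csradmins@sp.example": 2000,         # service provider CSR (assumed)
    "admins@sp.example": 2500,            # service provider administrator (assumed)
}

# Every account must hold the end user role to use the console at all.
END_USER_GROUP = "allusers@sp.example"

# Constructed stand-in for the per-page XML file the documentation
# mentions; element and attribute names are this example's own.
PAGE_XML = """
<page name="ManageUsers.asp">
  <tab id="users" minRpn="0"/>
  <control id="ResetOwnPassword" minRpn="0"/>
  <control id="CreateUser" minRpn="100"/>
  <control id="ManageServices" minRpn="1000"/>
  <control id="CreateCustomerOrg" minRpn="1500"/>
  <control id="ConfigureConsole" minRpn="2500"/>
</page>
"""


def effective_rpn(groups):
    """Return the account's RPN, or None if it lacks the end user role.

    An account in several role groups is given the highest RPN among
    them (an assumption; the page does not say how roles combine).
    Unknown groups contribute nothing.
    """
    if END_USER_GROUP not in groups:
        return None
    return max(GROUP_RPNS.get(g, 0) for g in groups)


def visible_controls(page_xml, user_rpn):
    """Mirror the described UI framework pass over one page's XML.

    Each tab or control carries a minimum RPN; it is rendered only if
    the logged-on account's RPN is equal to or greater than that
    minimum, otherwise the engine skips to the next item.
    """
    root = ET.fromstring(page_xml.strip())
    shown = []
    for elem in root:
        if elem.tag not in ("tab", "control"):
            continue
        min_rpn = int(elem.get("minRpn", "0"))
        if user_rpn >= min_rpn:
            shown.append(elem.get("id"))
    return shown


def render_for(groups, page_xml=PAGE_XML):
    """Controls shown to an account with these group memberships,
    or None when the account cannot access the console at all."""
    rpn = effective_rpn(groups)
    if rpn is None:
        return None
    return visible_controls(page_xml, rpn)


if __name__ == "__main__":
    reseller_csr = {"allusers@sp.example", "csradmins@reseller1.example"}
    reseller_admin = {"allusers@sp.example", "admins@reseller1.example"}
    print("reseller CSR   :", render_for(reseller_csr))
    print("reseller admin :", render_for(reseller_admin))
    print("no end user    :", render_for({"admins@reseller1.example"}))
```

Running the block shows the page's own comparison: the reseller CSR (RPN 1,000) never sees the CreateCustomerOrg control that the reseller administrator (RPN 1,500) does, and an account that is not in the allusers group gets nothing rendered at all, regardless of any administrative group it belongs to. Because this filtering only decides what is drawn, any server-side action should still rely on the security group membership itself rather than on a control having been hidden.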
For specific procedures on assigning roles, see Assign roles.
RPN assignments
The following table lists the RPNs that are assigned to each
role.