Understanding roles and privileges

Delegated Administration Console allows an administrator of Microsoft Provisioning System to delegate administration tasks selectively by assigning different roles to user accounts. Users of Delegated Administration Console are able to access and use its features according to the role assigned to the user account with which they log on. For example, user accounts with an administrative role can access a range of administrative features, while end user accounts can access only their own account information.

A role is actually an Active Directory security group, which is associated with a specific set of privileges. User accounts are assigned a role by gaining membership in an appropriate security group, and they are automatically granted the privileges associated with that group.

A user account that has been assigned an administrative role has the authority to assign roles that have a lower level of authority.


Delegated Administration Console supports three different kinds of organizations:

Within each type of organization, you can assign roles to user accounts that allow them to perform specific administrative tasks. By default, Microsoft Provisioning System includes several roles. You can assign these roles to user accounts, or you can create and assign new roles to meet specific needs. The default roles are:

How role priority numbers control the Delegated Administration Console user interface

Delegated Administration Console uses role priority numbers (RPNs) to control what information is displayed to each user account, based on its assigned role. RPNs ensure that user accounts are able to view only those features that they have privileges to use.

Microsoft Provisioning System associates each role, described previously, with an RPN. When you add a user account to a group, the user account is assigned an RPN based on membership in this group. Each user interface control in Delegated Administration Console is configured with information about which RPNs are allowed to view the control. Only user accounts that have the appropriate RPN can view the control. Otherwise, the control is hidden from view.

This works as follows: Each Active Server Pages (ASP) page in a Web site has an associated XML file that contains information about each control and tab on the Web page. Each control or tab has an associated XML tag that contains a given RPN. As the page is displayed, Delegated Administration Console's UI framework engine parses the XML. For each tag, it then compares the minimum RPN for the control set in the tag to the RPN of the logged-on user account. If a user account's RPN is equal to or greater than the minimum RPN for that control, the UI framework engine renders that control. If a user account's RPN is lower than the minimum RPN for a particular control, the UI framework skips to the next XML item. For example, a reseller CSR with an RPN of 1,000 cannot view the information that is displayed for a reseller administrator with the higher RPN of 1,500.

For specific procedures on assigning roles, see Assign roles.

RPN assignments

The following table lists the RPNs that are assigned to each role.

RPN Role
6,000 Domain administrator
5,000 Service provider administrator
2,000 Service provider customer service representative
1,500 Reseller administrator
1,000 Reseller customer service representative
500 Organization administrator
100 Organization customer service representative (organization CSR)
0 End user