Delegated Administration Console allows an administrator of Microsoft Provisioning System to delegate administration tasks selectively by assigning different roles to user accounts. Users of Delegated Administration Console are able to access and use its features according to the role assigned to the user account with which they log on. For example, user accounts with an administrative role can access a range of administrative features, while end user accounts can access only their own account information.
A role is actually an Active Directory security group, which is associated with a specific set of privileges. User accounts are assigned a role by gaining membership in an appropriate security group, and they are automatically granted the privileges associated with that group.
A user account that has been assigned an administrative role has the authority to assign roles that have a lower level of authority.
Delegated Administration Console supports three different kinds of organizations:
Within each type of organization, you can assign roles to user accounts that allow them to perform specific administrative tasks. By default, Microsoft Provisioning System includes several roles. You can assign these roles to user accounts, or you can create and assign new roles to meet specific needs. The default roles are:
The domain administrator has the greatest scope of authority in the Microsoft Provisioning System domain. This role is automatically assigned to the domain administrator user account. The domain administrator is responsible for performing the initial configuration of Delegated Administration Console, registering resources, and creating the user account that will perform the service provider administrator role.
After the domain administrator, a user account with the service provider administrator role has the greatest scope of authority in the Microsoft Provisioning System domain. Its privileges include creating and managing user accounts, groups, organizations, and organizational units for reseller and customer organizations; creating service plans; configuring Delegated Administration Console; and managing server resources. The domain administrator assigns this role to user accounts by giving them membership in the admins@service_provider_domain group.
In turn, a service provider administrator can delegate authority by assigning roles to other user accounts.
A user account with the service provider customer service representative (CSR) role can create and manage user accounts, groups, organizations, and organizational units for reseller and customer organizations within the hosting organizational unit. (The hosting organizational unit is the Active Directory container for reseller and customer organizations in the Microsoft Provisioning System domain.) A user account with this role has no authority within the hosting organizational unit itself, nor does it have authority to configure plans and services, configure Delegated Administration Console, or manage server resources. The domain administrator or service provider administrator assigns this role to user accounts by making them members of the csradmins@service_provider_domain group.
A user account with the reseller administrator role has authority within its own reseller organizational unit. For the reseller organization, it can create and maintain user accounts, groups, and organizational units, as well as configure services. It can also create customer organizational units, user accounts, groups, and organizational units, and can enable and configure services for customer organizations. The domain administrator or service provider administrator assigns this role to user accounts by making them members of the admins@reseller_domain group.
The reseller administrator role is useful for service providers who provision and maintain large numbers of clients. It allows the service provider administrator to share the workload for managing reseller organizations with reseller administrators.
A user account with the reseller CSR role can create and manage user accounts, groups, and organizational units, as well as manage services, for any customer organizations contained within its own reseller organizational unit. An administrator with greater authority (domain administrator, service provider administrator, or reseller administrator) assigns this role to user accounts by making them members of the csradmins@reseller_domain group.
A user account with the organization administrator role can create and manage user accounts, groups, and organizational units for its own customer organization. It can also configure most Web site and FTP site options, and can manage Exchange mailboxes for its organization. An administrator with greater authority (domain administrator, service provider administrator, reseller administrator, or reseller CSR) assigns this role to a user account by making it a member of the admins@customer_organization_domain group.
A user account with the organization CSR role can create and manage user accounts within its own organization. An administrator with greater authority (domain administrator, service provider administrator, reseller administrator, reseller CSR, or organization administrator) assigns this role to a user account by making it a member of the csradmins@customer_organization_domain group.
When they are created, all user accounts are automatically made members of the allusers@domain group, and therefore have the end user role. End user accounts can manage their own account information. They can also search for other user accounts, groups, and organizational units within their own organizations. User accounts are granted a higher level of authority when they are assigned an administrator or CSR role in addition to the end user role. However, all user accounts must have the end user role in order to access Delegated Administration Console.
Delegated Administration Console uses role priority numbers (RPNs) to control what information is displayed to each user account, based on its assigned role. RPNs ensure that user accounts are able to view only those features that they have privileges to use.
Microsoft Provisioning System associates each of the roles described previously with an RPN. When you add a user account to a group, the user account is assigned the RPN that corresponds to that group. Each user interface control in Delegated Administration Console is configured with information about which RPNs are allowed to view the control. Only user accounts that have the appropriate RPN can view the control; otherwise, the control is hidden from view.
This works as follows: Each Active Server Pages (ASP) page in a Web site has an associated XML file that contains information about each control and tab on the Web page. Each control or tab has an associated XML tag that contains a given RPN. As the page is displayed, Delegated Administration Console's UI framework engine parses the XML. For each tag, it then compares the minimum RPN for the control set in the tag to the RPN of the logged-on user account. If a user account's RPN is equal to or greater than the minimum RPN for that control, the UI framework engine renders that control. If a user account's RPN is lower than the minimum RPN for a particular control, the UI framework skips to the next XML item. For example, a reseller CSR with an RPN of 1,000 cannot view the information that is displayed for a reseller administrator with the higher RPN of 1,500.
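The following is an added illustration of the comparison described above, not code from Delegated Administration Console itself. The XML element and attribute names (`control`, `minRPN`), the group-to-RPN lookup table, and the rule that an account holding several roles takes the highest RPN are assumptions made for the example; the RPN values themselves are the ones this page states.

```python
"""RPN-gated rendering of page controls, modelled on the page's description."""
import xml.etree.ElementTree as ET

# Group -> RPN mapping built from the values stated on this page.
# Roles whose RPN the page does not give are deliberately omitted.
GROUP_RPN = {
    "admins@service_provider_domain": 5000,
    "csradmins@service_provider_domain": 2000,
    "admins@reseller_domain": 1500,   # value from the page's worked example
    "csradmins@reseller_domain": 1000,
    "csradmins@customer_organization_domain": 100,
}

# Constructed sample of the per-page XML that describes each control
# and the minimum RPN required to see it (element/attribute names assumed).
PAGE_XML = """<page>
  <control id="ManageServerResources" minRPN="5000"/>
  <control id="CreateCustomerOrganization" minRPN="1500"/>
  <control id="ManageCustomerUsers" minRPN="1000"/>
  <control id="SearchUsers" minRPN="100"/>
</page>"""


def effective_rpn(groups):
    """RPN of a logged-on account from its group memberships.

    Assumption: an account in several role groups (every account is also in
    allusers@domain) is treated with the highest RPN among them. Groups not in
    the table contribute 0.
    """
    return max((GROUP_RPN.get(g, 0) for g in groups), default=0)


def visible_controls(page_xml, user_rpn):
    """Return the ids of controls the UI framework would render for user_rpn.

    A control is rendered only when the account's RPN is equal to or greater
    than the control's minimum RPN; otherwise the parser skips to the next
    XML item. This gates display only; the underlying privileges still come
    from Active Directory group membership, not from the RPN check.
    """
    root = ET.fromstring(page_xml)
    shown = []
    for ctrl in root.iter("control"):
        min_rpn = int(ctrl.get("minRPN", "0"))
        if user_rpn >= min_rpn:
            shown.append(ctrl.get("id"))
    return shown
```

Running `visible_controls(PAGE_XML, effective_rpn(["allusers@domain", "csradmins@reseller_domain"]))` reproduces the page's example: the reseller CSR (RPN 1,000) does not see the control reserved for a reseller administrator (RPN 1,500).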
For specific procedures on assigning roles, see Assign roles.
The following table lists the RPNs that are assigned to each role.
| RPN | Role |
|---|---|
| 5,000 | Service provider administrator |
| 2,000 | Service provider customer service representative |
| 1,000 | Reseller customer service representative |
| 100 | Organization customer service representative (organization CSR) |