Delegated administration
In computing, delegated administration or delegation of control describes the
Such delegation involves assigning a person or group specific administrative permissions for an
One best practice for enterprise role management entails the use of LDAP groups. Delegated administration refers to a decentralized model of role or group management. In this model, the application or process owner creates, manages and delegates the management of roles. A centralized IT team simply operates the directory service, the metadirectory, the web interface for administration, and related components.
Allowing the application or business process owner to create, manage and delegate groups supports a much more scalable approach to the administration of access rights.
In a
Some enterprise applications (e.g., PeopleSoft) support LDAP groups inherently. These applications are capable of using LDAP to call the directory for their authorization activities.
Web-based group management tools — used for delegated administration — therefore provide the following capabilities using a directory as the group repository:
- Decentralized management of groups (roles) and access rights by business- or process-owners
- Categorizing or segmenting users by characteristic, not by enumeration
- Grouping users for e-mail, subscription, and access control
- Reducing work process around maintenance of groups
- Reproducing groups on multiple platforms and into disparate environments
Active Directory
In
A use of Delegation of Control could be to give managers complete control of users in their own department. With this arrangement managers can create new users, groups, and computer objects, but only in their own OU.
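To check that a delegation like the one described above stays confined to the department OU, the OU's access control list can be reviewed. The following PowerShell is an added example, not part of the original article; the OU name is a constructed placeholder and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example: list the explicit (non-inherited) Allow ACEs on one OU and
# flag grants wider than "manage user, group and computer objects in this OU".
# Assumption: the OU DN below is a constructed placeholder.
Import-Module ActiveDirectory

$ouDn = 'OU=Sales,DC=example,DC=com'   # hypothetical department OU

# Well-known schemaIDGUIDs of the object classes named in the text.
$classNames = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    '00000000-0000-0000-0000-000000000000' = '(all classes)'
}

function Resolve-ClassName([guid]$Guid) {
    $key = $Guid.ToString()
    if ($classNames.ContainsKey($key)) { $classNames[$key] } else { $key }
}

# Rights that let a trustee rewrite the delegation itself.
$adr  = [System.DirectoryServices.ActiveDirectoryRights]
$mask = [int]$adr::WriteDacl -bor [int]$adr::WriteOwner

$report = (Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $childClass = Resolve-ClassName $_.InheritedObjectType
        [pscustomobject]@{
            Trustee     = $_.IdentityReference.Value
            Rights      = $_.ActiveDirectoryRights
            ObjectType  = Resolve-ClassName $_.ObjectType          # class created/deleted, or attribute
            ChildClass  = $childClass                              # class of descendants the ACE applies to
            Inheritance = $_.InheritanceType
            # Too broad: may change permissions or ownership and is not
            # limited to one class of child object.
            TooBroad    = (([int]$_.ActiveDirectoryRights -band $mask) -ne 0) -and
                          ($childClass -eq '(all classes)')
        }
    }

$report | Sort-Object Trustee | Format-Table -AutoSize

# Entries to review first: trustees who could re-delegate or take over the OU.
$report | Where-Object TooBroad | Select-Object Trustee, Rights, Inheritance
```

An OU delegated as the text describes should show the managers' group with create/delete child rights for the user, group and computer classes, and no rows in the second table for that group.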
See also
- Access control
- Identity management
- User provisioning
- RBAC
Reading list
- Delegating Authority in Active Directory, TechNet Magazine
- Built-in Groups vs. Delegation, WindowsSecurity.Com