May, 2013
Delegated Administration: Project Excalibur
Miho Hoshino, WW Support Readiness
© 2013 Citrix | Confidential – Do Not Distribute
Delegated administration in XenDesktop 5.x
• There are five types of built-in administrator:
ᵒ Full Administrator: has the full set of administration roles
ᵒ Machine Administrator: owns the catalogs
ᵒ Assignment Administrator: can assign desktops to users
ᵒ Read-only Administrator: can see all aspects of the XenDesktop site
ᵒ Help desk Administrator: can perform day-to-day monitoring and maintenance tasks
• No granular control over permissions
Delegated administration in Excalibur
• Provides an enterprise-class administration model and granular permission configuration
• Uses role and object-based control
Delegated administration in Excalibur
(Diagram: scopes, roles and administrators)
Roles: Full Administrator, Read Only Administrator, Help Desk Administrator, Machine Catalog Administrator, Delivery Group Administrator, Host Administrator, Custom
Scopes shown: All, Win7, Sales
Objects can be in more than one scope
Example administrator entries pair a role with a scope: Full Admin with All, Help Desk with Win7, and the Machine Catalog and Delivery Group roles with the Win7 and Sales scopes
An administrator is associated with one or more role and scope pairs
A role has defined permissions
How to create a new administrator
• Click Create Administrator
• Type the name of the administrator user account or browse to it
• Select a scope or create a new one
• Select a role or create a new one
• Click Finish to enable the new administrator
Creating a new scope
Creating a new role
Tips: Assigning multiple role and scope pairs
• Select and right-click an administrator
• Select Edit Administrator
• Click Add
• Select a scope and a role
Resultant set of permissions (RSOP)
RSOP report
Delegated administration component interactions
(Diagram: a DDC server hosting PowerShell, Desktop Studio and Director on one side and the Delegated Administration Service, other services and the Admin Config database on the other)
Call types shown: SDK WCF/SOAP call (cmdlet to service), inter-service call, SQL DB access
Cmdlets that change data ask the Delegated Administration Service if the user has the proper permission to perform the operation
Delegated Administration Service
• Provides the core storage of delegated administration configuration
• Inherits many of the standard service behaviours of a normal XenDesktop Service:
ᵒ Initial database creation
ᵒ Schema versioning and updates
ᵒ Service status and registration with the Configuration Service
ᵒ A PowerShell admin service
ᵒ A number of PowerShell cmdlets for managing service lifecycle and registration
ᵒ Support for an inter-service WCF interface
ᵒ Support for logging configuration changes
(Diagram: Desktop Studio, Director, Active Directory and the XenDesktop Services around the Delegated Administration Service)
Internal delegated administration objects
(Diagram: object model with cardinalities)
Objects shown: Right, Role, Permission, Operation, Scope, Administrator, User/Group Account, Known Permission, Known Operation, Scoped Object, Indirectly Scoped Object, Unscoped Object
Internal delegated administration objects: descriptions
• Administrator: represents an individual person or a group of people identified by their Active Directory account
• Role: represents a job function, and has defined permissions associated with it. Roles can be built-in or custom
• Scope: represents a collection of objects
• Right: rights determine what an administrator can do and where they can do it. They are expressed as a number of <role, scope> pairs associated with each administrator
• Permission: represents a unit of functionality that an administrator can perform
• Operation: operations are the indivisible unit of functionality
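The rights model described in the scope/role diagram and the object descriptions above (an administrator holds <role, scope> pairs, a role grants permissions, an object may sit in several scopes, and the RSOP is what a data-changing cmdlet checks) as an added example; this is a model written for this page, not Citrix code or SDK output, and the permission, scope and object names are constructed.

```python
from dataclasses import dataclass, field

ALL_SCOPE = "All"  # built-in scope that implicitly contains every object in the site

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # units of functionality the role grants

@dataclass
class Administrator:
    account: str  # Active Directory user or group account
    rights: list = field(default_factory=list)  # (Role, scope name) pairs

def objects_in_scope(scope_name, scopes, all_objects):
    """Objects a scope contains; the built-in 'All' scope covers every object."""
    if scope_name == ALL_SCOPE:
        return set(all_objects)
    return set(scopes.get(scope_name, ()))

def resultant_permissions(admin, obj, scopes, all_objects):
    """RSOP for one object: union of the permissions of every right whose scope
    contains the object. An object in several scopes collects rights from each."""
    rsop = set()
    for role, scope_name in admin.rights:
        if obj in objects_in_scope(scope_name, scopes, all_objects):
            rsop |= role.permissions
    return rsop

def check_access(admin, permission, obj, scopes, all_objects):
    """The question a data-changing cmdlet puts to the service before acting."""
    return permission in resultant_permissions(admin, obj, scopes, all_objects)

def rsop_report(admin, scopes, all_objects):
    """Per-object RSOP table for one administrator, like the RSOP report slide."""
    return {obj: sorted(resultant_permissions(admin, obj, scopes, all_objects))
            for obj in sorted(all_objects)}

# Constructed sample data; permission, scope and object names are illustrative only.
HELP_DESK = Role("Help Desk Administrator", frozenset({"Catalog_Read", "Machine_Restart"}))
CATALOG_ADMIN = Role("Machine Catalog Administrator",
                     frozenset({"Catalog_Read", "Catalog_Edit", "Machine_Restart"}))
FULL_ADMIN = Role("Full Administrator", CATALOG_ADMIN.permissions)  # every permission
OBJECTS = {"cat-win7-sales", "cat-win7-eng", "dg-sales"}
SCOPES = {"Win7": {"cat-win7-sales", "cat-win7-eng"},  # cat-win7-sales sits in both
          "Sales": {"cat-win7-sales", "dg-sales"}}     # scopes, as the deck allows
ALICE = Administrator("CORP\\alice", [(HELP_DESK, "Win7"), (CATALOG_ADMIN, "Sales")])
BOB = Administrator("CORP\\bob", [(FULL_ADMIN, ALL_SCOPE)])
```

Note that an object in two scopes gets the union of both rights, so widening a scope silently widens every right already attached to it.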
PowerShell cmdlets for delegated administration
• Scope/Role/Permission/PermissionGroup/Administrator/Right cmdlets
• Get-AdminRevision
• Get-AdminEffectiveRight
• Get-AdminEffectiveAdministrator
• Test-AdminAccess
• Import-AdminRoleConfiguration
• Get-AdminRoleConfiguration
Tracing delegated administration
Trace modules, XenDesktop 5.x and Excalibur:
• DelegatedAdminDAL
• DelegatedAdminFiltering
• DelegatedAdminLog
• DelegatedAdminLogging
• DelegatedAdminSnapIn
References
• http://edocssand.citrix.com/proddocs/topic/xendesktop-7/cds-manage-delegatedadmin.html