Role-based delegation
Overview
Cayosoft Administrator has a granular set of roles that grant day-to-day administrators, help desk staff, or self-service users the ability to perform tasks that their jobs require. The Web Administrator’s Roles control what Queries and Actions are visible to a user when they sign in to the Web Portal. Other roles control what users can see and do in the Cayosoft Administrator console.
NOTE: Self-Service user and group management in Active Directory supports hybrid sign-in to the Web Portal: the user authenticates with Azure AD, but for the access check the Administrator Service uses both the Azure AD and the Active Directory permissions configured for that user.
- To create a delegation rule, in the Cayosoft Administrator Console navigate to Home > Configuration > Roles.
- Select the role that you need to grant:
- Global Administrators - trustees have access to all Cayosoft configuration options and administrative features for all platforms. Global Administrators are the administrators who can assign other admin roles or see the Configuration node in the Cayosoft Administrator Console. You can have more than one Global Administrator in your organization. The person who installs the product automatically becomes a Global Administrator.
- Administrators - trustees have access to all Web Queries and Actions in the Web Portal and can create and configure all automation rules in the Cayosoft Administrator Console. You can have more than one Administrator in your organization.
- Platform Administrators - trustees have access to Web Queries and Actions in the Web Portal and can create and configure automation rules in the Cayosoft Administrator Console only for the platforms specified in a delegation rule. You can have more than one Platform Administrator in your organization.
- Dynamic Group Administrators - trustees have access only to the Dynamic Groups node in the Cayosoft Administrator Console. You can create a delegation rule to give some user or group access to create/manage dynamic groups through the Cayosoft Administrator Console.
- Web Administrators - trustees don't have access to Cayosoft Administrator Console. You can configure delegation rules and define which Web Queries and Actions the delegated administrator will have permission to.
Video Tutorial
In this video guide, you will learn why you need role-based delegation, with examples of how to create a new Virtual Admin Unit, delegate roles for it, and configure Self-Service so that all users can use it.
Delegation Rules
A delegation rule is added or removed from a Role to assign permissions over things that need to be managed from within Cayosoft Administrator. A delegation rule is made up of two parts, one or more Trustees (people who get permissions) and a scope that defines the permissions (what a trustee can see and do within the tool).
Trustee
Trustees are the users or groups that are assigned a specific role. Trustees are typically Active Directory Users or Groups, but in some situations, Trustees may be from Azure AD/Office 365. To assign Azure/Office 365 Users or Groups as Trustees you must configure the web portal to use Azure AD Authentication.
What do roles control?
- Access to the Rules and Groups nodes in the Cayosoft Administrator Console
- Creation and modification of Runbooks and Rules in the Rules Section
- Creation and modification of Dynamic Groups
- Access to the Configuration node in the Cayosoft Administrator Console
- Create, modify and assign Roles
- Configure the Web Portal
- Install or Update Extensions
- Modify Platform settings
- Update Licensing
- View Execution History
- Access to the Web Portal
- What web queries a user can see
- What selection dialog boxes a user can see
- What commands the user can execute
- The attributes that are hidden from the user
- The attributes that are read-only for the user
What are Global Administrators?
Global Administrators have immediate access to all Administrative Units and their content. To limit access for a specific group of administrators, perform a delegation within the role that controls access to the specific features those administrators require.
A user becomes a Global Administrator if one of the following conditions is met:
- A user is a local admin on the machine where Cayosoft Administrator is installed.
NOTE: If you want to exclude local administrators from the Global Admins list in Cayosoft, you can select the Exclude local machine administrators checkbox and then Save changes.
- A user who installed Cayosoft Administrator.
- A user is in the list of Global Administrators: HOME > CONFIGURATION > Roles > Global Administrators.
Signing in to Administrator Console
Users who can sign in and use the Cayosoft Administrator Console:
- Global Administrators.
- Delegated Administrators - users who are assigned the roles described above.
- Delegated administrators can be AD users and Azure AD users. Delegation works through security groups as well.
- Azure AD users are prompted for MFA during sign-in if they have it enabled.
- You should configure delegation for Azure AD users if only the Microsoft 365 extension is enabled. If both the AD extension and the Microsoft 365 extension are enabled, you can also use Azure AD delegation.
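The sections above describe a delegation rule as trustees plus a scope, and list the three conditions that make someone a Global Administrator. The following added example (illustrative code, not Cayosoft's own; all class and field names are assumptions) models how such rules resolve to effective permissions, including group-based trustees, the "Exclude local machine administrators" option and the fact that a Global Administrator bypasses scopes entirely. The sample rule mirrors the Help Desk Admins rule built later on this page.

```python
"""Constructed model of role-based delegation evaluation.

Not Cayosoft's code: the dataclasses, field names and sample rule are
assumptions used only to illustrate how trustees, scopes and the Global
Administrator conditions combine into an effective permission set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    admin_unit: str        # e.g. "Active Directory" virtual admin unit
    queries: frozenset     # web queries the trustee may see
    actions: frozenset     # actions the trustee may run on those queries


@dataclass(frozen=True)
class DelegationRule:
    name: str
    trustees: frozenset    # user or group names (delegation works via groups)
    scopes: tuple


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()
    local_admin: bool = False        # local admin on the Cayosoft host
    installed_product: bool = False  # the installing account

    def identities(self):
        return {self.name} | set(self.groups)


@dataclass(frozen=True)
class RoleConfig:
    global_admins: frozenset = frozenset()
    exclude_local_admins: bool = False   # the checkbox described on the page
    web_admin_rules: tuple = ()


def is_global_admin(p, cfg):
    """The three Global Administrator conditions listed on the page."""
    if p.installed_product:
        return True
    if p.local_admin and not cfg.exclude_local_admins:
        return True
    return bool(p.identities() & cfg.global_admins)


def effective_permissions(p, cfg, all_units):
    """Return {admin_unit: {query: set(actions)}} for the principal.

    Global Administrators get everything; everyone else gets the union of
    the scopes of every rule in which they (or one of their groups) are a
    trustee. A wildcard "*" marks unrestricted access.
    """
    if is_global_admin(p, cfg):
        return {u: {"*": {"*"}} for u in all_units}
    perms = {}
    ids = p.identities()
    for rule in cfg.web_admin_rules:
        if not (ids & rule.trustees):
            continue
        for s in rule.scopes:
            unit = perms.setdefault(s.admin_unit, {})
            for q in s.queries:
                unit.setdefault(q, set()).update(s.actions)
    return perms


def can_run(p, cfg, all_units, unit, query, action):
    """Access check a portal would perform before executing an action."""
    unit_perms = effective_permissions(p, cfg, all_units).get(unit, {})
    if "*" in unit_perms:
        return True
    return action in unit_perms.get(query, set())


# Constructed sample configuration modelled on the Help Desk rule on this page
HELP_DESK_RULE = DelegationRule(
    "Help Desk Admins",
    frozenset({"HelpDesk-Group"}),
    (Scope("Active Directory", frozenset({"AD Users"}),
           frozenset({"Clone User", "Compare Membership", "New User",
                      "Reset Password", "Suspend User"})),),
)
CONFIG = RoleConfig(global_admins=frozenset({"alice"}),
                    web_admin_rules=(HELP_DESK_RULE,))
UNITS = ("Active Directory", "Self-Service")

if __name__ == "__main__":
    bob = Principal("bob", frozenset({"HelpDesk-Group"}))
    print(effective_permissions(bob, CONFIG, UNITS))
```

The model makes the page's testing advice concrete: a test account that is also a Global Administrator would pass every check regardless of the delegation rule, so it proves nothing about the rule.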
Delegating the Web Administrators role
What does Web Administrator control?
- What web queries a user can see
- What selection dialog boxes a user can see
- What commands the user can execute
What do Attribute Policies Control?
- When the attributes need to be a required entry
- When the attributes need to be hidden from the user
- When the attributes need to be read-only for the user
- When the attribute needs to be a drop-down list of values
- When the attribute needs to have a default value set
- When a specific entry format must be enforced (ex. Phone numbers)
- When the attribute has a minimum or maximum length
- When the descriptive label next to the attribute needs to be changed
When to use Attribute Policies in combination with a Web Administrator role
- When the attributes need to be a required entry.
- When the attributes need to be hidden from the user.
- When the attributes need to be read-only for the user.
- When the attribute needs to be a drop-down list of values.
- When the attribute needs to have a default value set.
- When a specific entry format must be enforced (ex. Phone numbers).
- When the attribute has a minimum or maximum length.
- When the descriptive label next to the attribute needs to be changed.
- Setting default values for attributes: see Attribute policies.
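The two lists above enumerate what an Attribute Policy can enforce on a form field: required, hidden, read-only, drop-down values, defaults, entry format, length limits and labels. The following added example (constructed for illustration; it is not Cayosoft's code, and the AttributePolicy fields and the sample user-form policies are assumptions) shows the same controls applied twice: once when rendering the form, and again when validating the submitted update, because a hidden or read-only field that is only enforced in the browser can still be changed by a tampered request.

```python
"""Constructed model of attribute-policy enforcement on a web form.

Not Cayosoft's code: the AttributePolicy dataclass, its field names and
the sample policies below are assumptions chosen to mirror the controls
listed on this page.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AttributePolicy:
    name: str
    label: Optional[str] = None         # descriptive label shown next to the field
    required: bool = False
    hidden: bool = False
    read_only: bool = False
    allowed_values: Optional[tuple] = None  # drop-down list of values
    default: Optional[str] = None
    pattern: Optional[str] = None       # regex enforcing an entry format
    min_length: Optional[int] = None
    max_length: Optional[int] = None


def render_form(policies, current):
    """Fields the user sees: hidden ones are dropped, defaults pre-filled."""
    form = {}
    for p in policies:
        if p.hidden:
            continue
        form[p.name] = {
            "label": p.label or p.name,
            "value": current.get(p.name, p.default),
            "read_only": p.read_only,
        }
    return form


def validate_submission(policies, current, submitted):
    """Apply the policies server-side; return (new_values, errors).

    Hidden and read-only attributes are never taken from the client; an
    attempt to change them is reported rather than silently applied.
    """
    errors = []
    result = dict(current)
    for p in policies:
        if p.hidden or p.read_only:
            if p.name in submitted and submitted[p.name] != current.get(p.name):
                errors.append(f"{p.name}: not editable")
            continue
        value = submitted.get(p.name, current.get(p.name, p.default))
        if p.required and not value:
            errors.append(f"{p.name}: required")
            continue
        if value is None:
            continue
        if p.allowed_values is not None and value not in p.allowed_values:
            errors.append(f"{p.name}: must be one of {sorted(p.allowed_values)}")
        if p.pattern and not re.fullmatch(p.pattern, value):
            errors.append(f"{p.name}: invalid format")
        if p.min_length is not None and len(value) < p.min_length:
            errors.append(f"{p.name}: too short")
        if p.max_length is not None and len(value) > p.max_length:
            errors.append(f"{p.name}: too long")
        result[p.name] = value
    return result, errors


# Constructed sample policies for a User Properties form (assumed attribute names)
USER_FORM_POLICIES = (
    AttributePolicy("department", required=True, allowed_values=("IT", "HR", "Finance")),
    AttributePolicy("telephoneNumber", label="Phone", pattern=r"\+\d{1,3}-\d{3}-\d{4}"),
    AttributePolicy("employeeID", read_only=True),
    AttributePolicy("extensionAttribute1", hidden=True),
    AttributePolicy("company", default="Example Corp", max_length=32),
    AttributePolicy("description", min_length=3),
)

if __name__ == "__main__":
    stored = {"employeeID": "E100", "department": "IT"}
    print(render_form(USER_FORM_POLICIES, stored))
    print(validate_submission(USER_FORM_POLICIES, stored,
                              {"telephoneNumber": "+1-555-0100", "department": "HR"}))
```

`render_form` is the user-facing half (what the read-only setup procedure below achieves for every control on the form); `validate_submission` is the half that matters for security, since it rejects a submission that tries to alter a read-only attribute such as employeeID.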
Setup a role with read-only access to a form
These are step-by-step instructions on how to make all controls read-only on the User Properties form using an Attribute Policy. The same steps can be applied to other forms: just change the policy scope to use another web query and actions in step 7.
NOTE: First, you should create a role with necessary trustee permissions in HOME > CONFIGURATION > Roles > Web Administrators. For additional information about the Web Administrator role, refer to the Delegating the Web Administrators Role section.
- Open the Cayosoft Administrator Console.
- Navigate to Web Portal.
- Click Attribute Policies.
- Click the Add Attribute Policy button in the upper right corner.
- Enter the name of the new policy.
- Expand the Policy Details of the new policy.
- If you need the policy to apply to everyone who uses the Web Portal, leave the Policies applied to everyone radio button selected. Otherwise, select Policies applied only to specific Trustees, click the Add button, and select the required users or groups.
- Click Add Scope at the bottom right of the Policy Scope section.
- In the Specify Policy Scope dialog, do the following:
- Select the Active Directory admin unit in the first column (you can select any other AD unit if needed).
- Select the AD Users Web Query in the second column (you can select additional web queries if needed like, AD User Templates, AD Users (Inactive), etc).
- Select Properties in the third column.
- Click OK.
- Click the scope you just added to select it. The attribute policy setting list is populated with the attributes available on the selected form(s).
- Select the Enable multi-selection checkbox.
- Click on the top checkbox to select all attributes.
- Click the Edit Policy button.
- Select the first checkbox for the Is Read-only option to enforce the read-only setting to ON or OFF.
- Select the second checkbox for the Is Read-only option to set it to ON for all selected attributes.
- Click OK to close the dialog.
- Click Save Changes.
Create a delegation rule for Help Desk staff
- Navigate to the Active Directory Virtual Admin Unit.
- Go to the Delegation tab.
- Click Add Delegation Rule.
- In the name field, enter the name for the new delegation rule Help Desk Admins.
- In the Trustee section, click Add.
- Browse and select a group that will have the Help Desk Admins delegation.
- Click OK.
- Click Save Changes at the bottom right to complete the delegation.
- Below the Trustee Permissions section, click Add Scope.
- Check the Web Queries that Help Desk Admins trustees should be able to see.
- Check the following actions that will be performed by the Help Desk Admins group:
- Clone User
- Compare Membership
- New User
- Reset Password
- Suspend User
- Click OK.
- Click Save Changes.
NOTE: The account you use to log on to the web portal for testing the Help Desk role must be a trustee of the Help Desk Admins delegation and should not be a Global Administrator.
Show only Office 365 Users in the Select Objects dialog for Membership web action
If you want to hide some object types from the search results in the Select Objects dialog, you can do this with the Web Administrator role. For example, in this scenario the Groups and Office 365 Guests object types will not appear in the search results of the Membership web action when a delegated admin tries to add new members.
- Navigate to Home > Configuration > Web Portal > Virtual Admin Units > Self-Service virtual admin unit.
- Click the Delegation tab.
- Click Add Delegation Rule to create a new delegation rule, or select the existing one you want to edit. If you create a new delegation rule, select the trustees to whom you want to delegate the role and add the scope [Self-Service] | [My Office 365 DLs] | [Membership].
- Expand the Object Pickers section.
- Select the Disabled checkbox near pickers Groups and Office 365 Guests to hide them.
- Click Save Changes at the bottom right to complete the delegation.
NOTE: If you disable all pickers available for the Select Objects dialog, the form shows the message: The selection dialog box you attempted to open was not enabled by your administrator.
Change History
| Version | Notes |
|---|---|
| 7.3.0 | Dynamic Group Administrators role is added. |