Overview of Delegated Administration

In the Axeda® Connected Product Management Applications environment you can extend the security model to include users and assets that are managed by separate organizations. You can do this through Partner Logins and through Delegated Administration. Delegated Administration consists of creating and managing separate, self-contained security units, called Delegated Admin Units, and associating them with asset groups. It also requires that you add an administrator user, called the Delegated Administrator.

A "Delegated Admin Unit" is an object that you can use to represent a client organization within the Axeda® Connected Product Management Applications Platform. When you want each of your client organizations to have their own delegated administrator, their own set of users and user groups, and their own assets and asset groups to monitor, you can create a Delegated Admin Unit. The users, user groups, assets, and asset groups of a Delegated Admin Unit are visible only to the users associated with the Delegated Admin Unit and to the Platform Administrator of the Axeda Applications Platform. Delegated Administration requires a separate, secondary LDAP directory service that you need to set up before installing the Axeda® Enterprise Server software. For details on configuring that directory service, refer to your Axeda® Enterprise Server Installation and Maintenance Guide.

When creating a Delegated Admin Unit (DA Unit) using the Axeda® Administration application, you enter a name and select an existing Asset Group that will be the "root" Asset Group for that Unit. You also create a Delegated Administrator by specifying a new user name and password. The DA Unit name is used to create a user group for that Unit in the directory service. The Delegated Administrator is created as a non-administrative user in that user group. Delegated Administrators have privileges to create users, user groups, and child DA Units in their respective DA Unit. Delegated Administrators can access the information and assets in their own DA Unit and also in any child DA Unit they created within their own DA Unit.

To view a diagram that illustrates a Axeda Applications Platform with a Delegated Administration hierarchy containing three tiers, click here.

In this example hierarchy, the Axeda® Connected Product Management Applications Administrator creates all DA Units in Tier 1. These DA Units have a subset of privileges assigned to them by the Applications Administrator. The assets that users in each DA Unit can access depend on the Asset Group selected to be the "root" Asset Group for that DA Unit.

The Delegated Administrators of DA_Unit_2 and DA_Unit_4 create the Child DA Units in their respective DA Units. These Child DA Units make up Tier 2. Their users have a subset of the privileges of their parent DA Unit, DA_Unit_2 and DA_Unit_4. These privileges are assigned to them by the Delegated Administrators of DA_Unit_2 and DA_Unit_4. The assets available to users of the Child DA Units depend on the asset group selected as their "root asset group."

Finally, the Delegated Administrator of Sub-DA_Unit_a creates the Sub-Child DA Units in Tier 3. The users in these Sub-Child DA Units have a subset of privileges of Sub-DA_Unit_a, assigned to them by the Delegated Administrator of Sub-DA_Unit_a. The assets available to users of the Sub-Child DA Units depend on the asset group selected as their "root asset group."

It is important to note that within each DA Unit, user group security works in the same way as it does if you were using the Platform without Delegated Administration. That is, user groups inherit the privileges of their parent user groups. For example, suppose you have three nested user groups, each associated with a different asset group. The users who are members of the lowest user group in the hierarchy have access to the assets of all three asset groups, simply because they are members of the user group at each level of the hierarchy. This inheritance behavior is a feature of LDAP directory services. Delegated Administration is added as a layer on top of the security currently provided by the Platform, giving customers who require it a way to create mini Axeda Applications environments within the same Platform.

For more details, click to expand the following titles; click a title again to hide the details.

Pre-requisites for Creating Delegated Admin Units

The following are the pre-requisites for creating Delegated Admin Units (DA Units):

During the installation of the Axeda® Platform software, the LDAP directory service for Delegated Administration was configured.
In the Delegated Administration directory service, the ServiceLinkUsers group has been created. Refer to the installation guide for the Axeda® Enterprise Server for details.
In addition to the privileges to view and edit DA Units, any non-administrator user (including the Delegated Administrator) who wants to create DA units must have privileges to view and edit users and to view and edit user groups. Otherwise, the Platform presents the Access Denied message when a non-administrator user tries to create a DA Unit.
An asset group that will serve as the "root asset group" for all other asset groups in the DA Unit has been created.

Creating DA Units and Assigning Privileges

The Platform Administrator first creates the "root" Asset Groups for the DA Units. Then the Platform Administrator creates DA Units, and their Delegated Administrators. In the background the Platform creates a user group, using the name of the DA Unit, and associates that user group with the selected asset group. When the Platform administrator assigns privileges to the DA Unit, those privileges are automatically assigned to the DA Unit user group. Privileges can be assigned to a DA Unit only through the Overview for Delegated Admin Unit: (name) page, not through the User Group Overview page.

Once the DA Unit exists, the Delegated Administrator can log in to the Platform and add the users and user groups for his or her organization. Once logged in, the Delegated Administrator can add users and user groups to his/her own DA Unit, but cannot see the users and user groups of any other DA Unit or of the main system. The Delegated Administrator has a subset of the privileges of the Platform Administrator and from this subset can assign privileges to the user groups of that DA Unit. The Delegated Administrator can also create child DA Units. Note that the Delegated Administrator can see the users, user groups, and asset groups of any child DA Unit within his/her own DA Unit.

Supported Objects for Delegated Administration

What Can Users in a Delegated Admin Unit See and Do?

What any Axeda Applications user, including those who belong to a Delegated Admin Unit, can see is determined by the user group to which that user is assigned. Every user group has a set of privileges that determine what components of the Axeda Applications they can view and use. In addition, every user group has at least one asset group associated with it that determines which assets the users in the user group can view and service. The only exception to this security structure is the Platform Administrator.

The Platform Administrator can create, view, edit, and delete all Delegated Admin Units and their associated asset groups, assets, and other information. The Platform Administrator has privileges to all of the Platform Applications' pages and their tools and must take care to assign a subset of privileges to each Delegated Admin Unit. These privileges are then available for assignment to the user groups within the Delegated Admin Unit. A user who is a member of a DA Unit can see and use those pages and tools of the Platform applications that his or her user group has privileges to see and use. This user has access to the assets that are associated with any asset group associated with his or her user group.

For more information about object security when Delegated Administration is enabled, refer to Security for Objects in Delegated Administration Units.