Delegated administration
Delegated administration is a tool that lets users who are not Trustelem administrators administer selected Trustelem groups only.
This new kind of administrator can do the following on the administered groups:
- Create / Add / Delete / Remove / Edit a user in the administered group
- Reset factors of administered users
- Assign new groups to administered users
To enable this tool, you need to send an email to your WALLIX sales contact.
This tool can easily be customized: change the logo or the background, remove a feature, and so on.
How to set up the Delegated administration
Once the tool is enabled, a new app named "Delegated administration" appears on Trustelem. You can change its name and logo.
The first setup step is to give the selected users access to this app using the Trustelem Access rules tab.
As usual, you can give individual rights to each delegated administrator, but it is better to create a group for all of them and add a single permission.
Then go to the Trustelem profile of each delegated administrator and add one attribute per group:
- name: groupManager
- kind: string
- value: group name
Instead of a group name, you can also use a regular expression to select several groups.
For instance, the value regexp:.* selects all existing groups.
Still in the value field, you can append ;max:X to limit to X the number of users in the group managed by this delegated administrator.
Finally, in the same field, you can append assignableGroups:group1,group2,groupN to let the delegated administrator add other groups to the users.
The first example lets the administrator manage the Trustelem group named TMA-Bastion with no additional features.
The second example lets the administrator manage all Trustelem groups, with a maximum of 3 users in each of them.
In the screenshot, "editableGroups" appears instead of "assignableGroups" because the option was renamed; the image will be updated. The correct value is "assignableGroups".
The third example lets the administrator manage the Trustelem group named Supplier1, with a maximum of 5 users in it and the possibility to add the groups rdp and ssh to those 5 users.
Use case 1
One group on Trustelem is dedicated to one Supplier and gives all the requested access to applications.
This group is named Supplier1.
To handle license abuses, this group is limited to 10 users.
In this case the attribute groupManager should have the value: Supplier1;max:10
Use case 2
One group on Trustelem gives access to Google for users coming from Supplier2 and Supplier3.
This group is named Google.
Another group on Trustelem gives access to SalesForce to users coming from Supplier2 and Supplier3.
This group is named SalesForce.
There are two other groups: one named Supplier2, containing the users coming from Supplier2, and one named Supplier3, containing the users coming from Supplier3.
To handle license abuses, each of the two suppliers is limited to 10 users.
In this case the attribute groupManager should have the value:
- Supplier2;assignableGroups:Google,SalesForce;max:10 for the delegated administrators of Supplier2
- Supplier3;assignableGroups:Google,SalesForce;max:10 for the delegated administrators of Supplier3
Note: in this example, the "Add user to the group" and "Remove user from the group" buttons have been removed.
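The groupManager value syntax described above (a group name or regexp:..., plus the optional ;max:X and assignableGroups:... options) and the two use cases, as an added example that is not part of Trustelem or of this page: a small Python parser that reads one attribute value and checks whether a delegated administrator may add one more user to a given group. It assumes the options after the group selector may appear in any order (both orders appear in the examples above) and that a regexp selector must match the whole group name; the names GroupManagerRule and parse_group_manager are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GroupManagerRule:
    """One parsed groupManager attribute value (structure assumed for this example)."""
    selector: str                      # literal group name, or a pattern when is_regexp is True
    is_regexp: bool = False
    max_users: Optional[int] = None    # from ";max:X"; None means no limit
    assignable_groups: list = field(default_factory=list)  # from ";assignableGroups:a,b"

    def manages(self, group: str) -> bool:
        # Assumption: a regexp selector must match the whole group name.
        if self.is_regexp:
            return re.fullmatch(self.selector, group) is not None
        return group == self.selector

    def can_add_user(self, group: str, current_size: int) -> bool:
        """True if this rule lets the delegated admin add one more user to `group`."""
        if not self.manages(group):
            return False
        return self.max_users is None or current_size < self.max_users


def parse_group_manager(value: str) -> GroupManagerRule:
    """Parse e.g. 'Supplier1;max:10;assignableGroups:rdp,ssh' into a rule."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty groupManager value")
    head = parts[0]
    if head.startswith("regexp:"):
        rule = GroupManagerRule(selector=head[len("regexp:"):], is_regexp=True)
        re.compile(rule.selector)  # fail early on an invalid pattern
    else:
        rule = GroupManagerRule(selector=head)
    for opt in parts[1:]:  # options may come in any order
        key, sep, val = opt.partition(":")
        if key == "max" and sep:
            rule.max_users = int(val)
            if rule.max_users < 1:
                raise ValueError("max must be a positive integer")
        elif key == "assignableGroups" and sep:
            rule.assignable_groups = [g.strip() for g in val.split(",") if g.strip()]
        else:
            raise ValueError(f"unknown option {opt!r}")
    return rule
```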
How to use the Delegated administration
Once the delegated administrator is authenticated to the application, they can create a new user using the Create user button.
- If the email address is a real one, they can click Send email at the end of the creation.
- If the email address is not a real one, they can copy the text and send its content manually.
Notes:
- After clicking on the link, the user will have to define a password. They will then be redirected to their Trustelem login page.
- It is possible to redirect the users directly to one single application after the password definition. To do that, you need to create a WALLIX support request with your Trustelem tenant name and the application name.
- It is also possible to see the authentication type (1 factor, 2 factors) if your delegated admin tool is dedicated to one app (for Access Manager or SaRA for instance). To do that, you also need to create a WALLIX support request with your Trustelem tenant name and the application name.
Then the delegated administrator can use the different buttons to:
- Add an existing user to the administered group
- Remove a user from the group
- Delete a group user
- Edit a group user
- Reset factors of a group user
- Add new groups to a user