Delegated Administration
In computing, delegated administration or delegation of control describes the decentralization of role-based-access-control systems. Many enterprises use a centralized model of access control. For large organizations, this model scales poorly and IT teams become burdened with menial role-change requests. These requests, typically raised when hire, fire, and role-change events occur in an organization, can incur high latency or suffer from weak security practices. Such delegation involves assigning a person or group specific administrative permissions for an organizational unit (OU). In information management, this is used to create teams that can perform specific (limited) tasks for changing information within a user directory or database. The goal of delegation is to create groups with minimum permissions that grant the ability to carry out authorized tasks. Granting extraneous permissions would create abilities beyond the authorized scope of work. One best practice for enterprise role management entails the use of LDAP groups.

Delegated administration refers to a decentralized model of role or group management. In this model, the application or process owner creates, manages and delegates the management of roles. A centralized IT team simply operates the directory service, metadirectory, web interface for administration, and related components. Allowing the application or business process owner to create, manage and delegate groups supports a much more scalable approach to the administration of access rights. In a metadirectory environment, these roles or groups can also be "pushed" or synchronized to other platforms. For example, groups can be synchronized with native operating systems such as Microsoft Windows for use on an access control list (ACL) that protects a folder or file. With the metadirectory distributing groups, the central directory is the central repository of groups.

Some enterprise applications (e.g., PeopleSoft) support LDAP groups inherently. These applications are capable of using LDAP to call the directory for their authorization activities. Web-based group management tools used for delegated administration therefore provide the following capabilities using a directory as the group repository:

* Decentralized management of groups (roles) and access rights by business- or process-owners
* Categorizing or segmenting users by characteristic, not by enumeration
* Grouping users for e-mail, subscription, and access control
* Reducing work process around maintenance of groups
* Reproducing groups on multiple platforms and into disparate environments
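The second capability in that list, membership by characteristic rather than by enumeration, is what keeps a delegated group from drifting as people join and leave. The PowerShell below is an added example written for this page, not code from the article or from any product it names. It assumes the RSAT ActiveDirectory module is loaded and the caller holds rights on the group; the group name, search base and LDAP filter are placeholders, and the function name Sync-RuleBasedGroup is mine. Membership is computed from an attribute rule scoped to the owner's own subtree and then reconciled against what the directory currently holds.

```powershell
# Added example (not from the article): keep an AD/LDAP group's membership equal to a rule
# ("everyone in department X under OU Y") instead of a hand-maintained member list.
# Assumptions: RSAT ActiveDirectory module is available; all names below are placeholders.
Import-Module ActiveDirectory

function Sync-RuleBasedGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,    # e.g. 'Finance-Staff' (placeholder)
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'OU=Finance,DC=example,DC=com' (placeholder)
        [Parameter(Mandatory)][string]$LdapFilter    # attribute rule, see usage below
    )

    # Desired membership comes from the rule, limited to the delegate's own subtree so a
    # department owner cannot pull in accounts from elsewhere in the directory.
    $desired = @(Get-ADUser -LDAPFilter $LdapFilter -SearchBase $SearchBase |
                 ForEach-Object { $_.DistinguishedName })

    # Current membership is read back from the directory (direct user members only).
    $current = @(Get-ADGroupMember -Identity $GroupName |
                 Where-Object { $_.objectClass -eq 'user' } |
                 ForEach-Object { $_.distinguishedName })

    # Reconcile: anything the rule no longer selects is removed, so the group never
    # accumulates stale access after a transfer or termination.
    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($toAdd.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }

    # Return the change set so it can be logged or reviewed by the group owner.
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd; Removed = $toRemove }
}

# Usage (dry run first; the filter also excludes disabled accounts via the
# userAccountControl bitwise match on the ACCOUNTDISABLE flag):
# Sync-RuleBasedGroup -GroupName 'Finance-Staff' `
#     -SearchBase 'OU=Finance,DC=example,DC=com' `
#     -LdapFilter '(&(department=Finance)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
#     -WhatIf
```

Running with -WhatIf shows the adds and removes without writing to the directory; the returned object is what a group owner would review before the change is applied, and it doubles as an audit record of why each account gained or lost access.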


Active Directory

In Microsoft Active Directory (AD), delegation of administrative permissions is accomplished using the Delegation of Control Wizard. Types of permissions include managing and viewing user accounts, managing groups, managing group policy links, generating Resultant Set of Policy, and managing and viewing inetOrgPerson accounts. A use of Delegation of Control could be to give managers complete control of users in their own department. With this arrangement managers can create new users, groups, and computer objects, but only in their own OU.
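What the wizard actually writes is a set of access-control entries on the OU object. The script below is an added example written for this page, not code from the article or from Microsoft. It reproduces the "managers control their own OU" arrangement through the AD PowerShell module's AD: drive and then lists the explicit entries on the OU so the grant can be checked against the minimum-permission goal stated earlier. It assumes the RSAT ActiveDirectory module; the OU and group names are placeholders, and Grant-OuDelegation, Get-OuDelegation and Get-SchemaClassGuid are function names of my own.

```powershell
# Added example (not from the article): delegate creation and management of user, group and
# computer objects inside one OU to a group, then audit the explicit ACEs on that OU.
# Assumptions: RSAT ActiveDirectory module is available; OU and group names are placeholders.
Import-Module ActiveDirectory

# Resolve a schema class name to its schemaIDGUID so each ACE is limited to one object
# type rather than "all objects", which is what keeps the grant within scope.
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                          -Properties schemaIDGUID
    if (-not $class) { throw "Schema class '$LdapDisplayName' not found" }
    return [guid]$class.schemaIDGUID
}

function Grant-OuDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,  # e.g. 'OU=Sales,DC=example,DC=com' (placeholder)
        [Parameter(Mandatory)][string]$DelegateGroup,         # e.g. 'Sales-Managers' (placeholder)
        [string[]]$ObjectClasses = @('user', 'group', 'computer')
    )
    $sid  = (Get-ADGroup -Identity $DelegateGroup).SID
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path

    foreach ($cls in $ObjectClasses) {
        $clsGuid = Get-SchemaClassGuid -LdapDisplayName $cls

        # 1) Create and delete objects of this class in the OU and its sub-OUs.
        $create = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
            [System.Security.AccessControl.AccessControlType]::Allow,
            $clsGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

        # 2) Full control over existing objects of this class below the OU. The inheritance
        #    is Descendents only, so the ACE does not apply to the OU object itself.
        $manage = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $clsGuid)

        $acl.AddAccessRule($create)
        $acl.AddAccessRule($manage)
    }

    $what = "Delegate $($ObjectClasses -join ', ') management to $DelegateGroup"
    if ($PSCmdlet.ShouldProcess($OuDistinguishedName, $what)) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# List only the explicit (non-inherited) ACEs on an OU. Delegated rights accumulate here,
# so this is where a reviewer looks for grants that exceed the authorized scope of work.
function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}

# Usage (dry run first, then review):
# Grant-OuDelegation -OuDistinguishedName 'OU=Sales,DC=example,DC=com' -DelegateGroup 'Sales-Managers' -WhatIf
# Get-OuDelegation   -OuDistinguishedName 'OU=Sales,DC=example,DC=com' | Format-Table -AutoSize
```

Two design points follow from the article's least-privilege goal: every ACE is bound to a schema class GUID rather than applying to all object types, and the GenericAll entry is inherited by descendants only, so the delegate group cannot modify the OU's own security descriptor and widen its own grant. Get-OuDelegation reports ObjectType and InheritedObjectType as GUIDs; an entry with an empty GUID (all-zero) applies to every object class and is the first thing to question in a review.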


See also

* Access control
* Identity management
* User provisioning
* RBAC


Reading list


* Delegating Authority in Active Directory, TechNet Magazine
* WindowsSecurity.Com

