Sun Java System Delegated Administrator 6.4 Administration Guide

Scenarios for Provisioning Users

Depending on your business needs, you can create a simple directory structure managed by a single administrator or a multi-tiered directory hierarchy in which provisioning and management tasks are delegated to lower-level administrators.

This section summarizes three scenarios of increasing complexity. It then describes the administrator roles and directory structures Delegated Administrator provides to support the requirements of these scenarios.

One-Tiered Hierarchy

In this scenario, a company or organization might support hundreds or thousands of employees or users. All users are grouped in a single organization. A single administrator role views and manages the entire group. There is no delegation of administrative tasks.

Figure 1–1 shows an example of the administrator role in a single-organization, one-tiered hierarchy.

Figure 1–1 Administrator Role in a One-Tiered Hierarchy


In this one-tiered hierarchy, the administrator is called the Top-Level Administrator (TLA).

In the example shown in Figure 1–1, the TLA directly manages and provisions the users (User1, User2, up to Usern).

If you have one organization in your directory, the TLA is the only administrator you need.

For more information, see the following sections:

Two-Tiered Hierarchy

In this scenario, a large company such as an Internet Service Provider (ISP) provides services to businesses. Each business has its own unique domain, which may contain thousands or tens of thousands of users.

Instead of relying on a single Top-Level Administrator (TLA) to manage and provision all the domains, this scenario supports the delegation of tasks to lower-level administrators.

In a two-tiered hierarchy, the directory contains multiple organizations. A separate organization is created for each hosted domain.

Each organization is assigned to an Organization Administrator (OA). The OA is responsible for the users in that organization. An OA cannot view or modify directory information outside the OA’s own organization.

Figure 1–2 shows an example of the administrator roles in a two-tiered hierarchy.

Figure 1–2 Administrator Roles in a Two-Tiered Hierarchy


In the example shown in Figure 1–2, the TLA creates and manages OA1, OA2, up to OAn. Each OA manages the users in one organization.

If you need multiple organizations in your directory, you should create the TLA and OAs to administer the organizations and their users.

For more information, see the following sections:

Three-Tiered Hierarchy

In this scenario, a company such as an ISP offers services to hundreds or thousands of small businesses, each of which requires its own organization.

The ISP may support millions of end-users requiring mail services. Moreover, the ISP may work with third-party resellers who manage the end-user businesses.

Each day, dozens of new organizations might have to be added to the directory.

In a two-tiered hierarchy, the TLA would have to create all these new organizations.

In a three-tiered hierarchy, management tasks are delegated to a second level of administrators. This second level of delegation can ease the management of a large customer base supported by a large LDAP directory.

To support this hierarchy, Delegated Administrator introduces a new role, the Service Provider Administrator (SPA).

The SPA’s scope of authority lies between that of the Top-Level Administrator (TLA) and the Organization Administrator (OA).

Figure 1–3 shows an example of the administrator roles in a three-tiered hierarchy.

Figure 1–3 Administrator Roles in a Three-Tiered Hierarchy


In a three-tiered hierarchy, the TLA delegates administrative authority to Service Provider Administrators (SPAs). The SPAs can create subordinate organizations for new customers and assign Organization Administrators (OAs) to manage users in those organizations.

If you need multiple organizations that are themselves divided into subgroups or organizations, you can use a three-tiered hierarchy that implements the TLA, SPA, and OA roles.
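The scoping rules stated above for the OA (cannot view or modify anything outside its own organization) and the SPA (creates and administers organizations beneath its own service-provider organization) are what makes the delegation safe: each role's authority is bounded by a subtree of the directory. The following Python model is an added illustration of that containment check, not code from Delegated Administrator itself. The root suffix `o=isp.example`, the organization and user DNs, the operation names and the assumption that an OA does not create organizations are all constructed for the example.

```python
"""Scope check for delegated-administrator roles (added illustration, not
Delegated Administrator's own code). All DNs below are constructed examples."""
from dataclasses import dataclass

# Constructed root suffix of the hosted directory (an assumption, not from the guide).
ROOT_DN = "o=isp.example"


@dataclass(frozen=True)
class Admin:
    name: str
    role: str      # "TLA", "SPA" or "OA", as described in the guide
    scope_dn: str  # organization the role is anchored at (unused for TLA)


def rdns(dn: str) -> tuple:
    """Split a DN into normalized RDNs, leaf first.

    Simplification: real DN parsing must honour escaped commas and
    multi-valued RDNs (RFC 4514); this only trims whitespace and folds case.
    """
    return tuple(part.strip().lower() for part in dn.split(","))


def is_within(entry_dn: str, org_dn: str) -> bool:
    """True if entry_dn is org_dn itself or lies anywhere beneath it.

    Comparing RDN tuples rather than raw strings means that 'o=acme2,...'
    is never mistaken for a child of 'o=acme,...'.
    """
    entry, org = rdns(entry_dn), rdns(org_dn)
    return len(entry) >= len(org) and entry[-len(org):] == org


# Operations an administrator may request (names are constructed).
MANAGE_USER = "manage_user"   # create/modify/delete a user entry
CREATE_ORG = "create_org"     # create a subordinate organization
ASSIGN_OA = "assign_oa"       # make someone OA of an organization


def may(admin: Admin, operation: str, target_dn: str) -> bool:
    """Decide whether admin may perform operation on target_dn.

    Rules follow the guide's description of the roles:
      TLA  - whole directory, any operation.
      SPA  - any operation, but only within its own service-provider
             organization and the organizations beneath it.
      OA   - user management only, and only inside its own organization
             (assumption: an OA does not create organizations).
    """
    if admin.role == "TLA":
        return is_within(target_dn, ROOT_DN)
    if admin.role == "SPA":
        return is_within(target_dn, admin.scope_dn)
    if admin.role == "OA":
        return operation == MANAGE_USER and is_within(target_dn, admin.scope_dn)
    return False  # unknown roles get nothing (fail closed)


# Constructed three-tiered hierarchy for the demonstration.
TLA = Admin("tla", "TLA", ROOT_DN)
SPA1 = Admin("spa1", "SPA", "o=reseller1," + ROOT_DN)
OA_ACME = Admin("oa-acme", "OA", "o=acme,o=reseller1," + ROOT_DN)

USER_ACME = "uid=user1,ou=people,o=acme,o=reseller1," + ROOT_DN
USER_BRAVO = "uid=user2,ou=people,o=bravo,o=reseller1," + ROOT_DN
USER_OTHER_SPA = "uid=user3,ou=people,o=delta,o=reseller2," + ROOT_DN
NEW_ORG = "o=newcustomer,o=reseller1," + ROOT_DN


def decision_table() -> dict:
    """Evaluate a fixed set of requests; used by the demo and for checking."""
    requests = {
        "oa manages own user": (OA_ACME, MANAGE_USER, USER_ACME),
        "oa manages sibling org user": (OA_ACME, MANAGE_USER, USER_BRAVO),
        "oa creates org": (OA_ACME, CREATE_ORG, NEW_ORG),
        "spa creates org": (SPA1, CREATE_ORG, NEW_ORG),
        "spa assigns oa": (SPA1, ASSIGN_OA, "o=bravo,o=reseller1," + ROOT_DN),
        "spa reaches other spa": (SPA1, MANAGE_USER, USER_OTHER_SPA),
        "tla reaches everything": (TLA, MANAGE_USER, USER_OTHER_SPA),
    }
    return {label: may(*req) for label, req in requests.items()}


if __name__ == "__main__":
    for label, allowed in decision_table().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The point of comparing RDN components instead of raw DN strings is that a subtree check is the whole access-control decision here; a string suffix match, or a check that forgets to normalize case and whitespace, lets an administrator reach entries the hierarchy was meant to keep out of scope.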

For information about the SPA role, see Appendix A, Service Provider Administrator and Service Provider Organizations.