Sun Java System Delegated Administrator 6.4 Administration Guide

Service Provider Administrator

The Delegated Administrator console lets you delegate administrative tasks to a new role, the Service Provider Administrator (SPA), who can create and manage new types of subordinate organizations.

The SPA’s scope of authority lies between that of the Top-Level Administrator (TLA) and the Organization Administrator (OA).

With the SPA, you can create a three-tiered administrative hierarchy, as described in Three-Tiered Hierarchy in Chapter 1, Delegated Administrator Overview.

This second level of delegation can ease the management of a large customer base supported by a large LDAP directory. For example, an ISP may offer services to hundreds or thousands of small businesses, each of which requires its own organization. Each day, dozens of new organizations might have to be added to the directory.

If you used a two-tiered hierarchy, the TLA would have to create all these new organizations. Now the TLA can delegate these tasks to SPAs.

The SPAs can create subordinate organizations for new customers and assign OAs to manage users in those organizations.

Figure A–1 shows a logical view of a sample three-tiered organizational hierarchy.

Figure A–1 Directory Using a Service Provider Administrator: Logical View
The example in Figure A–1 shows one provider organization. However, a directory can contain multiple provider organizations.

In this example, administrative tasks are delegated as follows:

For definitions of provider and subordinate organizations, see Organizations Managed by the Service Provider Administrator.

Service Provider Administrator Role

The SPA can perform the following tasks:

Note –

The TLA can modify or delete any existing shared organization or full organization. The TLA also can manage users in those organizations.

The TLA can remove the SPA role from a user but cannot assign the SPA role through the console. For a list of constraints in this release of Delegated Administrator, see Considerations for This Release.

For a complete description of the administrative tasks performed by the TLA, see Administrator Roles and the Directory Hierarchy in Chapter 1, Delegated Administrator Overview.

Assigning the SPA Role to a User

The SPA role must be assigned to a user in an organization designated for SPAs and subordinate to the provider organization that the SPA will manage.

In the example shown in Figure A–1, assume you need to create an SPA for the provider organization named VIS. You could assign the SPA role to user1 in the organization DEF.

The SPA must reside in a subordinate organization because a provider organization node does not contain any users.

Thus, before a provider organization can be managed by an SPA, at least one organization must be created under it. This organization should be designated to hold users who are assigned the SPA role. For more information, see Creating a Provider Organization and Service Provider Administrator.

Considerations for This Release

In this release of Delegated Administrator, you cannot use the Delegated Administrator console or utility to create an SPA or a provider organization.

To create an SPA or provider organization, you must manually modify the custom service-provider template, da.provider.skeleton.ldif.

For instructions on using the custom service-provider template to perform these tasks, see Creating a Provider Organization and Service Provider Administrator, later in this appendix.