The SPA’s scope of authority lies between that of the Top-Level Administrator (TLA) and the Organization Administrator (OA).
This second level of delegation can ease the management of a large customer base supported by a large LDAP directory. For example, an ISP may offer services to hundreds or thousands of small businesses, each of which requires its own organization. Each day, dozens of new organizations might have to be added to the directory.
If you used a two-tiered hierarchy, the TLA would have to create all these new organizations. Now the TLA can delegate these tasks to SPAs.
The SPAs can create subordinate organizations for new customers and assign OAs to manage users in those organizations.
Figure A–1 shows a logical view of a sample three-tiered organizational hierarchy.
The example in Figure A–1 shows one provider organization. However, a directory can contain multiple provider organizations.
In this example, administrative tasks are delegated as follows:
The SPA has the authority to manage the VIS provider organization and all organizations under it. The SPA role is assigned to user1 in the DEF organization.
The Organization Administrator named OA1 manages DEF, a shared organization. This OA role is assigned to user2 in the DEF organization.
OA2 manages HIJ, a shared organization. This OA role is assigned to user4 in the HIJ organization.
OA3 manages SESTA, a full organization. This OA role is assigned to user1 in the SESTA organization.
SESTA is a full organization and has its own unique namespace. user1 in SESTA (in the sesta.com domain) has a unique user ID.
For definitions of provider and subordinate organizations, see Organizations Managed by the Service Provider Administrator.
Create, delete, and modify shared and full organizations in the provider organization in which the SPA has administrative authority.
In the example shown in Figure A–1, the SPA for the VIS provider organization can
Modify or delete the DEF, HIJ, and SESTA organizations
Create additional organizations under the VIS provider organization.
Create, delete, and modify users in any organization under the provider organization.
Create, delete, and modify groups in any organization under the provider organization.
Create, delete, and modify Calendar resources in any organization under the provider organization.
Assign OA roles to users.
For example, in the sample organization shown in Figure A–1, the SPA could assign an OA role to user2 in the SESTA organization. user2 could then manage users in the SESTA organization.
The SPA also can remove the OA role from a user.
Assign the SPA role to other legitimate users under the provider organization (and remove the SPA role).
Allocate service packages to organizations.
The SPA can assign specified types of service packages to an organization and determine the maximum number of each package that can be used in that organization.
For example, the SPA could assign the following service packages:
In the DEF organization:
1,000 gold packages
500 platinum packages
In the HIJ organization:
2,500 topaz packages
500 platinum packages
500 emerald packages
1,000 ruby packages
In the SESTA organization:
2,000 silver packages
1,500 gold packages
100 platinum packages
The SPA can use the Delegated Administrator console to perform these tasks. In this release, the Delegated Administrator utility does not include command options to perform these tasks.
The TLA can modify or delete any existing shared organization or full organization. The TLA also can manage users in those organizations.
The TLA can remove the SPA role from a user but cannot assign the SPA role through the console. For a list of constraints in this release of Delegated Administrator, see Considerations for This Release.
In the example shown in Figure A–1, assume you need to create an SPA for the provider organization named VIS. You could assign the SPA role to user1 in the organization DEF.
The SPA must reside in a subordinate organization because a provider organization node does not contain any users.
Thus, before a provider organization can be managed by an SPA, at least one organization must be created under it. This organization should be designated to hold users who are assigned the SPA role. For more information, see Creating a Provider Organization and Service Provider Administrator.
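The scope rules listed above (TLA everywhere, SPA over its provider subtree, OA over a single organization), the rule that an SPA must reside in a subordinate organization, and the per-organization package allocation can be modelled as a small authorization check. The following is an added illustration, not code or schema from Delegated Administrator; the organization tree, user IDs and package names are constructed to mirror Figure A–1.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Org:
    name: str
    parent: Optional["Org"] = None
    is_provider: bool = False                     # provider nodes hold no users
    package_quota: dict = field(default_factory=dict)  # package type -> maximum count

    def ancestors(self):
        node = self.parent
        while node is not None:
            yield node
            node = node.parent

@dataclass
class Admin:
    uid: str
    role: str                  # "TLA", "SPA" or "OA"
    home_org: Optional[Org]    # organization the user resides in (None for the TLA)
    scope_org: Optional[Org]   # provider org (SPA) or managed org (OA); None for the TLA

def make_spa(uid, home_org, provider):
    """Assign the SPA role: the user must live in an organization under the provider node."""
    if not provider.is_provider:
        raise ValueError(f"{provider.name} is not a provider organization")
    if home_org.is_provider or provider not in home_org.ancestors():
        raise ValueError(f"{uid} must reside in a subordinate organization of {provider.name}")
    return Admin(uid, "SPA", home_org, provider)

def can_manage(admin, org):
    """TLA manages everything, SPA its provider org and all orgs below it, OA only its own org."""
    if admin.role == "TLA":
        return True
    if admin.role == "SPA":
        return org is admin.scope_org or admin.scope_org in org.ancestors()
    if admin.role == "OA":
        return org is admin.scope_org
    return False

def allocate_packages(spa, org, quotas):
    """Let an SPA set per-package maximums, but only in an organization inside its scope."""
    if spa.role != "SPA" or not can_manage(spa, org):
        raise PermissionError(f"{spa.uid} cannot allocate packages in {org.name}")
    org.package_quota.update(quotas)
    return dict(org.package_quota)

# Constructed hierarchy: VIS (provider) -> DEF, HIJ, SESTA; OTHER is a second provider org
VIS = Org("VIS", is_provider=True)
DEF, HIJ, SESTA = (Org(n, parent=VIS) for n in ("DEF", "HIJ", "SESTA"))
OTHER = Org("OTHER", is_provider=True)
SPA = make_spa("user1@DEF", DEF, VIS)             # user1 in DEF holds the SPA role for VIS
OA3 = Admin("user1@SESTA", "OA", SESTA, SESTA)    # OA3 manages the full organization SESTA
```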
In this release of Delegated Administrator, you cannot use the Delegated Administrator console or utility to create an SPA or a provider organization.
To create an SPA or provider organization, you must manually modify the custom service-provider template, da.provider.skeleton.ldif.
For instructions on using the custom service-provider template to perform these tasks, see Creating a Provider Organization and Service Provider Administrator, later in this appendix.