# about_AdminDelegatedAdminSnapIn

TOPIC

about_AdminDelegatedAdminSnapin

SHORT DESCRIPTION

The Delegated Administration Service PowerShell snap-in provides 
administrative functions for the Delegated Administration Service.

COMMAND PREFIX

All commands in this snap-in have the noun prefixed with 'Admin'.

LONG DESCRIPTION

The Delegated Administration Service PowerShell snap-in enables both local 
and remote administration of the Delegated Administration Service.

The Delegated Administration Service (or DAS for short) stores information 
about Citrix administrators and the rights they have. Services in the 
XenDesktop deployment use the DAS to determine whether a particular user 
has the privilege to perform an operation or not.

The snap-in provides storage and configuration of these entities:

Administrators 
    Each administrator object represents an individual person or a group 
    of people identified by their Active Directory account. 
    Administrators can be enabled and disabled.

    The effective rights of a user are the union of the rights they are 
    granted by every administrator entry that matches them through their 
    Active Directory group membership. Disabled administrator entries are 
    ignored for this calculation.

    Once a site is set up, there must always be a full administrator, and 
    the Delegated Administration snap-in rejects requests to remove or 
    disable the last full administrator.

Roles 
    A role represents a job function. That is, anyone with a given role 
    is expected to be able to use or perform the tasks, wizards, and 
    actions associated with that role. Administrators may have multiple 
    roles for a particular site.

    Some roles are built-in, and some editions of the product allow custom 
    roles to be created with different combinations of permissions.

Scopes 
    Scopes represent a collection of objects, and are used to group 
    objects for administrative purposes in a way that is relevant to the 
    organisation. They can be used to represent both hierarchical and 
    non-hierarchical relationships.

    Objects can exist in multiple scopes at once. You may find it 
    easier to think of scopes as labels, or a non-exclusive grouping such as 
    a play-list.

    All objects are implicitly in the built-in 'All' scope.

    Some objects are not scoped, and access to them is through either the 
    'All' scope or indirectly through a scoped object. For example, 
    sessions are not directly scoped but can be accessed using the 
    scope of the desktop group.

    The DAS stores information about scopes, but the mapping between 
    scopes and objects is stored and updated using the PowerShell 
    snap-ins of each corresponding service. For example, Delivery Group 
    scopes are managed using the Broker PowerShell snap-in.

Rights 
    Rights determine what an administrator can do and where they can do 
    it. They are expressed as a number of <role, scope> pairs associated 
    with each administrator.

    To gain access to any particular object, a person must match an 
    administrator object that has an appropriate right that allows the 
    required operation in a scope that the object is a member of.

Permissions 
    Each task, wizard or action in the Citrix Studio or Director consoles 
    represents a unit of functionality that an administrator can perform. 
    Permissions are expressed at a high level and generally correspond 
    directly to the labels in the consoles. For example: "Edit catalog", 
    or "Create delivery group".

Permission groups 
    Permissions are grouped into related functionality when displayed 
    by the console.

Operations 
    Operations are the indivisible unit of functionality that each 
    XenDesktop service can perform, and usually correspond to 
    individual cmdlets. Internally, each permission requires a number 
    of operations to be performed, possibly by different services.
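
The access decision described under Administrators, Scopes and Rights above can be modelled in a few lines of PowerShell. This is an added example, not code from the snap-in or from Citrix: it calls no snap-in cmdlets, and the accounts, role, scope and object names, and the functions New-ModelRight, Get-ModelEffectiveRight and Test-ModelAccess are all constructed for illustration.

```powershell
# Model of the DAS access decision. All names and data below are constructed for
# illustration; nothing here calls the snap-in or reads a real site.
$Roles = @{                                   # role -> permissions it contains
    'CatalogEditor' = @('Edit catalog')
    'GroupCreator'  = @('Create delivery group')
}
$ObjectScopes = @{                            # object -> scopes it is labelled with
    'Catalog-London'      = @('London')
    'Catalog-Paris'       = @('Paris')
    'DeliveryGroup-Paris' = @('Paris', 'EMEA')
}
function New-ModelRight($Role, $Scope) { [pscustomobject]@{ Role = $Role; Scope = $Scope } }
$Administrators = @(
    [pscustomobject]@{ Name = 'CORP\alice'; Enabled = $true
                       Rights = @(New-ModelRight 'CatalogEditor' 'London') }
    [pscustomobject]@{ Name = 'CORP\EMEA-Admins'; Enabled = $true
                       Rights = @(New-ModelRight 'GroupCreator' 'EMEA') }
    [pscustomobject]@{ Name = 'CORP\Contractors'; Enabled = $false
                       Rights = @(New-ModelRight 'CatalogEditor' 'All') }
)

# Union of the <role, scope> pairs of every enabled entry matching the user or a group.
function Get-ModelEffectiveRight {
    param([string[]]$Identity)
    $Administrators |
        Where-Object { $_.Enabled -and ($Identity -contains $_.Name) } |
        ForEach-Object { $_.Rights } |
        Sort-Object Role, Scope -Unique
}

# Allowed when some effective right's role holds the permission in a scope of the object.
function Test-ModelAccess {
    param([string[]]$Identity, [string]$Permission, [string]$Object)
    $scopes = @('All') + @($ObjectScopes[$Object])    # every object is implicitly in 'All'
    foreach ($right in Get-ModelEffectiveRight -Identity $Identity) {
        if (($Roles[$right.Role] -contains $Permission) -and ($scopes -contains $right.Scope)) {
            return $true
        }
    }
    return $false
}

# The user's account plus group memberships (these would come from Active Directory).
$alice = @('CORP\alice', 'CORP\EMEA-Admins', 'CORP\Contractors')
Get-ModelEffectiveRight -Identity $alice | Format-Table
Test-ModelAccess $alice 'Edit catalog' 'Catalog-London'                # right held directly
Test-ModelAccess $alice 'Create delivery group' 'DeliveryGroup-Paris'  # right held via a group
Test-ModelAccess $alice 'Edit catalog' 'Catalog-Paris'                 # only a disabled entry covers this
```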