ZCS Administrator Guide 8.0
ZCS Administrator Guide 8.0
Network Edition

Delegated Administration > Target Types for Granting Administrative Rights

Target Types for Granting Administrative Rights
Delegated administration provides a way to define access control limits on targets and grant rights to administrators to perform tasks on the target.
A target is a ZCS object on which rights can be granted. Each target is associated with a target type that identifies the type of access control entries you can grant on the target.
When selecting a target type for a target consider the following:
Target. Which specific target are you granting rights? For example, if the target type you select is “domain”, which domain do you mean? You specify a specific domain’s name (Target Name = example.com). Access Control
Entries (ACE) are granted on that target. An ACE is stored in an LDAP attribute on the target entry.
Is the right you want to grant applicable to the selected target type? A right can only be applied on the relevant target type. For example, creating an account can only apply to a domain target type, and the setting passwords can only apply to accounts and calendar resources target types. If a right is granted on a target that is not applicable to the target, the grant is ignored.
When defining rights, you need to consider the scope of targets in which granted rights are effective. For example, the right to set the password is applicable only to accounts and calendar resources, but if this right is included in the domain targets list of rights, it is effective for all accounts or calendar resource in the domain.
If the right is applicable to accounts and calendar resources, all accounts and calendar resources that are direct or indirect members of this distribution list.
When domain is the target, the rights are granted for all accounts, calendar resources and distribution lists in the domain.
Administrator rights for all entries in a target type. For example, you could add an ACE to the Global Access Control List (ACL) that grants the right to create accounts on domains.
Delegated administrator accounts that are granted this right can create accounts in all domains in the system.
Copyright © 2012 VMware Inc.