Citrix DaaS

Delegated administration

Overview

With delegated administration in Citrix Cloud, you can configure the access permissions that all of your administrators need, in accordance with their role in your organization.

By default, administrators have full access. This setting enables access to all available customer administration and management functions in Citrix Cloud, plus all subscribed services. To tailor an administrator’s access:

  • Configure custom access for an administrator’s general management permissions in Citrix Cloud.
  • Configure custom access for subscribed services. In Citrix DaaS (formerly Citrix Virtual Apps and Desktops service), you can configure custom access when you invite a new administrator. You can change an administrator’s access later.

For information about displaying the list of administrators and defining access permissions, see Manage administrator access to Citrix Cloud.

This article describes how to configure custom access in Citrix DaaS.

Administrators, roles, and scopes

Delegated administration uses three concepts for custom access: administrators, roles, and scopes.

  • Administrators: An administrator represents a person identified by their Citrix Cloud sign-in, which is typically an email address. Each administrator is associated with one or more role and scope pairs.
  • Roles: A role represents a job function, and has permissions associated with it. These permissions allow certain tasks that are unique to Citrix DaaS. For example, the Delivery Group Administrator role has permission to create a delivery group and remove a desktop from a delivery group, plus other associated permissions. An administrator can have multiple roles. An administrator might be a Delivery Group Administrator and a Machine Catalog Administrator.

    Citrix DaaS provides some built-in custom access roles. You cannot change the permissions within these built-in roles, or delete those roles.

    You can create your own custom access roles to meet your organization’s requirements, and delegate permissions with more detail. Use custom roles to allocate permissions at the granularity of an action or task. You can delete a customized role only if it is not assigned to an administrator.

    You can change which roles an administrator has.

    A role is always paired with a scope.

  • Scopes: A scope represents a collection of objects. Scopes are used to group objects in a way that is relevant to your organization. Objects can be in more than one scope.

    There is one built-in scope: All, which contains all objects. Citrix Cloud and Help Desk administrators are always paired with the All scope. That scope cannot be changed for those administrators.

    When you invite (add) an administrator for this service, a role is always paired with a scope (by default, the All scope).

    You create and delete scopes in the Manage > Full Configuration interface. You assign role/scope pairs in the Citrix Cloud console.

    A scope is not shown for Full access administrators. By definition, those administrators can access all customer-managed Citrix Cloud and subscribed services objects.

Built-in roles and scopes

Citrix DaaS has the following built-in roles.

  • Cloud Administrator: Can perform all tasks that can be initiated from Citrix DaaS.

    Can see the Manage and Monitor tabs in the console. This role is always combined with the All scope. You cannot change the scope.

    Do not be confused by this role’s name. A custom access Cloud Administrator cannot perform Citrix Cloud-level tasks (Citrix Cloud tasks require Full access).

  • Read Only Administrator: Can see all objects in the specified scopes (in addition to global information), but cannot change anything. For example, a Read Only Administrator with a scope of London can see all global objects and any objects in the London scope (for example, London Delivery Groups). However, that administrator cannot see objects in the New York scope (assuming that the London and New York scopes do not overlap).

    Can see the Manage tab in the console. Cannot see the Monitor tab. You can change the scope.

  • Help Desk Administrator: Can view delivery groups, and manage the sessions and machines associated with those groups. Can see the machine catalog and host information for the delivery groups being monitored. Can also perform session management and machine power management operations for the machines in those delivery groups.

    Can see the Monitor tab in the console. Cannot see the Manage tab. This role is always combined with the All scope. You cannot change the scope.

  • Machine Catalog Administrator: Can create and manage machine catalogs and provision the machines into them. Can manage base images and install software, but cannot assign applications or desktops to users.

    Can see the Manage tab in the console. Cannot see the Monitor tab. You can change the scope.

  • Delivery Group Administrator: Can deliver applications, desktops, and machines. Can also manage the associated sessions. Can manage application and desktop configurations such as policies and power management settings.

    Can see the Manage tab in the console. Cannot see the Monitor tab. You can change the scope.

  • Host Administrator: Can manage host connections and their associated resource settings. Cannot deliver machines, applications, or desktops to users.

    Can see the Manage tab in the console. Cannot see the Monitor tab. You can change the scope.

  • Session Administrator: Can view delivery groups being monitored and manage their associated sessions and machines.

    Can see the Monitor tab in the console. Cannot see the Manage tab. You cannot change the scope.

  • Full Administrator: Can perform all tasks and operations. A Full Administrator is always combined with the All scope.

    Can see the Manage and Monitor tabs in the console. This role is always combined with the All scope. You cannot change the scope.

  • Full Monitor Administrator: Has full access to all views and commands on the Monitor tab.

    Can see the Monitor tab in the console. Cannot see the Manage tab. You cannot change the scope.

  • Probe Agent Administrator: Has access to Probe Agent APIs.

    Can see the Monitor tab in the console. Cannot see the Manage tab. Has read-only access to the Applications page but cannot access any other views.

The following table summarizes which console tabs are visible for each custom access role in Citrix DaaS, and whether the role can be used with custom scopes.

| Custom access administrator role | Can see Manage tab in console? | Can see Monitor tab in console? | Can role be used with custom scopes? |
| --- | --- | --- | --- |
| Cloud Administrator | Yes | Yes | No |
| Read Only Administrator | Yes | No | Yes |
| Help Desk Administrator | No | Yes | No |
| Machine Catalog Administrator | Yes | No | Yes |
| Delivery Group Administrator | Yes | No | Yes |
| Host Administrator | Yes | No | Yes |
| Session Administrator | No | Yes | No |
| Full Administrator | Yes | Yes | No |
| Full Monitor Administrator | No | Yes | No |
| Probe Agent Administrator | No | Yes | No |

Note:

Custom access administrator roles (except Cloud Administrator and Help Desk Administrator) are not available for Citrix Virtual Apps and Desktops Standard for Azure, Virtual Apps Essentials, and Virtual Desktops Essentials.

To view the permissions associated with a role:

  1. Sign in to Citrix Cloud. Select My Services > DaaS in the upper left menu.
  2. From Manage > Full Configuration, select Administrators in the left pane.
  3. Select the Roles tab.
  4. Select a role in the upper middle pane. The Role definition tab in the lower pane lists the categories and permissions. Select a category to see the specific permissions. The Administrators tab lists the administrators who have been assigned the selected role.

    Known issue: A Full Administrator entry does not display the correct set of permissions for a full access Citrix DaaS administrator.

How many administrators you need

The number of administrators and the granularity of their permissions generally depend on the size and complexity of the deployment.

  • In small or proof of concept deployments, one or a few administrators do everything. There is no custom access delegation. In this case, each administrator has Full access, which always has the All scope.
  • In larger deployments with more machines, applications, and desktops, more delegation is needed. Several administrators might have more specific functional responsibilities (roles). For example, two have Full access, and others are Help Desk Administrators. Also, an administrator might manage only certain groups of objects (scopes), such as machine catalogs in a particular department. In this case, create new scopes, plus administrators with the appropriate custom access role and scopes.

Administrator management summary

Setting up administrators for Citrix DaaS follows this sequence:

  1. If you want the administrator to have a role other than a Full administrator (which covers all subscribed services in Citrix Cloud) or a built-in role, create a custom role.

  2. If you want the administrator to have a scope other than All (and a different scope is allowed for the intended role, and has not already been created), create scopes.

  3. From Citrix Cloud, invite an administrator. If you want the new administrator to have anything other than the default Full access, specify a custom access role and scope pair.

Later, if you want to change an administrator’s access (roles and scope), see Configure custom access.

Add an administrator

To add (invite) administrators, follow the guidance in Add administrators to a Citrix Cloud account. A subset of that information is repeated here.

Important:

Do not confuse how “custom” and “custom access” are used.

  • When creating administrators and assigning roles for Citrix DaaS in the Citrix Cloud console, the term “custom access” includes both the built-in roles and any additional custom roles that were created in the service’s Manage > Full Configuration interface.
  • In the service’s Manage > Full Configuration interface, “custom” simply differentiates that role from a built-in role.

The general workflow for adding administrators is as follows:

  1. Sign in to Citrix Cloud and then select Identity and Access Management in the upper left menu.

  2. On the Identity and Access Management page, select Administrators. The Administrators tab lists all current administrators for the account.

  3. On the Administrators tab, select your identity type, enter the administrator’s email address, and then click Invite.

    • Select Full access if you want the administrator to have full access. In that way, the administrator can access all customer administrator functions in Citrix Cloud and in all subscribed services.
    • Select Custom access if you want the administrator to have limited access. You can then select a custom access role and scope pair. In that way, the administrator has the intended permissions when signing in to Citrix Cloud.

  4. Click Send Invite. Citrix Cloud sends an invitation to the email address and adds the administrator to the list after the administrator completes onboarding.

When receiving the email, the administrator clicks the Sign In link to accept the invitation.

For more information about adding administrators, see Manage Citrix Cloud administrators.

Alternatively, go to Manage > Full Configuration > Administrators > Administrators and click Add Administrator. You are taken directly to Identity and Access Management > Administrators, which opens in a new browser tab. After you are finished adding administrators there, close the tab and return to the console to continue with your other configuration tasks.

Create and manage roles

When administrators create or edit a role, they can enable only the permissions that they themselves have. This control prevents administrators from creating a role with more permissions than they currently have and then assigning it to themselves (or editing a role that they are already assigned).

Custom role names can contain up to 64 Unicode characters. Names cannot contain: backslash, forward slash, semicolon, colon, pound sign, comma, asterisk, question mark, equal sign, left arrow, right arrow, pipe, left or right bracket, left or right parenthesis, quotation marks, and apostrophe.

Role descriptions can contain up to 256 Unicode characters.
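The two rules above, the check that a creator can only enable permissions they already hold and the name and description limits, can be modelled in a few lines. The following Python is an added illustration, not Citrix code: the permission strings and the Machine Catalog Administrator's role/scope pair are constructed, and the set of reserved characters is my reading of the list in words above (left and right arrow taken as < and >, bracket as [ and ]).

```python
"""Checks applied when a custom role is created, modelled in Python.

Added illustration, not Citrix code. Permission strings and the example
administrator are constructed; RESERVED_CHARS is an ASCII reading of the
reserved-character list given in words in the article.
"""

# backslash, forward slash, semicolon, colon, pound sign, comma, asterisk,
# question mark, equal sign, left/right arrow, pipe, brackets, parentheses,
# quotation marks, apostrophe
RESERVED_CHARS = set('\\/;:#,*?=<>|[]()"\'')
MAX_NAME_LEN = 64
MAX_DESCRIPTION_LEN = 256


def validate_name(name: str) -> list:
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    if not name.strip():
        problems.append("name is empty")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name longer than {MAX_NAME_LEN} characters")
    bad = sorted(set(name) & RESERVED_CHARS)
    if bad:
        problems.append("reserved characters: " + " ".join(bad))
    return problems


def validate_description(description: str) -> list:
    if len(description) > MAX_DESCRIPTION_LEN:
        return [f"description longer than {MAX_DESCRIPTION_LEN} characters"]
    return []


def effective_permissions(admin_pairs) -> frozenset:
    """Union of the permissions granted by all of an administrator's (permissions, scope) pairs."""
    perms = set()
    for role_permissions, _scope in admin_pairs:
        perms |= set(role_permissions)
    return frozenset(perms)


def create_custom_role(creator_pairs, name: str, description: str, requested: set) -> dict:
    """Build a role definition, or raise ValueError. The permission check mirrors
    the console's refusal to let an administrator grant what they do not hold."""
    problems = validate_name(name) + validate_description(description)
    if problems:
        raise ValueError("; ".join(problems))
    held = effective_permissions(creator_pairs)
    excess = sorted(set(requested) - held)
    if excess:
        raise ValueError("creator lacks permissions: " + ", ".join(excess))
    return {"name": name, "description": description, "permissions": frozenset(requested)}


def try_create(creator_pairs, name, description, requested):
    """Convenience wrapper returning (ok, role_or_error_message)."""
    try:
        return True, create_custom_role(creator_pairs, name, description, requested)
    except ValueError as exc:
        return False, str(exc)


# Constructed: a Machine Catalog Administrator paired with the All scope.
CATALOG_ADMIN_PAIRS = [({"Catalog.Read", "Catalog.Create", "Catalog.Delete"}, "All")]


if __name__ == "__main__":
    print(try_create(CATALOG_ADMIN_PAIRS, "Catalog Viewer", "read-only catalogs", {"Catalog.Read"}))
    print(try_create(CATALOG_ADMIN_PAIRS, "Catalog+DG", "", {"Catalog.Read", "DeliveryGroup.Create"}))
    print(try_create(CATALOG_ADMIN_PAIRS, "Bad/Name", "", {"Catalog.Read"}))
```

The second call is the case the paragraph above is about: the creator holds only catalog permissions, so a role that also grants DeliveryGroup.Create is refused, which is what stops an administrator from minting a role more powerful than their own and assigning it to themselves.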

  1. Sign in to Citrix Cloud if you haven’t already. Select My Services > DaaS in the upper left menu.
  2. From Manage > Full Configuration, select Administrators in the left pane.
  3. Select the Roles tab.
  4. Follow the instructions for the task you want to complete:

    • View role details: Select the role in the middle pane. The lower portion of the middle pane lists the object types and associated permissions for the role. Select the Administrators tab in the lower pane to display a list of administrators who currently have this role.
    • Create a custom role: Select Create Role in the action bar. Configure settings as follows:

      • Enter a name and description.
      • Configure console access. Determine which consoles are visible to the administrators. You can proceed without selecting any console. In that case, administrators with the role cannot access Manage and Monitor but can access, view, or manage objects through SDKs and APIs.
      • Select the object types and permissions. To grant full access permission to an object type, select its check box. To grant permission at a granular level, expand the object type and then select Read Only or individual objects under Manage within the type.

      Create Role dialog box

    • Copy a role: Select the role in the middle pane and then select Copy Role in the action bar. Change the name, description, object types, and permissions, as needed. When you’re done, select Save.
    • Edit a custom role: Select the role in the middle pane and then select Edit Role in the action bar. Change the name, description, object types, and permissions, as needed. You cannot edit a built-in role. When you’re done, select Save.
    • Delete a custom role: Select the role in the middle pane and then select Delete Role in the action bar. When prompted, confirm the deletion. You cannot delete a built-in role. You cannot delete a custom role if it is assigned to an administrator.

Create and manage scopes

By default, all roles have the All scope for their relevant objects. For example, a Delivery Group Administrator can manage all Delivery Groups. For some administrator roles, you can create a scope that allows that administrator role to access a subset of the relevant objects. For example, you might want to give a Machine Catalog Administrator access to only catalogs that contain a certain type of machines, rather than all catalogs.

  • Full access administrators or custom access Cloud Administrators can create scopes for the Read Only Administrator, Machine Catalog Administrator, Delivery Group Administrator, and Host Administrator roles.
  • Scopes cannot be created for Full access administrators, nor can they be created for Cloud Administrators or Help Desk Administrators. Those administrators always have the All scope.

Rules for creating and managing scopes:

  • Scope names can contain up to 64 Unicode characters. Names cannot include: backslash, forward slash, semicolon, colon, pound sign, comma, asterisk, question mark, equal sign, left or right arrow, pipe, left or right bracket, left or right parenthesis, quotation marks, and apostrophe.
  • Scope descriptions can contain up to 256 Unicode characters.
  • When you copy or edit a scope, keep in mind that removing objects from the scope can make those objects inaccessible to an administrator. If the edited scope is paired with one or more roles, ensure that your scope updates do not make any role/scope pair unusable.

To create and manage scopes:

  1. Sign in to Citrix Cloud. Select My Services > DaaS in the upper left menu.
  2. From Manage > Full Configuration, select Administrators in the left pane.
  3. Select the Scopes tab.
  4. Follow the instructions for the task you want to complete:

    • View scope details: Select the scope. The lower portion of the pane lists the objects and administrators that have that scope.
    • Create a scope: Select Create Scope in the action bar. Enter a name and description. The objects are listed by type, such as delivery group and machine catalog.
      • To include all objects of a particular type (for example, all delivery groups), select the check box for the object type.
      • To include individual objects within a type, expand the type and then select the check boxes for the objects (for example, specific delivery groups).

        Note:

        Application groups, delivery groups, or machine catalogs are displayed in folder structures that align with their management in DaaS. You can select a folder to select all its objects or expand a folder to select specific objects.

      • To create a tenant customer, select the Tenant scope check box. If selected, the name you entered for the scope is the tenant name. For more information about the tenant scope, see Tenant management.

      When you’re done, select OK.

      Create Scope dialog box

    • Copy a scope: Select the scope in the middle pane and then select Copy Scope in the action bar. Change the name, description, object types, and objects, as needed. When you’re done, select Save.
    • Edit a scope: Select the scope in the middle pane and then select Edit Scope in the action bar. Change the name, description, object types, and objects, as needed. When you’re done, select Save.
    • Delete a scope: Select the scope in the middle pane and then select Delete Scope in the action bar. When prompted, confirm the deletion.

      You cannot delete a scope if it is assigned to a role. If you attempt to do this, an error message indicates that you do not have permission. In fact, the error occurs because the role/scope pair that uses this scope is assigned to an administrator. First, remove the role/scope pair assignment for all administrators who use it. Then delete the scope in the Manage console.

After you create a scope, it appears in the Custom access list in the Citrix Cloud console. You can then select it when you assign a role to an administrator.

For example, let’s say you create a scope named CAD, and select the catalogs that contain machines suitable for CAD applications. When you return to the Citrix Cloud console and select Edit scopes for a role, the list of available scopes displays the CAD scope you created earlier.

The Cloud Administrator and Help Desk Administrator always have the All scope, so the CAD scope does not apply to them.

Tenant management

Using the Full Configuration management interface, you can create mutually exclusive tenants under a single Citrix DaaS. You achieve that by creating tenant scopes in Administrators > Scopes and associating related configuration objects, such as machine catalogs and delivery groups, with those tenants. As a result, administrators with access to a tenant can manage only objects that are associated with the tenant.

This feature is useful, for example, if your organization:

  • Has different business silos (independent divisions or separate IT management teams) or
  • Has multiple on-premises sites and wants to maintain the same setup in a single Citrix DaaS instance.

The interface lets you filter tenant customers by name. By default, the interface displays information about all tenant customers. To display information about a specific tenant, select that tenant from the list in the upper-right corner.

Create a tenant customer

To create a tenant customer, select Tenant scope when creating a scope. By selecting the option, you create a unique scope type that applies to objects in scenarios where you share a Citrix DaaS instance between different business units, each of which is independent of the others. After you create a tenant scope, you cannot change the scope type.

The Scopes tab displays all scope items. The only difference between regular scopes and tenant scopes is in the Type column. A blank Type field indicates a regular scope. You can click the Type column to sort scope items if needed.

To see the resources (objects) attached to a scope, select Administrators in the left pane. On the Scopes tab, select the scope and then select Edit Scope in the action bar.

Tip:

The tenant property is assigned at a scope level. Machine catalogs, delivery groups, applications, and connections inherit the tenant property from the applicable scope.

When using a tenant scope, be aware of the following considerations:

  • The tenant property is assigned in the following order: Hosting > Machine Catalogs > Delivery Groups > Applications. Lower-level objects inherit the tenant property from higher-level objects. For example, when selecting a delivery group, you must select the associated hosting and machine catalog. Otherwise, the delivery group cannot inherit the tenant property.
  • After creating a tenant scope, you can edit tenant assignments by modifying objects. A changed tenant assignment is still subject to the constraint that it must be assigned to the same tenants or to a subset of those tenants. However, lower-level objects are not reevaluated when tenant assignments change. Make sure that objects are properly restricted when you change tenant assignments. For example, if a machine catalog is available for TenantA and TenantB, you can create a delivery group for TenantA and one for TenantB. (TenantA and TenantB are both associated with that machine catalog.) You can then change the machine catalog to be associated only with TenantA. As a result, the delivery group associated with TenantB becomes invalid.
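Because lower-level objects are not reevaluated when a higher-level tenant assignment changes, an audit that walks the Hosting > Machine Catalogs > Delivery Groups > Applications chain is a useful check after any such change. The following Python is an added illustration, not Citrix code or a Citrix API: the object names (Azure-Conn, Shared-Catalog, DG-A, DG-B, App-B) are constructed, TenantA and TenantB are the tenants from the example above, and an object is reported when its tenants are not all allowed by every object above it in the chain.

```python
"""Audit tenant assignments along Hosting > MachineCatalog > DeliveryGroup > Application.

Added illustration, not Citrix code. Object names are constructed; TenantA and
TenantB follow the article's example. An object is valid when its tenant set is
a subset of the tenants allowed by every ancestor.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = ["Hosting", "MachineCatalog", "DeliveryGroup", "Application"]


@dataclass
class TenantObject:
    name: str
    level: str                                # one of LEVELS
    tenants: set                              # tenant scopes assigned to this object
    parent: Optional["TenantObject"] = None   # the object one level up


def inherited_tenants(obj: TenantObject):
    """Tenants every ancestor allows (intersection up the chain); None at the top."""
    allowed = None
    node = obj.parent
    while node is not None:
        allowed = set(node.tenants) if allowed is None else allowed & node.tenants
        node = node.parent
    return allowed


def invalid_objects(objects) -> list:
    """[(name, tenants not allowed by its ancestors)] for each inconsistent object."""
    findings = []
    for obj in objects:
        if obj.parent is None:
            continue
        if LEVELS.index(obj.parent.level) != LEVELS.index(obj.level) - 1:
            raise ValueError(f"{obj.name}: parent must be exactly one level up")
        uncovered = obj.tenants - inherited_tenants(obj)
        if uncovered:
            findings.append((obj.name, sorted(uncovered)))
    return findings


def reassign(obj: TenantObject, new_tenants, objects) -> list:
    """Apply a tenant change (only the parent's tenants or a subset of them are
    accepted) and return the descendants the change leaves invalid, since they
    are not re-evaluated automatically."""
    if obj.parent is not None and not set(new_tenants) <= obj.parent.tenants:
        raise ValueError(f"{obj.name}: must stay within the parent's tenants")
    obj.tenants = set(new_tenants)
    return invalid_objects(objects)


def build_sample() -> list:
    """Constructed hierarchy: one catalog shared by two tenants, one delivery
    group per tenant, and an application published from the TenantB group."""
    hosting = TenantObject("Azure-Conn", "Hosting", {"TenantA", "TenantB"})
    catalog = TenantObject("Shared-Catalog", "MachineCatalog", {"TenantA", "TenantB"}, hosting)
    dg_a = TenantObject("DG-A", "DeliveryGroup", {"TenantA"}, catalog)
    dg_b = TenantObject("DG-B", "DeliveryGroup", {"TenantB"}, catalog)
    app_b = TenantObject("App-B", "Application", {"TenantB"}, dg_b)
    return [hosting, catalog, dg_a, dg_b, app_b]


def scenario():
    """The article's example: narrowing the catalog to TenantA invalidates the
    TenantB delivery group, and with it the application below it."""
    objects = build_sample()
    before = invalid_objects(objects)
    after = reassign(objects[1], {"TenantA"}, objects)   # objects[1] is the catalog
    return before, after


if __name__ == "__main__":
    before, after = scenario()
    print("before:", before)
    print("after:", after)
```

The audit reports App-B as well as DG-B, although App-B is still consistent with its direct parent: the intersection of all ancestors' tenants is what an object can legitimately inherit, so a break anywhere above an object invalidates it.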

Configure custom access for administrators

After creating tenant scopes, configure custom access for respective administrators. For more information, see Configure custom access for an administrator. Citrix Cloud sends an invitation to those customer administrators you specified and adds them to the list. When they receive the email, they click Sign In to accept the invitation. When they log on to the Full Configuration management interface, they see resources that the assigned role and scope pairs contain.

Configure custom access for tenant customers

Administrators with access to a tenant can manage only objects (for example, machine catalog, delivery group) that are associated with the tenant.

Configure custom access for an administrator

This feature lets you define access permissions of existing administrators or administrators you invite in a way that aligns with their role in your organization.

Changes you make to access permissions take 5 minutes to take effect. Logging out of the Full Configuration management interface and logging back on makes the changes take effect immediately. If administrators are still using the management interface after the changes take effect without having reconnected to it, a warning appears when they attempt to access items for which they no longer have permissions.

By default, when you invite administrators, they have Full access. Full access allows the administrator to manage all subscribed services and all Citrix Cloud operations (such as inviting more administrators). A Citrix Cloud deployment needs at least one administrator with Full access.

You can also grant custom access when you invite an administrator. Custom access allows the administrator to manage only the services and operations that you specify.

When you create a role or scope in Citrix DaaS, it appears in the custom access list and can be selected. When you select a role for an administrator, you can modify the scopes as needed to reflect the administrator’s role in your organization.

To configure custom access for an administrator:

  1. Sign in to Citrix Cloud. Select Identity and Access Management > Administrators in the upper left menu.
  2. Locate the administrator you want to manage, select the ellipsis menu, and select Edit access.

    Administrator menu with Edit Access highlighted

  3. Select Custom access.

    Edit access dialog with Custom Access highlighted

  4. Under DaaS, select or clear the check marks next to one or more roles. To modify the scopes associated with an assigned role, select Edit scopes.

    Edit access dialog with Edit Scopes highlighted

    By default, each selected role has all scopes selected, as noted by the All scopes label.

  5. To specify the scopes for a selected role, select Custom Scope and then add or remove the appropriate scopes. By default, all custom scopes are added to a role. To remove a scope, click the X icon on the scope.

    Edit access dialog with X icons highlighted

    Scopes that have been removed and are available to add to the role appear in a list below the scopes that are already added. To add a scope to the role, select the plus icon for the scope.

    Edit access dialog with plus icons highlighted

  6. When you’re finished selecting scopes, select Apply.

  7. Select Save to save the selected roles for the administrator.

Differences from on-premises Citrix Virtual Apps and Desktops

If you’re familiar with delegated administration in the on-premises Citrix Virtual Apps and Desktops product, note that the Citrix DaaS version has several differences.

In Citrix Cloud:

  • Administrators are identified by their Citrix Cloud login, rather than their Active Directory account. You can create role/scope pairs for Active Directory individuals, but not groups.
  • Administrators are created, configured, and deleted in the Citrix Cloud console, rather than Citrix DaaS.
  • Role/scope pairs are assigned to administrators in the Citrix Cloud console, rather than Citrix DaaS.
  • Reports are not available. You can view administrator, role, and scope information in the service’s Manage > Full Configuration interface.
  • The custom access Cloud Administrator is similar to a Full Administrator in the on-premises version. Both have full management and monitoring permissions for the Citrix Virtual Apps and Desktops version being used.

    However, in Citrix DaaS, there is no named Full Administrator role. Do not equate “Full access” in Citrix Cloud with the “Full administrator” in on-premises Citrix Virtual Apps and Desktops. Full access in Citrix Cloud spans the platform-level domains, library, notifications, and resource locations, plus all subscribed services.

Differences from earlier Citrix DaaS releases

Before the release of the expanded custom access feature (September 2018), there were two custom access administrator roles: Full Administrator and Help Desk Administrator. When your deployment has delegated administration enabled (which is a platform setting), those roles are mapped automatically.

  • An administrator who was formerly configured as a custom access Virtual Apps and Desktops (or XenApp and XenDesktop) Service: Full Administrator is now a custom access Cloud Administrator.
  • An administrator who was formerly configured as a custom access Virtual Apps and Desktops (or XenApp and XenDesktop) Service: Help Desk Administrator is now a custom access Help Desk Administrator.

More information

See Delegated administration and monitoring for information about administrators, roles, and scopes used in the service’s Monitor console.