Citrix Virtual Apps and Desktops

Delegated administration

Note:

You can manage your Citrix Virtual Apps and Desktops deployment using two management consoles: Web Studio (web-based) and Citrix Studio (Windows-based). This article covers only Web Studio. For information about Citrix Studio, see the equivalent article in Citrix Virtual Apps and Desktops 7 2212 or earlier.

The delegated administration model offers the flexibility to match how your organization wants to delegate administration activities, using role and object-based control. Delegated administration accommodates deployments of all sizes, and allows you to configure more permission granularity as your deployment grows in complexity. Delegated administration uses three concepts: administrators, roles, and scopes.

  • Administrators: An administrator represents a person or a group of people identified by their Active Directory account. Each administrator is associated with one or more role and scope pairs.

  • Roles: A role represents a job function, and has defined permissions associated with it. For example, the Delivery Group Administrator role has permissions such as ‘Create Delivery Group’ and ‘Remove Desktop from Delivery Group.’ An administrator can have multiple roles for a site, so a person can be a Delivery Group Administrator and a Machine Catalog Administrator. Roles can be built-in or custom.

    The built-in roles are:

    Role Permissions
    Full Administrator Can perform all tasks and operations. A Full Administrator is always combined with the All scope.
    Read Only Administrator Can see all objects in specified scopes in addition to global information, but cannot change anything. For example, a Read Only Administrator with Scope=London can see all global objects (such as Configuration Logging) and any London-scoped objects (for example, London Delivery Groups). However, that administrator cannot see objects in the New York scope (assuming that the London and New York scopes do not overlap).
    Help Desk Administrator Can view Delivery Groups, and manage the sessions and machines associated with those groups. Can see the Machine Catalog and host information for the Delivery Groups being monitored. Can also perform session management and machine power management operations for the machines in those Delivery Groups.
    Machine Catalog Administrator Can create and manage Machine Catalogs and provision the machines into them. Can build Machine Catalogs from the virtualization infrastructure, Provisioning Services, and physical machines. This role can manage base images and install software, but cannot assign applications or desktops to users.
    Delivery Group Administrator Can deliver applications, desktops, and machines; can also manage the associated sessions. Can also manage application and desktop configurations such as policies and power management settings.
    Host Administrator Can manage host connections and their associated resource settings. Cannot deliver machines, applications, or desktops to users.

    In certain product editions, you can create custom roles to match the requirements of your organization and delegate permissions with more detail. You can use custom roles to allocate permissions at the granularity of an action or task in a console.

  • Scopes: A scope represents a collection of objects. Scopes are used to group objects in a way that is relevant to your organization (for example, the set of Delivery Groups used by the Sales team). Objects can be in more than one scope; you can think of objects being labeled with one or more scopes. There is one built-in scope: ‘All,’ which contains all objects. The Full Administrator role is always paired with the All scope.

Example

Company XYZ decided to manage applications and desktops based on their department (Accounts, Sales, and Warehouse) and their desktop operating system (Windows 7 or Windows 8). The administrator created five scopes and then labeled each Delivery Group with two scopes: one for the department where they are used and one for the operating system they use.

The following administrators were created:

Administrator Roles Scopes
domain/fred Full Administrator All (the Full Administrator role always has the All scope)
domain/rob Read Only Administrator All
domain/heidi Read Only Administrator, Help Desk Administrator All Sales
domain/warehouseadmin Help Desk Administrator Warehouse
domain/peter Delivery Group Administrator, Machine Catalog Administrator Win7
  • Fred is a Full Administrator and can view, edit, and delete all objects in the system.
  • Rob can view all objects in the site but cannot edit or delete them.
  • Heidi can view all objects and can perform help desk tasks on Delivery Groups in the Sales scope. This allows her to manage the sessions and machines associated with those groups; she cannot make changes to the Delivery Group, such as adding or removing machines.
  • Anyone who is a member of the warehouseadmin Active Directory security group can view and perform help desk tasks on machines in the Warehouse scope.
  • Peter is a Windows 7 specialist and can manage all Windows 7 Machine Catalogs and can deliver Windows 7 applications, desktops, and machines, regardless of which department scope they are in. The administrator considered making Peter a Full Administrator for the Win7 scope. However, she decided against this, because a Full Administrator also has full rights over all objects that are not scoped, such as ‘Site’ and ‘Administrator.’

How to use delegated administration

Generally, the number of administrators and the granularity of their permissions depends on the size and complexity of the deployment.

  • In small or proof-of-concept deployments, one or a few administrators do everything. There is no delegation. In this case, create each administrator with the built-in Full Administrator role, which has the All scope.
  • In larger deployments with more machines, applications, and desktops, more delegation is needed. Several administrators might have more specific functional responsibilities (roles). For example, two are Full Administrators, and others are Help Desk Administrators. Also, an administrator might manage only certain groups of objects (scopes), such as machine catalogs. In this case, create new scopes, plus administrators with one of the built-in roles and the appropriate scopes.
  • Even larger deployments might require more (or more specific) scopes, plus different administrators with unconventional roles. In this case, edit or create more scopes, create custom roles, and create each administrator with a built-in or custom role, plus existing and new scopes.

For flexibility and ease of configuration, you can create scopes when you create an administrator. You can also specify scopes when creating or editing Machine Catalogs or connections.

Create and manage administrators

When you create a site as a local administrator, your user account automatically becomes a Full Administrator with full permissions over all objects. After a site is created, local administrators have no special privileges.

The Full Administrator role always has the All scope; you cannot change this.

By default, an administrator is enabled. Disabling an administrator might be necessary if you are creating the administrator now, but that person won’t start administration duties until later. For existing enabled administrators, you might want to disable several of them while you are reorganizing your object/scopes, then re-enable them when you are ready to go live with the updated configuration. You cannot disable a Full Administrator if it would result in there being no enabled Full Administrator. The enable/disable check box is available when you create, copy, or edit an administrator.

When you delete a role/scope pair while copying, editing, or deleting an administrator, it deletes only the relationship between the role and the scope for that administrator. It does not delete either the role or the scope. It also does not affect any other administrator who is configured with that role/scope pair.

To create and manage administrators, follow these steps:

  1. Sign in to Web Studio, click Administrators in the left pane, and then click the Administrators tab.

  2. Follow the instructions for the task you want to complete:

    • Create an administrator: Click Create Administrator in the action bar. Type or browse to the user account name, select or create a scope, and then select a role. The new administrator is enabled by default; you can change this.
    • Copy an administrator: Select the administrator and then click Copy Administrator in the action bar. Type or browse to the user account name. You can select and then edit or delete any of the role/scope pairs, and add new ones. The new administrator is enabled by default; you can change this.
    • Edit an administrator: Select the administrator and then click Edit Administrator in the action bar. You can edit or delete any of the role/scope pairs, and add new ones.
    • Delete an administrator: Select the administrator and then click Delete Administrator in the action bar. You cannot delete a Full Administrator if it would result in there being no enabled Full Administrator.

The upper pane displays the administrators that you created. Select an administrator to view its details in the lower pane. The Warnings column indicates whether the role and scope pairs associated with the administrator contain unusable roles or scopes. The following warning message appears if an associated role and scope pair contains unusable roles or scopes:

  • Associated role or scope not usable

Important:

A warning message appears only when an associated role and scope pair contains unusable roles or scopes or both.

To remove the role and scope pair from the administrator, complete one of the following steps:

  • Delete the role and scope pair.
    1. In the action bar, click Edit Administrator.
    2. In the Administrator Name and Details window, select the role and scope pair and then click Delete.
    3. Click Save to exit.
  • Delete the administrator.
    1. In the action bar, click Delete Administrator.
    2. In the confirmation window, Click Delete.

Create and manage roles

When administrators create or edit a role, they can enable only the permissions that they themselves have. This prevents administrators from creating a role with more permissions than they currently have and then assigning it to themselves (or editing a role that they are already assigned).

Role names can contain up to 64 Unicode characters; they cannot contain: backslash, forward slash, semicolon, colon, pound sign, comma, asterisk, question mark, equal sign, left or right arrow, pipe, left or right bracket, left or right parenthesis, quotation marks, or apostrophe. Descriptions can contain up to 256 Unicode characters.

You cannot edit or delete a built-in role. You cannot delete a custom role if any administrator is using it.

Note:

Only certain product editions support custom roles. Only editions that support custom roles have related entries in the action bar.

To create and manage roles, follow these steps:

  1. Sign in to Web Studio, click Administrators in the left pane, and then click the Roles tab.

  2. Follow the instructions for the task you want to complete:

    • View role details: Select the role. The lower pane lists the object types and associated permissions for the role. Click the Administrators tab in the lower pane to view a list of administrators who currently have this role.
    • Create a custom role: Click Create Role in the action pane. Enter a name and description. Select the object types and permissions.
    • Copy a role: Select the role, and then click Copy Role in the action bar. Change the name, description, object types, and permissions, as needed.
    • Edit a custom role: Select the role, and then click Edit Role in the action bar. Change the name, description, object types, and permissions, as needed.
    • Delete a custom role: Select the role, and then click Delete Role in the action bar. When prompted, confirm the deletion.

Create and manage scopes

When you create a site, the only available scope is the ‘All’ scope, which cannot be deleted.

You can create scopes using the following procedure. You can also create scopes when you create an administrator; each administrator must be associated with at least one role and scope pair. When you are creating or editing desktops, machine catalogs, applications, or hosts, you can add them to an existing scope. If you do not add them to a scope, they remain part of the ‘All’ scope.

Site creation cannot be scoped, nor be delegated administration objects (scopes and roles). However, objects you cannot scope are included in the ‘All’ scope. (Full Administrators always have the All scope.) Machines, power actions, desktops, and sessions are not directly scoped. Administrators can be allocated permissions over these objects through the associated machine catalogs or delivery groups.

Rules for creating and managing scopes:

  • Scope names can contain up to 64 Unicode characters. Scope names cannot include: backslash, forward slash, semicolon, colon, pound sign, comma, asterisk, question mark, equal sign, left arrow, right arrow, pipe, left or right bracket, left or right parenthesis, quotation marks, or apostrophe.

  • Scope descriptions can contain up to 256 Unicode characters.

  • When you copy or edit a scope, keep in mind that removing objects from the scope can make those objects inaccessible to the administrator. If the edited scope is paired with one or more roles, ensure that the scope updates do not make any role/scope pair unusable.

To create and manage scopes, follow these steps:

  1. Sign in to Web Studio, click Administrators in the left pane, and then click the Scopes tab.

  2. Follow the instructions for the task you want to complete:

    • Create a scope: Click Create new Scope in the action bar. Enter a name and description. To include all objects of a particular type (for example, Delivery Groups), select the object type. To include specific objects, expand the type and then select individual objects (for example, Delivery Groups used by the Sales team).
    • Copy a scope: Select the scope and then click Copy Scope in the actions bar. Enter a name and description. Change the object types and objects, as needed.
    • Edit a scope: Select the scope and then click Edit Scope in the action bar. Change the name, description, object types, and objects, as needed.
    • Delete a scope: Select the scope and then click Delete Scope in the action bar. When prompted, confirm the deletion.

Set up tenant management

Set up tenant management to create management partitions within a single Citrix Virtual Apps and Desktops site. Each tenant has segregated resources and configurations such as machine catalogs and delivery groups. Administrators with access to a specific tenant can manage only resources and configurations associated with that tenant. Example use cases include corporates with different business silos (independent divisions or separate IT management teams) in a single site.

At a high level, the workflow for setting up tenant management includes:

  1. Create tenants
  2. Add administrators for tenants

Create tenants

Create a tenant by creating a tenant scope. Detailed steps are as follows:

  1. Sign in to Web Studio, click Administrators in the left pane, and then click the Scopes tab.
  2. Click *Create Scope** to start tenant creation.
  3. Enter the following details for the tenant scope:
    1. Type a descriptive name for the scope. This name also serves as the tenant’s identifier.
    2. (Optional) Enter a brief description.
    3. Select Tenant scope.
    4. If necessary, select the objects associated with the tenant. You can also add objects to tenant scopes when creating or managing objects.
    5. Click OK to complete the creation.

After completion, you can see:

  • The new tenant scope record appears in the Scope list, identified as a Tenant in the Type column.
  • The scope name is shown in the All Tenants dropdown list located in the top right corner of Web Studio.

When working with a tenant scope, keep these considerations in mind:

  • The tenant property follows a hierarchical assignment order: Hosting > Machine Catalogs > Delivery Groups > Applications. Lower-level objects inherit the tenant property from higher-level objects. For example, when selecting a delivery group for a tenant scope, ensure that you also select the associated hosting and machine catalog. Otherwise, the delivery group cannot inherit the tenant’s property.
  • After creating a tenant scope, you can edit tenant assignments by modifying objects. When a tenant assignment is changed, it is still subject to the constraint that it must be assigned to the same tenants or to a subset of those tenants. However, lower-level objects are not reevaluated when tenant assignments change. Make sure that objects are properly restricted when you change tenant assignments. For example, if a machine catalog is available for TenantA and TenantB, you can create a delivery group for TenantA and one for TenantB. (TenantA and TenantB are both associated with that machine catalog.) You can then change the machine catalog to be associated only with TenantA. As a result, the delivery group associated with TenantB becomes invalid.

Add administrators for tenants

Add administrators for a tenant by assigning user accounts with administrator roles and tenants.

To add an administrator for a tenant, follow these steps:

  1. Sign in to Web Studio, click Administrators in the left pane, and then click the Administrators tab.
  2. Click Add Administrator, and follow these steps to complete:
    1. Type or browse to the user account name and click Next.
    2. Select Custom access and then select one or more roles (for example, Machine Catalog Administrator) as necessary.
    3. Click Edit scopes next to each role, change the scope from All to the desired tenant scope, and then click Save.
  3. Click Next.
  4. On the Review and confirm page, click Send invitation.

Create reports

You can create two types of delegated administration reports:

  • An HTML report that lists the role/scope pairs associated with an administrator, plus the individual permissions for each type of object (for example, delivery groups and machine catalogs). You generate this report from Web Studio.

    To create this report, follow these steps:

    1. Sign in to Web Studio, click Administrators in the left pane
    2. Select an administrator and then click Create Report in the action bar.

    You can also request this report when creating, copying, or editing an administrator.

  • An HTML or CSV report that maps all built-in and custom roles to permissions. You generate this report by running a PowerShell script named OutputPermissionMapping.ps1.

    To run this script, you must be a Full Administrator, a Read Only Administrator, or a custom administrator with permission to read roles. The script is located in: Program Files\Citrix\DelegatedAdmin\SnapIn\Citrix.DelegatedAdmin.Admin.V1\Scripts.

    Syntax:

    OutputPermissionMapping.ps1 [-Help] [-Csv] [-Path string] [-AdminAddress string] [-Show] [CommonParameters]

    Parameter Description
    -Help Displays script help.
    -Csv Specifies CSV output. Default = HTML
    -Path string Where to write the output. Default = stdout
    -AdminAddress string IP address or host name of the Delivery Controller to connect to. Default = localhost
    -Show (Valid only when the -Path parameter is also specified) When you write the output to a file, -Show causes the output to be opened in an appropriate program, such as a web browser.
    CommonParameters Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, and OutVariable. For details, see the Microsoft documentation.

The following example writes an HTML table to a file named Roles.html and opens the table in a web browser.

& "$env:ProgramFiles\Citrix\DelegatedAdmin\SnapIn\
Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1"
-Path Roles.html –Show
<!--NeedCopy-->

The following example writes a CSV table to a file named Roles.csv. The table is not displayed.

& "$env:ProgramFiles\Citrix\DelegatedAdmin\SnapIn\
Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1"
–CSV -Path Roles.csv
<!--NeedCopy-->

From a Windows command prompt, the preceding example command is:

powershell -command "& '%ProgramFiles%\Citrix\DelegatedAdmin\SnapIn\
Citrix.DelegatedAdmin.Admin.V1\Scripts\OutputPermissionMapping.ps1'
-CSV -Path Roles.csv"
<!--NeedCopy-->
Delegated administration