Delegate administrator permissions
By assigning specific security management permissions to an administrator's user account,
you can delegate various security management activities to that administrator. For example, you
could set up one administrator who would only have the ability to reset passwords for users, another
who could lock and unlock users, and a third who could create users and associate them to user
groups and assign them role templates.
For more information about entity groups, see Security context points). If there are child groups under a parent group, the administrator can delegate an administrator for each child group as well.
Administrators do not have to be members of groups for which they perform administrative tasks. By default, only the Super Administrator has Read and Write access to objects in the system. Delegating administration responsibilities to a user on a security domain, does not automatically grant Read and Write access to objects under the corresponding entity.
Important:
- You can only assign those permissions that you have to other administrators.
- If you disassociate an administrator from a security domain or organizational group, all user management privileges (such as manage users, lock/unlock users, reset passwords, enable/disable users, assign roles) are retained by that administrator and are not revoked.
Example
You want to designate Mary Smith as an administrator who can reset passwords for any users. You would assign the Reset Password permission to Mary Smith.
Note:
- When administrator permissions are assigned to a user, the name of that user is no longer displayed in the user selector list. To modify permissions for an administrator, see Modifying administrator permissions.
- Security domain groups are not displayed in the User/Group selector list.
Note: Administrators with Settings application permission can configure the
behavior of some user-provisioning functions. For more information, see User provisioning settings.