May, 2013 Delegated Administration Project Excalibur Miho Hoshino, WW Support Readiness


May, 2013

Delegated Administration: Project Excalibur

Miho Hoshino, WW Support Readiness


© 2013 Citrix | Confidential – Do Not Distribute

Delegated administration in XenDesktop 5.x

• There are five types of built-in administrator:
  ᵒ Full Administrator
    • Has full administration roles
  ᵒ Machine Administrator
    • Owns the catalogs
  ᵒ Assignment Administrator
    • Can assign desktops to users
  ᵒ Read-only Administrator
    • Can see all aspects of the XenDesktop site
  ᵒ Help desk Administrator
    • Can perform day-to-day monitoring and maintenance tasks

• No granular control over permissions


Delegated administration in Excalibur

• Provides an enterprise-class administration model and granular permission configuration

• Uses role and object-based control


Delegated administration in Excalibur

[Diagram: scopes, roles and administrators]

• Roles: Full Administrator, Read Only Administrator, Help Desk Administrator, Machine Catalog Administrator, Delivery Group Administrator, Host Administrator, Custom
• Scopes shown in the example: All, Win7, Sales
• Roles shown in the example: Full Admin, Help Desk, Machine Catalog, Delivery Group
• Objects can be in more than one scope
• An administrator is associated with one or more role and scope pairs
• A role has defined permissions


How to create new administrator

• Click Create Administrator
• Type the name of the administrator user account or browse to it
• Select a scope or create a new one
• Select a role or create a new one
• Click Finish to enable the new administrator


Creating a new scope


Creating a new role


Tips: Assigning multiple role and scope pairs

Select and right-click an administrator

Select Edit Administrator

Click Add

Select a scope and a role


Resultant set of permissions (RSOP)


RSOP report


Delegated administration component interactions

[Diagram: component interactions on the DDC server. Labelled components: PowerShell, Desktop Studio and Director (calling cmdlets), Delegated Administration Service, Other Services, Admin, Config. Legend: SDK WCF/SOAP call, inter-service call, SQL DB access.]

Cmdlets that change data ask the Delegated Administration Service if the user has the proper permission to perform the operation


Delegated Administration Service

• Provides the core storage of delegated administration configuration

• Inherits many of the standard service behaviours of a normal XenDesktop Service:
  ᵒ Initial database creation
  ᵒ Schema versioning and updates
  ᵒ Service status and registration with the Configuration Service
  ᵒ A PowerShell admin service
  ᵒ A number of PowerShell cmdlets for managing service lifecycle and registration
  ᵒ Support for an inter-service WCF interface
  ᵒ Support for logging configuration changes


Internal delegated administration objects

[Diagram: object model of the Delegated Administration Service. Labelled components: Desktop Studio, Director, Active Directory, XenDesktop Services. Labelled objects: Administrator, User/Group Account, Right, Role, Scope, Permission, Operation, Known Permission, Known Operation, Scoped Object, Indirectly Scoped Object, Unscoped Object. The connectors carry 1 and * multiplicities.]


Internal delegated administration objects: descriptions

• Administrator: Represents an individual person or a group of people identified by their Active Directory account
• Role: Represents a job function, and has defined permissions associated with it. Roles can be built-in or custom
• Scope: Represents a collection of objects
• Right: Rights determine what an administrator can do and where they can do it. They are expressed as a number of <role, scope> pairs associated with each administrator
• Permission: Represents a unit of functionality that an administrator can perform
• Operation: Operations are the indivisible unit of functionality
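The role, scope and right definitions above can be read as an evaluation rule: a permission applies to an object only when one of the administrator's <role, scope> pairs has that object in its scope. The following added sketch is not Citrix code; the permission names, object names and the administrators alice and bob are constructed, and the pairing rule is an assumption drawn from the definitions. It computes a resultant set of permissions under that rule and lists what an evaluator that pooled roles and scopes separately would over-grant.

```python
# Simplified model of the role/scope rights evaluation (illustrative, not
# Citrix code). Role and scope names follow the slides; permission and
# object names are constructed for this sketch.
ROLES = {  # role -> permissions it grants
    "Full Admin": {"view", "edit_catalog", "edit_group", "reset_session"},
    "Help Desk": {"view", "reset_session"},
    "Machine Catalog": {"view", "edit_catalog"},
}
SCOPES = {  # scope -> objects; an object can be in more than one scope
    "Win7": {"catalog:Win7-Pool", "group:Win7-Sales"},
    "Sales": {"group:Win7-Sales", "group:XP-Sales"},
}
SCOPES["All"] = set().union(*SCOPES.values()) | {"catalog:Server-Pool"}
RIGHTS = {  # administrator -> (role, scope) pairs
    "alice": [("Help Desk", "Sales"), ("Machine Catalog", "Win7")],
    "bob": [("Full Admin", "All")],
}

def effective_permissions(admin, obj):
    """Union of the permissions of every pair whose scope contains obj."""
    perms = set()
    for role, scope in RIGHTS.get(admin, []):
        if obj in SCOPES[scope]:
            perms |= ROLES[role]
    return perms

def is_allowed(admin, permission, obj):
    """Deny by default: some (role, scope) pair must grant it on obj."""
    return permission in effective_permissions(admin, obj)

def rsop(admin):
    """Resultant set of permissions: object -> sorted permissions."""
    report = {}
    for obj in sorted(SCOPES["All"]):
        perms = effective_permissions(admin, obj)
        if perms:
            report[obj] = sorted(perms)
    return report

def flattening_overgrant(admin):
    """(object, permission) grants a buggy evaluator would add by pooling
    all of an admin's roles and all of their scopes instead of pairing."""
    pairs = RIGHTS.get(admin, [])
    roles = set().union(*(ROLES[r] for r, _ in pairs))
    objs = set().union(*(SCOPES[s] for _, s in pairs))
    return {(o, p) for o in objs for p in roles
            if p not in effective_permissions(admin, o)}

if __name__ == "__main__":
    for obj, perms in rsop("alice").items():
        print(obj, perms)
    print(sorted(flattening_overgrant("alice")))
```

The object that sits in both scopes (group:Win7-Sales) receives the union of both roles, which is the case to review first when an administrator holds several pairs.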


PowerShell cmdlets for delegated administration

• Scope/Role/Permission/PermissionGroup/Administrator/Right cmdlets

• Get-AdminRevision

• Get-AdminEffectiveRight

• Get-AdminEffectiveAdministrator

• Test-AdminAccess

• Import-AdminRoleConfiguration

• Get-AdminRoleConfiguration


Tracing delegated administration

XenDesktop 5.x Excalibur

• DelegatedAdminDAL
• DelegatedAdminFiltering
• DelegatedAdminLog
• DelegatedAdminLogging
• DelegatedAdminSnapIn
