In delegated administration, we distinguish between overall user administrators and delegated user administrators:
Overall User Administrators can add, modify, and delete users of all companies. They can create delegated user administrators and assign them appropriate roles and permissions. In addition, the following tasks can only be performed by an overall user administrator:
Role management with permissions to assign all roles to all users and groups
Import and export of user data
User management engine (UME) configuration
Consistency check and repair tools
In the portal, overall user administrators are all administrators who are assigned to the Super Administration or User Administration role. In all other cases, overall user administrators must belong to a role to which the Manage_All action is assigned.
Delegated User Administrators can add, modify, and delete users that belong to the same company as the delegated user administrator. When they search for users, only users in their company are displayed. They cannot perform any actions involving groups.
In the portal, delegated user administrators can only assign roles to their company users. They cannot assign roles to groups. They can only assign portal roles for which they have the Role Assigner permission. They do not need to have any Administrator or End User permissions for the role.
For more information about the Role Assigner permission, see the portal documentation.
In the portal, delegated user administrators are all administrators who are assigned to the Delegated User Admin role. In all other cases, delegated user administrators must belong to a role to which the Manage_Users action is assigned.
You can also create a delegated password administrator by assigning the action Manage_User_Passwords.
Do not assign the Manage_Roles action to a delegated user administrator. This action allows users to assign roles using the UME Web-based tool. Because the Web-based tool does not check for the Role Assigner portal permission, users who have the Manage_Roles action can assign themselves any role. For example, a delegated user administrator could assign himself or herself the Administrator role and would then have full administrator authorizations.
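The following audit check is an added example, not SAP code: it flags delegated user or password administrators whose effective actions include Manage_Roles, whether the action arrives through a directly assigned role or through a group. The dictionary layout, the role, user and group names, and the assumption that group members inherit the group's roles are constructed for illustration and are not a UME export format.

```python
MANAGE_ALL = "Manage_All"
MANAGE_ROLES = "Manage_Roles"
# Actions that make a user a delegated user or password administrator.
DELEGATED = {"Manage_Users", "Manage_User_Passwords"}

def roles_of(user, users, groups):
    """Roles held directly plus roles inherited from group membership (assumed)."""
    roles = set(users[user]["roles"])
    for group in groups.values():
        if user in group["members"]:
            roles.update(group["roles"])
    return roles

def find_escalation_risks(users, groups, role_actions):
    """Return (user, company, offending_roles) for every delegated
    administrator whose effective actions include Manage_Roles."""
    findings = []
    for user in sorted(users):
        roles = roles_of(user, users, groups)
        actions = set().union(*(role_actions.get(r, set()) for r in roles))
        if MANAGE_ALL in actions:
            continue  # overall user administrator: role management is expected
        if actions & DELEGATED and MANAGE_ROLES in actions:
            offending = sorted(r for r in roles
                               if MANAGE_ROLES in role_actions.get(r, set()))
            findings.append((user, users[user]["company"], offending))
    return findings

# Constructed sample data (hypothetical names).
ROLE_ACTIONS = {
    "overall_admin": {"Manage_All"},
    "company_admin": {"Manage_Users"},
    "pw_reset": {"Manage_User_Passwords"},
    "role_helper": {"Manage_Roles"},
}
USERS = {
    "alice": {"company": "ACME", "roles": ["overall_admin", "role_helper"]},
    "bob": {"company": "ACME", "roles": ["company_admin"]},
    "carol": {"company": "Globex", "roles": ["company_admin"]},
    "dave": {"company": "Globex", "roles": ["pw_reset", "role_helper"]},
}
# carol receives role_helper only through the group, not directly.
GROUPS = {"helpdesk": {"members": ["carol"], "roles": ["role_helper"]}}

if __name__ == "__main__":
    for user, company, roles in find_escalation_risks(USERS, GROUPS, ROLE_ACTIONS):
        print(f"{user} ({company}): Manage_Roles via {', '.join(roles)}")
```
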
Each user can belong to only one company. This means that each delegated user administrator also belongs to only one company and therefore cannot administer more than one company.
It is not possible to have a hierarchy of companies. As a result, you cannot have a hierarchy of user administrators.