Delegated Administration

Members of the Sundial Administrators group have a role that permits them the global ability to administrate all aspects of Sundial. Through delegated administration it is possible for Sundial administrators to distribute select administrative privileges to users or groups who are not members of the Administrators group. Such delegation of administrative privileges provides select users and groups a limited ability to administrate select aspects of Sundial.

When a user is granted one or more administrative privileges they are offered access to appropriate areas of the Administration Module based upon their administrative privilege(s). For example, if a user is able to administer a group, they are able to access the Group Administration Area of the Administrative Module.

Classes of Administrative Privileges That May Be Delegated

There are two classes of delegatable administrative priviliges:

• Object Creation Privileges: Delegated to select Sundial users, these privileges include the ability to create new users, groups, event types, target audiences, event sponsors, or site collections & sites.
• Object Administration Privileges: These privileges permit delegated users and groups the ability to fully manage select users, groups, event types, target audiences, event sponsors, or site collections & sites.

As with other privileges granted within Sundial, object creation and administration privileges delegated take effect when one of the following occur:

• the user next logs into Sundial or
• the Sundial permissions refresh period elapses. By default, permissions are refreshed every 15 minutes.

When a user with an object creation privilege creates a new object, they are provided object administration privileges on the created object.

Object Creation Privileges

Creation privileges may be delegated to individual Sundial users by members of the Sundial Administrators group.

How to Delegate Object Creation Privileges

To delegate one or more privileges to a user, do the following:

• Open Administrative Module > User Administration.
• Find the user to whom you wish to confer privileges and open their profile by click their name within the action list.
• On the Delegatable Administrative Privileges area of the Details tab, select the privileges you wish to grant the user.
• Click Save.

The Delegatable Administrative Privileges area within User Administration

Delegatable creation privileges permit their holder the ability to create a new object (e.g. user, security group, event type, etc.) and then administer this object. The creator of an object holds the "Administrator" role which provides them object administration privileges.

Object Administration Privileges

The ability to administrate a given object may be delegated to security groups by a Sundial administrator or user with the Administrator role for that object. A security group is said to possess object administration privileges for an entity if they have been given the administrator role or the administrate privilege.

Object administration privileges permit a security group to do as follows for a given object:

• add security groups and assign these groups privileges
• modify the privileges of existing security groups
• remove security groups and their privileges
• edit the object's properties & behaviors (e.g. rename the object)
• modify the object's relationships with other objects
• delete the object

An object's Administrator can manage the object until such time as a Sundial administrator or another user who holds object administration privileges for a given entity revokes the creator's object administration privileges.

How to Delegate Object Administration Privileges

To delegate object administration privileges to a security group, do the following:

• Open the appropriate object management tool of the Administrative Module.
• Open the object manager for which you wish to delegate administrative privileges.
• On the appropriate object manager screen (see chart below), find the security group to which you wish to delegate administrative privileges within that screen's action list.
  
  

  Object	Screen
  Groups	Members
  Audiences	Affiliates
  Types	Groups
  Sponsors	Groups
  Sites	Groups

• Click the "Administrator" role or "Administrative" privilege checkbox for that security group.
• Click Save Selected in the actions list.

Chucky's Group has been delegated object administration prvileges

Implications of Delegated Administrative Privileges

Through the delegation of administrative privileges, it is possible to create a calendar system within a calendar system.

Say a Sundial administrator were to create a new user account for a person, Ms. Local Administrator, and granted her all available object creation privileges. With these delegated administrative privileges, Ms. Local Administrator, could establish a virtual calendar system of users, groups, event types, target audiences, site collections, and event sponsors. Assuming the users of this virtual calendar system were not members of groups outside those created by Ms. Local Administrator, this virtual calendar system could essentially operate independently of the larger calendar system.

Until such time as one of the following occurred, the objects within Ms. Local Administrator's virtual calendar system would be independent of the larger calendar system:

• Ms. Local Administrator or one of her users were given membership within a security group outside of the virtual calendar system.
• An object within Ms. Local Administrator's virtual calendar system entered into a relationship within an object external to her system.