
Organizational Units and Delegated Administration

Introduction

When BlueMind handles a large population or has users over multiple sites, you might want to appoint administrators with delegated rights over a sub-segment of this population.

To facilitate this, BlueMind integrates a delegated administration functionality. It allows you to grant limited administration rights to administrators (who become delegated administrators). Delegated administration rights can be given to specific users selected according to certain criteria (job type, industry, geographical area, etc.).

This can be useful, for instance, for members of a regional branch: the main domain administrator appoints a delegated administrator for each branch's users. This delegated administrator will be able to manage users' access to applications and features (such as linked attachments), adjust mail quotas, fill in directory information cards, perform maintenance operations, etc.

Organizational units

You can create organizational structures to enable different levels of delegated administration.

For instance, you can set up delegations:

By geographic area:

  • Root
    • Americas
      • Americas/North
        • Americas/North/Canada
        • Americas/North/Alaska
      • Americas/Pacific
        • Americas/Pacific/Hawaii
    • Europe
      • Europe/France
      • Europe/Italy
      • Europe/UK
        • Europe/UK/England
        • Europe/UK/Scotland

By company hierarchy:

  • Root
    • IT
      • IT/Technical
      • IT/Support
    • Administration
      • Administration/Managers
      • Administration/Assistants
      • Administration/Commerce
        • Administration/Commerce/Sales
        • Administration/Commerce/Marketing
    • Production
      • Production/Management
      • Production/Technical

In both examples, administrators and target populations can be defined for each delegation level, individually or in groups.

Root

The "Root" unit is the parent of all other units: it is the BlueMind domain. It cannot be deleted, and it enables you to grant permissions for the whole domain. All users belong to this organizational unit by default.

The Root unit holds additional rights relative to other delegations, covering data that cannot be divided and applies to the whole domain: system configuration, server management, applications to assign to users, etc. Another consequence: child organizational units depend on the domain, so roles can only be assigned within the user's domain.

Access to administration console

The "Admin Console" right is granted on the Root unit and must be enabled for any user to whom you want to grant rights over an organizational unit. It is not enabled automatically.

Managing organizational units

Interface

The organizational units interface shows existing units as well as related resources and roles:

OU Interface

Note: "Organizational Units" is the root unit. It cannot be deleted (see above).

  • Related resources: this tab shows the resources the selected unit has been assigned to (see below)
    OU Resources tab
  • Associated Roles: this tab shows the users or groups to whom the selected organizational unit has been assigned (see below). Clicking on a user or group allows you to see the roles assigned to them in the unit:
    Roles tab of an OU

Creating

  • Click on the "Create an organizational unit" button to access the unit creation window:
    OU creation dialog box
  • Enter a name and, if appropriate, a parent unit to create a new branch.
  • Click on "Validate" to create the organizational unit

Renaming

  • Select the unit in the list
  • Click on the "Rename an organizational unit" button at the top of the list
  • Modify the name in the dialog box:
    OU renaming dialog box
  • Click "Validate" to confirm the changes and close the dialog box

Deleting

  • Select the desired unit(s) by ticking the corresponding box in the tree structure.
  • Click "Delete" at the top of the list
  • Validate the deletion:
    OU deletion dialog box

Assigning a delegation to a member

Naming

In the interface, organizational units are also called "delegations".

By default, a user is always a member of the Root organizational unit. For a user to be a member of a child organizational unit, go to the user's administration page:

  • In the General tab, complete the "Member of delegation" box using autocomplete, which lists existing units
  • Save to confirm the changes

Number of possible delegations

A user can be a member of one delegation only.

Delegating administration rights

Management rules

Inheritance and limitations

An administrator can only delegate the rights that he himself possesses, except for access to applications or certain features. For example, even if he does not have a mailbox himself, an administrator can activate "Email and Contacts" for users under his management; likewise, he can authorize them to create external identities or forward messages even if he does not have those rights himself. On the other hand, he cannot delegate the right to manage users if he can't manage them himself.

Belonging to a delegation

An administrator does not need to be a member of an organizational unit to administer it. On the other hand, he can only receive rights to organizational units within his domain.

Delegate to a user

To assign administrative rights to a user, go to the General tab of the user's administration. Management is then carried out in the "Roles" section of the tab:

The interface is laid out as follows:
Roles Interface

  • Top: the rights assigned to the user for each organizational unit – as text
  • Left (gray background): the list of assigned organizational units.
  • Right: rights corresponding to the unit currently selected in the list. Grayed-out rights are rights inherited from a parent unit or a group, and cannot be deleted for this unit alone.

What are roles, and what does each of them do?

For more details on roles, go to the page on: Roles: Access and Administration Rights.

To add administration rights for an organizational unit that isn't included in the list:

  1. Click in the right-hand corner of the Roles section and search for the Organizational Unit using autocomplete
  2. Select the unit and validate
  3. The Organizational Unit is added to the list of delegations
  4. Check the rights as appropriate (they are gradually added to the list)
  5. If the role requires access to the admin console:
     • click Root
     • in the right part, check the role "Administration Console". For more information, see the tip box at the top of the page.
  6. Save to confirm the changes

Delegating to a group

To assign rights to a group of users, go to the group's page > Roles tab:

Managing roles is then done in the same way as for users - see the previous chapter.

Once roles have been defined for the given delegation(s), all users belonging to the group will benefit from them.

Inheritance

In individual users' pages, the roles they are assigned via a group are checked and grayed out – they cannot be unchecked individually. Users who belong to a group automatically enjoy all the rights assigned to that group.
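The inheritance and delegation rules described above can be modelled to audit who effectively administers which unit. The following is an added example, not BlueMind code: the role labels, the principals and the grant data are constructed for illustration, and the unit paths follow the geographic example earlier on this page.

```python
# Constructed model for auditing delegations; not BlueMind code.
# Unit paths follow the page's geographic example; role labels are hypothetical.
ROOT = ""  # the Root unit (whole domain), parent of every other unit

# (principal, unit) -> roles granted directly on that unit (constructed data)
GRANTS = {
    ("user:alice", ROOT): {"admin_console"},
    ("user:alice", "Europe"): {"manage_users", "manage_quota"},
    ("group:uk-helpdesk", "Europe/UK"): {"manage_quota"},
    ("user:bob", "Europe/UK/Scotland"): {"manage_users"},
}
GROUPS = {"group:uk-helpdesk": {"user:bob", "user:carol"}}
# Application/feature access can be granted without holding it (hypothetical label)
EXEMPT = {"app_mail"}


def ancestors(unit):
    """Yield the unit itself, then each parent unit, ending with Root."""
    parts = unit.split("/") if unit else []
    for i in range(len(parts), -1, -1):
        yield "/".join(parts[:i])


def effective_roles(user, unit):
    """Roles held on a unit: granted directly or via a group, on it or a parent."""
    principals = {user} | {g for g, members in GROUPS.items() if user in members}
    roles = set()
    for u in ancestors(unit):
        for p in principals:
            roles |= GRANTS.get((p, u), set())
    return roles


def can_delegate(admin, unit, role):
    """An administrator can pass on only roles he holds, except exempt ones."""
    return role in EXEMPT or role in effective_roles(admin, unit)


def missing_console():
    """Users with delegated roles who lack the console right on Root."""
    users = set()
    for principal, _unit in GRANTS:
        users |= GROUPS.get(principal, {principal})
    return sorted(u for u in users if "admin_console" not in effective_roles(u, ROOT))
```

Running missing_console() over an export of real assignments lists delegated administrators whose roles are unusable because the console right was never checked on Root, and effective_roles() shows rights a user holds on a unit only through a parent unit or a group.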

Find out more

For more details on roles, go to the page on: Roles: Access and Administration Rights.