Wilco van Bragt - LinkeIn Wilco van Bragt - Twitter rssa 

Delegation of Control within the CMC

Introduction

In the bigger companies IT tasks are often divided between several departments or persons. For example you have a helpdesk department, department for workstations/front-end and a department for the back-end infrastructure. Often there is also a segmentation based on the specialty. For example a group for UNIX based platform, Windows based platform, Network infrastructure (routers, switches), legacy systems and etcetera.

The Citrix Presentation server environment is often difficult to place into this deviation of IT tasks. Strictly seen the Citrix servers can be seen as a front end environment, because users are directly working on these servers. But as I also called them servers, they could also be counted as back-end infrastructure. Additional the maintenance and management tasks for the Citrix servers are pretty complex in comparison with a normal fat client. On the other hand there are also couples of tasks which are to easy to carried out by the back-end department.




In other words lots of companies are dividing the system administration of the Citrix servers between several departments. Of course the proprietor (often the Backend group) would like to control the actions that can be carried out by the other departments.  In this article I'm going to describe how this control can be accomplished by using the delegation model within the Citrix Management Console.

Improvement in Citrix Presentation Server 4

Before explaining how to accomplish delegation of control within the Citrix Management Console I need to mention first that Citrix made a big improvement within in this console. In earlier versions always all options are visible even the involved users did not have the rights to use that option. In the past this was sometimes confusing or department were demanding more rights because they saw all the options. With Citrix Presentation Server 4 only the assigned options will be shown to the user.

Citrix Administrators

First of all you need to add the users/groups you would like to assign some administration tasks into the Citrix Management Console. Right Click the option Metaframe Administrators in the left plane and choose the option Add Metaframe Administrator. Select the groups you would to add the Citrix Management Console out of the Active Directory, followed by (optional) filling in contact information. This information will be used within Resource Manager to send (if defined) alerts and warnings.

Image
Figure 1: Adding groups to the Metaframe Administrators

The last step is to assign permission to the added groups. There are three options available:

  • View Only

Selecting this option the added groups can view all configuration parts within the Citrix Management Console, but can not change anything.

  • Full Administration

As the name already explains selecting this option makes the selected user or group all the administrator rights available within the Citrix Management Console.

  • Custom

With this option you can exactly specify the options and rights the user group will be assigned.

Although we would like to assign custom rights we now specify view only. We will specify the custom rights later on this article.

Assigning Permissions

The added users/groups are now available within the Citrix Management Console. From now on you can right click the user/group in the right pane and change the properties.

Because we just added all the groups as view only we first should change the Privilege type to custom before we can specify the permissions.

Just click on within the properties screen the option privilege type and change this to Custom. Now the permissions part is changeable to your needs. For every item in the left pane of the Citrix Management Console permission can be granted. When no permissions are assigned this automatically means the account has no rights for that part (the checkbox is cleared).

OK, let's start configuring permission to manage the Citrix Farm.

First let's take a look at the Metaframe Administrator Part. The option Log on the Presentation Server console should be checked otherwise the employee can not use the Management Console at all. If you would like that the employees also can manage the Web Interface that option should be checked. The last option is that the employees can see who are defined as Metaframe Administrator and which rights are assigned to these groups or users. The advice is to uncheck this option (maybe in this way the user can add them to another group that has more rights in the CMC if rights are not correctly set in Active Directory).

For some parts in the Management Console have are only two options available for delegation of control:

  • Manage/Edit <Component>
  • View <Component>

Both options are pretty obvious. When selecting the view option, the employee can only view the configuration of that component. The Manage/Edit component makes it possible to make changes to the current configuration. These two options can be found by Installation Manager, Isolation Environments and Policies.

At the load evaluator both options are also available including one additional option. This option makes it possible that the employees can not change the load evaluators itself but are allowed to assign load evaluators to servers (this option is called Assign Load Evaluator).

With the latest versions of Presentation Server also the Access Suite console is available. To delegate control to this console rights can be assigned via monitoring and alerting component (options available are manage or view component).

Detailed Permissions

The other components available within the Management Console do have more options available to delegate control. I will now describe per component most of the options.

Farm Level

At Farm level three options are available:

  • View Farm Management

Gives the option to take a look at settings configured at Farm level

  • Edit Zone settings

With this option the employee can only change settings in the zone part (like change Data Collector preferences or change zone names)

  • Edit All other Farm settings

Assigning this permission gives the employee the availability to change all settings at Farm level except the zone settings.

Application level

At application level first of all you can grant permission to view Published Applications settings or the possibility to add and edit Published Applications. Secondly also some settings concerning Resource Manager can be configured here. Options are to create a metric on application level and edit current application metrics and the permissions to view the application metrics. The last part configures the options concerning sessions like (dis)connecting sessions, reset sessions, send messages, log off users and/or view the session information. Be careful this is configured on the Application level, so these options are available under the Application component in the left pane.

This does not mean these options are available within the servers' component. In is possible to sort published application in several folders. Per folder all settings can be configured differently. This can be useful in environment where Functional/Technical Application Managers are named. By dividing the application in folders you could give each Application Manager rights to take over the application which is assigned to his responsibilities. If you just divided the application in folders for the overview, you can simply copy the settings to all subfolders.

Printer Management

Within Printer Management options are divided in editing printer, printer drivers, all other printer settings, replicating printer drivers or just view all the settings.

Resource Management

Resource Management has a pretty detailed delegation of control. You can give all permissions by assigning the option Configure Resource Management. If your financial department is taking care of billing you could give them the permission to generate billing reports only. Also the options are available to give access to the report functionality, receive notifications and/or view resource manager configuration.

Image
Figure 2: Configuring delegation of control within the server component.

Servers

The last component within the Management Console has the most options available.

You can assign the permission to install or uninstall packages and/or permit to add applications to the servers. Both permissions are useful if you have a separate team that installs servers within your organization. Secondly you can assign right concerning resource manager settings on a server basis. For example editing the metrics values, view information and alerts (within the server view) and assigning Application Metrics to server.

Also all sessions options are available as described in the applications part, but then based on server level. Last but least there are several server options to manage the servers it selves. Remember that for some options the employee should also have enough right within the operating system to carry out these tasks. Options than can be assigned are Terminate Process, Move or Remove Servers, Edit SMTP settings, Edit License Server setting and/or Change all other server settings.

Like the application part these settings can be configured per folder within the server part. In this way you could separate the servers based on location so local support can provide their own servers only.

Conclusion

Via this article I have give you a brief overview which possibilities are available to delegate control within the Citrix Management Console. The most important step is to think which tasks should be carried out by the several employees/department and configure then the permissions in the Management Console with the available options.

Article previous published at MSTerminalServices.org.