Skip to content

Delegation

Overview

Delegation is the process of assigning tasks & roles to users in PPA.

These tasks & roles can be delegated to both:

  • Individual users (direct delegation)
  • Active Directory security groups (group delegation)

You can combine both direct & group delegations if you wish.

Direct Delegation

Tasks & roles can be directly delegated to any imported Active Directory users.

You cannot delegate anything to the built-in admin user, it is always able to access everything.

Pros

  • Allows very fine-grained control over who can do what
  • Does not require you to modify or create new security groups to work with PPA
  • Clearer delegation reporting in PPA

Cons

  • Static configuration (no dynamic updates or synchronisation)
  • Requires more manual effort to configure

Group Delegation

Tasks & roles can be delegated to any imported Active Directory groups.

This will assign the task or role to every imported user found in any of its delegated groups.

Auditing Memberships

For group delegation to work, PPA needs to know the group memberships of each imported user.

These group memberships are maintained in PPA's database by 2 events:

User Login

PPA audits a user's group memberships in Active Directory when they log in.

This means group delegations still work even if you don't use group synchronisation.

Group Synchronisation

PPA keeps track of which synchronised groups each imported user was found in.

These memberships are saved alongside those found by the user login event.

Pros

  • Very quick & easy to configure
  • Using group synchronisation dramatically reduces ongoing maintenance

Cons

  • Not as fine-grained as direct delegations
  • May require you to modify or create groups in Active Directory
  • Accidental membership changes in Active Directory can be mirrored in PPA