Administration to be delegated and scoped to different subsets (or Organisational Units)

Zebra offers flexible administration capabilities, including the ability to delegate and scope administration tasks to specific subsets of users. This functionality is particularly useful when integrating with LDAP, where users are often organised into different organisational units or groups based on organisation, role, location, etc. Scoped administration allows for more granular control over who can manage users and what aspects they can manage, enhancing security and operational efficiency.

Functional Capabilities

Zebra leverages a role-based access control (RBAC) system to implement delegated and scoped administration. Here's how it works:

• Roles and Permissions: Zebra allows you to define roles with specific permissions. These permissions determine the administrative actions a user with that role can perform.

• Assigning Roles to Users: You can assign users to specific roles within the Zebra administration console. A user's assigned role determines their administrative capabilities.

• Organisational Units: Zebra utilises units to represent hierarchical structures within your LDAP directory. These units can be used to define the scope of a user's administrative access.

• Scoped Permissions: By combining roles with unit assignments, you can grant delegated administration with specific scopes. For instance, a Team Manager role with permissions scoped to a specific unit within the LDAP structure would only have administrative control over users within that assigned unit.

Benefits of Delegated and Scoped Administration:

• Improved Security: Limiting administrative access to specific units minimises the potential impact of compromised accounts.

• Enhanced Efficiency: Team Managers can manage users relevant to their area of responsibility, streamlining user management tasks.

• Separation of Duties: The ability to delegate specific administrative tasks promotes separation of duties and reduces the risk of unauthorised access.

Implementation Steps

• Defining Scoped Roles: Start by defining custom roles in Zebra that correspond to the administrative scopes you wish to implement. For example, create roles for organisational administrators who should only manage users within their respective organisations.

• Mapping LDAP Groups to Zebra: When configuring LDAP federation, ensure that LDAP groups are mapped to Zebra groups.

• Assigning Scoped Roles to Administrators: Assign the custom scoped roles to administrators, restricting their management capabilities to only the users or groups they are responsible for. This assignment can be done directly or through group membership, depending on the desired approach.

Xaana’s Differentiation - Best Practices

• Regular Review of Scoped Roles: Xaana recommends periodically reviewing and updating the scoped roles and their permissions to ensure they remain aligned with organisational changes and security policies. This includes updating the mappings between LDAP groups and Zebra groups as necessary.

• Use of Client Scopes for Fine-Grained Access Control: In scenarios where administrators need to manage client-specific settings or roles, consider using client scopes in Zebra. Client scopes allow for the definition of permissions at the client level, providing an additional layer of granularity.

• Training and Documentation: Xaana will provide training and comprehensive documentation to scoped administrators to ensure they understand their roles and the extent of their permissions within Zebra.