Delegate administrator permissions

By assigning specific security management permissions to an administrator's user account, you can delegate various security management activities to that administrator. For example, you could set up one administrator who would only have the ability to reset passwords for users, another who could lock and unlock users, and a third who could create users and associate them to user groups and assign them role templates.

For more information about entity groups, see Security context points). If there are child groups under a parent group, the administrator can delegate an administrator for each child group as well.

Administrators do not need to be members of groups for which they perform administrative tasks. By default, only the Super Administrator has Read and Write access to objects in the system. Delegating administration responsibilities to a user on a security domain, does not automatically grant Read and Write access to objects under the corresponding entity.

Important:

You can assign to other administrators only the permissions that you have.
If you disassociate an administrator from a security domain or organizational group, all user management privileges (such as manage users, lock/unlock users, reset passwords, enable/disable users, assign roles) are retained by that administrator and are not revoked.

Example

You want to designate Mary Smith as an administrator who can reset passwords for any users. You would assign the Reset Password permission to Mary Smith.

Note:

When administrator permissions are assigned to a user, the name of that user is no longer displayed in the user selector list. To modify permissions for an administrator, see Assigning, modifying, and removing administrator permissions on groups.
Security domain groups are not displayed in the User/Group selector list.

Note: Administrators with Settings application permission can configure the behavior of some user-provisioning functions. For more information, see User provisioning settings.