Delegation of administration

## Delegation of administration in OBM-UI

In OBM-UI, you can delegate the administration of a number of entities to other users.
This delegation system applies to the following entities:

* Groups
* Users
* Hosts
* Resources (and groups of resources)
* Mailshares

The system allows you to define a __delegation__ attribute on the target entity that will define some kind of _administration group_ for the entity.
Then you define the __delegation of administration__ attribute on the user to whom you want to delegate the administration of that entity. This has the direct effect of making the entity manageable by domain administrators __AND__ this person.

> Note that the user who is granted the delegation rights must have a profile giving the `administration` right on the appropriate modules.

To decide whether the entity is manageable by a user, the delegation system looks at both the __delegation__ attribute on the entity and the __delegation of administration__ attribute on the person trying to manage it. The system applies a simple _string matching_ algorithm that works as follows:

* An empty _delegation of administration_ matches any value of _delegation_. This means this person can manage everything.
* A non-empty _delegation of administration_ matches if _delegation_ starts with it (technically speaking, this uses a _startsWith_-like matching method).

As a matter of fact, the common practice is to use a hierarchical syntax for delegations. You can use _X/Y/Z_ syntax for instance so that you can eventually limit the _delegation of administration_ to _X_, _X/Y_, etc.
As a concrete example is often worth a hundred lines of documentation, here's one:

* Let's assume you have an _admin_ user in your OBM domain. This user has an empty _delegation of administration_ attribute.
* You also have a _delegated_admin_service_ user that has a _delegation of administration_ set to __Company/Division/Service__.
* You also have a _delegated_admin_company_ user that has a _delegation of administration_ set to __Company__.
* You have a _MyService_ group with a _delegation_ attribute set to __Company/Division/Service__. This represents a service in your organization.
* You have a _MyDivision_ group with a _delegation_ attribute set to __Company/Division__. This actually represents a whole division in your organization.
* You have a _RestrictedAccessDivision_ group with an empty _delegation_ attribute.
* You have a _MyCompany_ group with a _delegation_ attribute set to __Company__. This represents your organization.

With this setup, here's what happens:

* _admin_ can manage _MyCompany_, _RestrictedAccessDivision_, _MyDivision_ and _MyService_. This is because _an empty delegation of administration matches everything_.
* _delegated_admin_service_ can only manage _MyService_. This is because _Company/Division/Service only matches Company/Division/Service_.
* _delegated_admin_company_ can manage _MyService_, _MyDivision_ and _MyCompany_ but not _RestrictedAccessDivision_. This is because _Company only matches Company/Division/Service, Company/Division and Company_.
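
The matching rule and the setup above, as an added Python sketch (not OBM's own code). It assumes the _startsWith_-like test is a plain string prefix comparison; under that assumption the hypothetical helper `prefix_collisions` flags delegation values that match by string prefix without being a path ancestor, which is worth auditing when you name delegations.

```python
# Added illustration of the rule described on this page; not taken from OBM.
# Assumption: the "startsWith-like" method is a plain string prefix test.

USERS = {  # user -> "delegation of administration" (values from the example)
    "admin": "",
    "delegated_admin_service": "Company/Division/Service",
    "delegated_admin_company": "Company",
}
GROUPS = {  # group -> "delegation" (values from the example)
    "MyService": "Company/Division/Service",
    "MyDivision": "Company/Division",
    "RestrictedAccessDivision": "",
    "MyCompany": "Company",
}


def can_manage(admin_delegation: str, entity_delegation: str) -> bool:
    """True if a delegation of administration covers an entity's delegation."""
    if admin_delegation == "":
        return True  # an empty delegation of administration matches everything
    # An entity with an empty delegation never starts with a non-empty value,
    # so it stays reserved to users with an empty delegation of administration.
    return entity_delegation.startswith(admin_delegation)


def manageable(user: str) -> list[str]:
    """Groups from GROUPS that the given user can manage, sorted by name."""
    scope = USERS[user]
    return sorted(g for g, d in GROUPS.items() if can_manage(scope, d))


def prefix_collisions(delegations: list[str]) -> list[tuple[str, str]]:
    """Hypothetical audit helper: pairs (a, b) where a is a string prefix of b
    but not an X/Y/Z ancestor of it, e.g. 'Company' and 'CompanyB/Sales'."""
    hits = []
    for a in delegations:
        for b in delegations:
            if a and a != b and b.startswith(a) and not b.startswith(a + "/"):
                hits.append((a, b))
    return hits


if __name__ == "__main__":
    for user in USERS:
        print(f"{user}: {manageable(user)}")
    # Constructed sample values, not from the page:
    print(prefix_collisions(["Company", "Company/Division", "CompanyB/Sales"]))
```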