If this document does not correspond to your current software version, you can go to Download Center to find other available document versions.

QNAP

QuTS hero h5.1.x

Download (PDF)

Delegated administration

Delegated Administration allows administrators to assign one or more pre-defined roles to non-administrator users or groups. With delegated roles, non-administrator users can help manage system resources and perform routine tasks, such as updating apps, monitoring CPU usage, and backing up important data. This reduces the workload of system administrators and provides better flexibility and efficiency for your organization.

Delegated roles and permission restrictions

Overview

Administrators assign one or more delegated roles to up to 32 local/domains users and 32 local/domain groups. Users have the privileges of the delegated roles that are assigned to them and their groups.

Users can see their assigned roles by hovering over their user name on the Desktop task bar.

Users with delegated roles can only access settings associated with their roles. For example, users assigned the Application Management and System Monitoring roles can only access App Center, Resource Monitor, and Desktop Dashboard, but have no access to other system settings.

Important:

To ensure system security and functionality, non-administrators with delegated roles have the following general restrictions.

  • Unable to manage the "administrators" group or its members

  • Unable to change their own account settings

  • Can only grant or change permissions that are within the scope of their own privileges.

    • For example, if a delegated users has read-only access to a shared folder, this user can only grant other users read-only permissions or deny them access to this shared folder.

  • May only have limited or no access to certain sensitive settings or functions when performing administrative tasks or when using applications and services, even with associated roles

Delegated Roles

For details on each delegated role and their respective restrictions, see the following table.

Delegated Role

Permissions

Restrictions

System Management

This role has the permissions of all delegated roles.

This role also has permission to use the following applications or services: QuLog Center, Notification Center, Network & Virtual Switch, Security Counselor, License Center, QuFTP Service, Malware Remover, Multimedia Console, Control Panel, Storage & Snapshots, and iSCSI & Fibre Channel.

Unable to access the following settings in Control Panel: Delegated Administration, System Restore, Telnet/SSH, and Recycle Bin

Application Management

This role has permission to manage apps in the App Center.

  • Unable to manually install apps or configure settings in the App Center

  • Unable to open apps that are only accessible to administrators

Access Management

This role has permission to configure security settings in Control Panel and to use QuFirewall.

-

System Monitoring

This role has permission to monitor the system in Resource Monitor and Desktop Dashboard.

-

User and Group Management

This role has permission to create, edit, and delete local users and groups. This role can also edit domain users and groups.

  • Unable to create a user or a group if the delegated user is not assigned the Shared Folder Management role

  • Unable to manage the shared folder access rights of users or groups if the delegated user is not assigned the Shared Folder Management role

Shared Folder Management

This role has permission to create, edit, and delete shared folders.

  • Unable to access the settings of Advanced Permissions or Folder Aggregation

  • Unable to create a shared folder if the delegated user is not assigned the User and Group Management role.

  • Unable to create a snapshot shared folder

Backup Management

This role has permission to use Hybrid Backup Sync and Hyper Data Protector.

In addition, this role also has the permissions of the Shared Folder Management role.

-

Backup Operation

This role has permission to help administrators monitor, manage, and execute backup tasks in Hybrid Backup Sync and Hyper Data Protector but cannot overwrite or delete existing backup data.

In addition, this role also has the permissions of the Shared Folder Management role.

-

Assigning delegated roles to users

Administrators can assign one or more delegated roles to non-administrator users and groups.

Important:

Assigning the System Management role grants the permissions of all other roles.

  1. Log in to QuTS hero as administrator.
  2. Go to Control Panel > Privilege > Delegated Administration.
  3. Select a delegated role from the role list.
  4. Select a user type or group type from the drop-down list.

    • Local users

    • Local groups

    • Domain users

    • Domain groups

  5. Select one or more users or groups to which you want to assign this delegated role.
    Tip:

    If you have numerous users or groups on the list, you can type a user name or group name in the search box to quickly find your target.

    In the Delegated Roles column, QuTS hero instantly displays the delegated role that you have assigned to the selected user or group. Note that you still need to apply changes, otherwise this delegation would not take effect.

  6. Optional: Assign additional delegated roles.
  7. Click Apply.

Removing delegated roles from users

Administrators can remove delegated roles from non-administrator users to withdraw their permissions. You can remove only one or more delegated roles.

Important:

Given that System Management role covers all other delegated roles, QuTS hero does not allow you to remove a smaller role from a user who has been assigned the System Management role. You should first remove the System Management role from this user and then adjust role assignment according to your needs.

  1. Log in to QuTS hero as administrator.
  2. Go to Control Panel > Privilege > Delegated Administration.
  3. Select a delegated role from the role list.
  4. Select a user type or group type from the drop-down list.

    • Local users

    • Local groups

    • Domain users

    • Domain groups

  5. Deselect one or more users or groups from which you want to remove this delegated role.
    Tip:

    If you have numerous users or groups on the list, you can type a user name or group name in the search box to quickly find your target.

    In the Delegated Roles column, QuTS hero instantly displays the delegated role that are currently assigned to the selected user or group. Note that you still need to apply changes, otherwise this delegation would not take effect.

  6. Optional: Remove more deleted roles from users or groups if needed.
  7. Click Apply.

Viewing user permissions

Permission Viewer displays a summary of current role assignments in Delegated Administration, allowing you to quickly understand which permissions have been granted to non-administrators.

Note:

If no delegated role has been assigned, Permission Viewer displays an empty list.

  1. Log in to QuTS hero as administrator.
  2. Go to Control Panel > Privilege > Delegated Administration.
  3. Click Permission Viewer.

    The Permission Viewer window appears.

  4. Select a viewing mode.

    Viewing Mode

    Description

    By users and groups

    This mode lists delegated roles assigned to each user and group.

    In this viewing mode, you can also choose to view all users and groups or only view a specific user/group type.

    By delegated roles

    This mode lists every user and group assigned to each delegated role.

Exporting a delegation list

You can back up your settings by exporting the current delegation settings in CSV format.

Tip:

In the exported CSV file, each row represents a user or group, and each column represents a delegated role. You can check the intersection of each row and column to understand each permission status. 1 indicates that the delegated role is assigned, and 0 indicates the delegated role is not assigned.

  1. Log in to QuTS hero as administrator.
  2. Go to Control Panel > Privilege > Delegated Administration.
  3. Click Permission Viewer.
  4. Click Export.

QuTS hero exports and downloads a CSV file to your computer. You can import this CSV file later to restore your settings.

Importing a delegation list

You can restore previous delegation settings by importing a valid CSV file.

Tip:

In a valid CSV file, each row represents a user or group, and each column represents a delegated role. You can check the intersection of each row and column to understand each permission status. 1 indicates that the delegated role is assigned, and 0 indicates the delegated role is not assigned.

  1. Log in to QuTS hero as administrator.
  2. Go to Control Panel > Privilege > Delegated Administration.
  3. Click Permission Viewer.
  4. Click Import.
  5. Click Browse.
  6. Select a CSV file to import.
  7. Click Import.

QuTS hero imports delegation settings from the selected CVS file and apply settings. If you do not see the new delegation settings, restart Control Panel and then check again.