Delegation of Control within the Citrix Management Console
In larger companies, IT tasks are often divided between several departments or persons. For example, you may have a helpdesk department, a department for workstations/front-end and a department for the back-end infrastructure. Often there is also segmentation based on specialty: for example, a group for UNIX based platforms, Windows based platforms, network infrastructure (routers, switches), legacy systems, etc.
The Citrix Presentation Server environment is often difficult to place into this division of IT tasks. Strictly speaking, the Citrix servers can be seen as a front-end environment, because users are working directly on these servers. But as we also call them servers, they could also be counted as back-end infrastructure. Additionally, the maintenance and management tasks for the Citrix servers are pretty complex in comparison with a normal fat client. On the other hand, there are also a couple of tasks that are too simple to be carried out by the back-end department.
In other words, lots of companies divide the system administration of the Citrix servers between several departments. Of course the owner (often the back-end group) would like to control the actions that can be carried out by the other departments. In this article I’m going to describe how this control can be accomplished by using the delegation model within the Citrix Management Console.
Improvement in Citrix Presentation Server 4
Before explaining how to accomplish delegation of control within the Citrix Management Console, I first need to mention that Citrix made a big improvement within this console. In earlier versions all options were always visible, even if the users involved did not have the rights to use them. In the past this was sometimes confusing, or departments demanded more rights because they saw all the options. With Citrix Presentation Server 4, only the assigned options are shown to the user.
First of all you need to add the users/groups to which you would like to assign administration tasks to the Citrix Management Console. Right click the option Metaframe Administrators in the left pane and choose the option Add Metaframe Administrator. Select the groups you would like to add to the Citrix Management Console out of Active Directory, followed by (optional) contact information. This information will be used within Resource Manager to send (if defined) alerts and warnings.
Figure 1: Adding groups to the Metaframe Administrators
The last step is to assign permissions to the added groups. There are three options available:
- View Only: Selecting this option allows the added groups to view all configuration options within the Citrix Management Console, but not to change anything.
- Full Administration: As the name already implies, selecting this option gives the selected user or group all the administrator rights available within the Citrix Management Console.
- Custom: With this option you can specify the options and rights the user group will be assigned.
Although we would like to assign custom rights, we will specify View Only for now. We will specify the custom rights later on in this article.
The added users/groups are now available within the Citrix Management Console. From now on you can right click the user/group in the right pane and change the properties.
Because we just added all the groups as View Only, we should first change the privilege type to Custom before we can specify the permissions.
Within the properties screen, click the option Privilege type and change it to Custom. Now the permission options can be changed. Permissions can be granted for every item in the left pane of the Citrix Management Console. When no permissions are assigned (the checkbox is empty), the account automatically has no rights for that item.
OK, let’s start configuring permissions to manage the Citrix Farm.
First let’s take a look at the Metaframe Administrator section. The option Log on the Presentation Server console should be checked, otherwise the employee cannot use the Management Console at all. If you would like employees to be able to manage the Web Interface, that option should be checked. The last option allows employees to see who the Metaframe Administrators are and which rights are assigned to these groups or users. My advice is to uncheck this option (with this information a user might be able to add himself to another group that has more rights in the CMC if rights are not correctly set in Active Directory).
Some sections in the Management Console have only two options available for delegation of control:
- Manage/Edit <Component>
- View <Component>
Both options are pretty obvious. When selecting the view option, the employee can only view the configuration of that component. The Manage/Edit component allows changes to be made to the current configuration. These two options can be found in Installation Manager, Isolation Environments and Policies.
For the load evaluators both options are also available, together with one additional option. This option ensures that employees cannot change the load evaluators but are allowed to assign load evaluators to servers (this option is called Assign Load Evaluator).
The Access Suite console is also available with the latest versions of Presentation Server. To delegate control of this console, rights can be assigned via the monitoring and alerting component (the options available are manage or view component).
The other components available within the Management Console do have more options available to delegate control. I will now describe most of the options available per component.
At Farm level three options are available:
- View Farm Management: Take a look at settings configured at Farm level
- Edit Zone settings: The employee can only change settings in the zone part (like change Data Collector preferences or change zone names)
- Edit All other Farm settings: Allows the employee to change all settings at Farm level except the zone settings.
At application level, first of all you can grant permission to view Published Applications settings or to add and edit Published Applications. Secondly, some settings concerning Resource Manager can be configured here. These options allow you to create a metric at application level, edit current application metrics and view application metrics. The last part configures the options concerning sessions, like (dis)connecting sessions, resetting sessions, sending messages, logging off users and/or viewing the session information. Notice that these are configured at the application level, so these options are available under the Application component in the left pane.
This does not mean these options are available on the servers’ side. It is possible to sort published applications into several folders. Per folder, all settings can be configured differently. This can be useful in an environment where Functional/Technical Application Managers are appointed. By dividing the applications into folders you could give each Application Manager rights to take over the applications that are assigned to his responsibilities. If you just divided the applications into folders for the overview, you can simply copy the settings to all subfolders.
Printer Management options are divided into editing printers, editing printer drivers, editing all other printer settings, replicating printer drivers or just viewing all the settings.
Resource Management has a pretty detailed delegation of control. You can give permissions by assigning the option Configure Resource Management. If your financial department is taking care of billing, you could give them the permission to generate billing reports only. There are also options to give access to the report functionality, receive notifications and/or view the Resource Manager configuration.
Figure 2: Configuring delegation of control within the server component
The last component within the Management Console has the most options available.
You can assign the permission to install or uninstall packages and/or permit adding applications to the servers. Both permissions are useful if you have a separate team that installs servers within your organization. Secondly, you can assign rights concerning Resource Manager settings on a per-server basis, for example editing the metric values, viewing information and alerts (within the server view) and assigning Application Metrics to the server.
All session options described in the applications part are also available, but then at server level. Last but not least, there are several server options that allow the employee to manage the server itself. Remember that for some options the employee should also have enough rights within the operating system to carry out these tasks. Options that can be assigned are Terminate Process, Move or Remove Servers, Edit SMTP settings, Edit License Server setting and/or Change all other server settings.
Like the application part, these settings can be configured per folder within the server part. In this way you could separate the servers based on location so local support can support their own servers only.
With this article I have given you a brief overview of the possibilities available to delegate control within the Citrix Management Console. The most important step is to think about which tasks should be carried out by the several employees/departments and then configure the permissions in the Management Console with the available options.
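One way to sanity-check such a task division before configuring it in the console, as an added example that is not part of the original article and does not talk to a Citrix farm. The group names, folder names, plan layout and the `VIEW_ADMINS` label are constructed for illustration; the checks follow the advice given above (console logon required, administrator listing unchecked, per-folder delegation).

```python
# Added example: audit a planned delegation matrix (no connection to a real farm).
# Groups, folders and the plan layout are constructed; VIEW_ADMINS is a descriptive
# label for the option the article advises unchecking, not the console's exact text.
LOGON = "Log on the Presentation Server console"
VIEW_ADMINS = "View Metaframe Administrators"
FOLDER_COMPONENTS = ("Servers", "Applications")  # components delegated per folder

def audit_plan(plan, owners):
    """Return sorted (group, finding) tuples for a planned delegation matrix."""
    findings = []
    for group, entry in plan.items():
        if entry["type"] == "Full Administration":
            if group not in owners:
                findings.append((group, "Full Administration outside the owning team"))
            continue
        if entry["type"] != "Custom":
            continue  # View Only cannot change anything
        grants = entry.get("grants", {})
        admin_opts = grants.get("Metaframe Administrators", set())
        if grants and LOGON not in admin_opts:
            findings.append((group, "cannot log on to the console; grants are unusable"))
        if VIEW_ADMINS in admin_opts:
            findings.append((group, "can view administrators and their rights"))
        allowed = entry.get("folders", [])
        for scope in grants:
            per_folder = scope.split("/", 1)[0] in FOLDER_COMPONENTS
            in_scope = any(scope == f or scope.startswith(f + "/") for f in allowed)
            if per_folder and not in_scope:
                findings.append((group, "grant outside assigned folders: " + scope))
    return sorted(findings)

# Constructed plan: Backend owns the farm, the other groups get delegated tasks.
PLAN = {
    "Backend": {"type": "Full Administration"},
    "Workstations": {"type": "Full Administration"},
    "Helpdesk": {"type": "Custom", "folders": ["Servers/Amsterdam"], "grants": {
        "Metaframe Administrators": {LOGON, VIEW_ADMINS},
        "Servers/Amsterdam": {"send messages", "view session information"},
        "Servers/London": {"log off users"}}},
    "Finance": {"type": "Custom", "grants": {
        "Resource Manager": {"generate billing reports"}}},
}

if __name__ == "__main__":
    for group, finding in audit_plan(PLAN, owners={"Backend"}):
        print(f"{group}: {finding}")
```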