One of the two huge limitations of Citrix Cloud was (yes, in the past) the lack of an advanced method to provide delegated access to your Administrators and Helpdesk users. Smaller SMB customers mostly have one or two admins and can leverage this setting easily, but larger enterprise customers face a massive problem, as they have more roles to delegate within their IT department. This was a huge limitation…
The second limitation was (yes, again in the past) logging. It could be that you never missed the feature in the Citrix Cloud. But from what I’ve heard – most companies don’t leverage Citrix Cloud Workspaces – because of this simple limitation. We all know that Citrix Cloud is built up from the On-Premises FMA architecture, which was initially not designed for multi-tenant access – and for this specific reason – logging wasn’t there from the beginning. Citrix rebuilt the way logging gathers its information and made it available for current release customers and later on the rest through the Canary enrollment process (read more about this later on).
Big thumbs up for the Citrix Engineering and Dev team that were involved in this. I had the privilege to test this new enhancement as a Citrix CTP – and must say that it’s already working great.
See below the different Delegated Roles that are available in a diagram.
In this article, I’ll describe how you can use the new Delegation and Control capabilities in the Citrix Cloud as well as the (new) logging functionality.
What’s the Citrix Cloud Canary enrollment process?
Citrix releases new features and enhancements in Citrix Cloud through an update management process, so this Delegated Control and Logging feature might not be available for every customer right now. Citrix said that all Citrix Cloud customers will have these 2 new enhancements available in their Virtual Apps and Desktop environment in the next 2 weeks.
Interested in how update management works within the Citrix Cloud? Citrix works with a so-called Canary Process, and it works like this.
- 4-5 Day process to migrate customers to new code
- If issues observed, hard stop until the issue is resolved
- Test State: Internal customers to verify deployment
- Opt-In: Customers who have explicitly notified Citrix that they want latest stable code as quickly as possible within Citrix Cloud
- Opt-Out: Customers who want to wait until 100% state is achieved
With this new Citrix Cloud platform feature enhancement, you can begin leveraging this feature to control access to select areas within the Virtual Apps and Desktops Service.
Go to citrix.cloud.com
Open the hamburger menu – click on Identity and Access Management
Click on Administrators
Choose Citrix Identity, or Azure AD if you want to delegate rights to a user within your Azure Active Directory environment.
Enter the email address of the user you want to grant the rights to and click on Invite
Note: This can be any valid email address that you like to use. It, for instance, doesn’t require an existing link to Citrix.
Click on Send Invite
Confirm that the account is listed and the status – Invite sent
Have the user open their welcome email to Citrix Cloud.
Click on Sign In
Note: If the user doesn’t have a Citrix Cloud account, they’ll be asked to create one.
If you already have a Citrix Cloud account, this will be the message:
The account is now ready to use.
If not, you’ll be asked to create one. Just go through the onboarding process of a new Citrix Cloud account. Similar to the picture below…
Delegated Administration uses three concepts: administrators, roles, and scopes. Permissions are based on an administrator’s role and the scope of this role. For example, an administrator might be assigned a Help Desk administrator role where the scope involves responsibility for end-users at one site only.
Don’t know what Delegated rights are? Please continue reading through this official Citrix Docs article, which explains most of the basics.
Return to Identity and Access Management
Go to Administrators
Click on the 3 dots – followed by Edit Access
Click on Custom Access
Select the rights that you want to assign to your administrators
The rights are successfully applied…
Changing the scope makes it possible to hide a certain number of configuration items in Citrix Studio within Citrix Cloud. You can include Machine Catalogs and exclude Delivery Groups, so the users can only manage those specific items.
Switch back to the Citrix Cloud – Dashboard
Click on Manage below Virtual Apps and Desktops (previously XenApp and XenDesktop) Service
Click on Administrators
And you’ll see the newly added administrator listed in the Administrators menu of the Citrix Cloud Studio
Click on Scopes
Create an additional Scope to limit the access for the different users
Select the Delivery Groups, Hosting and Machine Catalogs items
Please make sure that the Role is listed in the list of Scopes…
So, what about Roles – custom definitions?
Unfortunately – changing role definitions is not supported yet. Citrix is working on this and will add this very soon as a follow-up to this add-on to the Citrix Cloud!
Now return to the Identity and Access menu and apply the just created Role to your Administrators.
(You’ll see my just created Helpdesk Users added to the list!)
After you set the custom access roles – they will only see the resources you specified in the Studio!
The rights are successfully applied
Next to this Delegated Control – awesome – add-on to the Citrix Cloud, Citrix also made logging available together with the delegation option. Based on the email address of the administrator, you’ll now see which actions have been performed on the site within the Studio.
See below how the Logging Console looks within Citrix Cloud
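The delegation model described earlier (administrators, roles, scopes) and the per-administrator logging can be combined into a simple review: an action is in policy only when the administrator's role allows it and the target sits inside the scope assigned with that role. The following is an added example, not Citrix code or part of the original article; the action names, scope contents, email addresses and log record layout are all constructed assumptions, not the Citrix Cloud export format.

```python
# Added example: roles, scopes and log records below are constructed for
# illustration; they are not Citrix's permission list or log export format.

# Simplified, assumed mapping of role -> actions that role may perform.
ROLE_ACTIONS = {
    "Help Desk Administrator": {"view_session", "logoff_session"},
    "Machine Catalog Administrator": {"view_catalog", "add_machine", "delete_machine"},
}

# Scope name -> objects (Delivery Groups, Machine Catalogs) it contains.
SCOPES = {
    "Site-A": {"DG-Sales", "MC-Win10-A"},
    "Site-B": {"DG-Finance", "MC-Win10-B"},
}

# Administrator email (the key the logging console shows) -> (role, scope) pairs.
ADMINS = {
    "helpdesk@example.com": [("Help Desk Administrator", "Site-A")],
    "catalogs@example.com": [("Machine Catalog Administrator", "Site-B")],
}

def is_permitted(email, action, target):
    """True only if a single assignment's role allows the action AND its scope holds the target."""
    return any(
        action in ROLE_ACTIONS.get(role, set()) and target in SCOPES.get(scope, set())
        for role, scope in ADMINS.get(email, [])
    )

def out_of_policy(log_entries):
    """Return the log entries that no role/scope assignment covers."""
    return [e for e in log_entries
            if not is_permitted(e["admin"], e["action"], e["target"])]

# Constructed log entries covering the three failure modes.
SAMPLE_LOG = [
    {"admin": "helpdesk@example.com", "action": "logoff_session", "target": "DG-Sales"},
    {"admin": "helpdesk@example.com", "action": "logoff_session", "target": "DG-Finance"},  # outside scope
    {"admin": "catalogs@example.com", "action": "delete_machine", "target": "MC-Win10-B"},
    {"admin": "catalogs@example.com", "action": "logoff_session", "target": "MC-Win10-B"},  # outside role
    {"admin": "unknown@example.com", "action": "view_catalog", "target": "MC-Win10-A"},     # never delegated
]

if __name__ == "__main__":
    for entry in out_of_policy(SAMPLE_LOG):
        print("REVIEW:", entry["admin"], entry["action"], entry["target"])
```

Entries flagged this way point either to a delegation that is broader than intended or to an account that should not appear in the log at all.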
That’s it again – hope this helps, and thanks for stopping by.