Configuring Feature Delegation
The
ability to define users and permissions enables you to manage
administration based on site content structure. However, it is also
important to determine which features users can view and configure. For
example, you might want a Web server administrator to connect to the
Default Web Site, but you do not want her to be able to change
Authentication settings. Delegation is the process by which an
administrator can determine which features of IIS a user can view and
change.
Default
settings for feature delegation initially are defined at the server
level in IIS. To access these settings using IIS Manager, select the
Web server object in the left pane, and then double-click Feature
Delegation in the Management section of the Features View, as shown in Figure 6.
The
list of items available for delegation will include all the features
that have been added through the Web Server (IIS) server role and
enabled role services. To change the setting for a feature, select it
from the list and use the commands in the Set Feature Delegation
section of the Actions pane. Most features have options of Read Only or
Read/Write. In addition, some items have a Configuration Read/Write or
Configuration Read Only setting. These settings enable Web developers
to specify settings in their configuration files or to manage them
based on database settings. The Not Delegated setting means that the
feature has not been enabled for delegation at lower levels and is not
available for configuration. You can also use the Delegation option in
the Group By drop-down list to determine quickly how all the settings
have been configured, as shown in Figure 7.
The
settings that you define at the server level automatically apply to all
child Web sites and applications by default. In some cases, you will
want to restrict feature delegation at the site level. To do this,
click the Custom Site Delegation command in the Actions pane. This will
bring up the Custom Site Delegation screen, as shown in Figure 8, which will enable you to select specific sites to which you want delegation settings to apply.
The
Copy Delegation command enables you to copy the currently selected
settings to one or more Web sites on the server. You can also use the
Reset To Inherited and Reset All Delegation commands in the Actions
pane to change groups of settings quickly to earlier values. You use
feature delegation settings to determine which parts of the system
configuration will be available when remote users connect to the server
using IIS Manager.
Note
When
implementing remote management security, keep in mind the specific
administration requirements. Some settings, such as IIS Manager Users
and Feature Delegation, can be configured only at the level of the Web
server. That makes these settings applicable to all the lower-level
objects. IIS Manager Permissions, alternatively, can be configured for
specific Web sites and Web applications. This enables you to implement
granular security for those users who should have access only to
limited portions of the Web server.