Delegated access

Large organizations may set up dedicated teams to manage specific parts of the network. Delegated access allows the ETP super administrator to delegate network administration to other administrators. An ETP super administrator grants a delegated administrator access to specific locations, policies, and custom lists.

If your organization is enabled to do so, a super administrator can also assign the delegated administrator role to an ETP user. The super administrator can do this from the Delegated Access page. This page is available to ETP super administrators only. If you want to enable this feature in ETP, contact your Akamai representative.

By default, the delegated administrator can add locations, policies, and custom lists. Once granted access to specific locations, policies, and custom lists, the delegated administrator can then manage them. This allows a delegated administrator to manage part of the enterprise network and oversee advanced policy settings such as defining the acceptable use policy (AUP), policy actions, enabling the ETP proxy, and more.

When creating or modifying a policy, a delegated administrator can only assign the locations and custom lists that they created or are allowed to manage. A delegated administrator cannot assign the locations or custom lists that they do not have permission to access.

After adding or modifying policies, locations, or custom lists, the delegated administrator can also deploy these changes to the ETP network. The Pending Changes window shows the changes that were applied by all administrators (all super administrators and delegated administrators). However, a delegated administrator can only deploy the changes they made and the changes that apply to the locations, policies, and custom lists they have permission to manage. For more information on pending changes, see Deploying configuration changes.

When deploying changes, these conditions also apply:
  • Delegated access to a deleted location, policy, or custom list is automatically removed after a super administrator makes a delegated access change. If the super administrator makes a change before the deletion is deployed, the delegated administrator cannot deploy it. In this case, the delegated administrator must contact an ETP super administrator to deploy the deleted location, policy, or custom list.
  • If the pending change list includes modifications for lists that are accessible and not accessible to the delegated administrator, the delegated administrator cannot deploy pending changes. This includes changes associated with lists they can access. To deploy these changes, the delegated administrator must contact an ETP super administrator.
  • A delegated administrator can view the changes included in the pending changes list that were applied by other administrators. However, they cannot deploy these changes.

In addition to creating and managing locations, policies, and custom lists, a delegated administrator can:

  • View all locations, policies, and custom lists. On the Locations, Policies, and Custom List pages, a delegated administrator can toggle between all locations, policies, and custom lists in ETP and the ones they are allowed to manage. A delegated administrator can modify the locations, policies, and custom lists they created or are allowed to manage. They can also view settings associated with locations, policies, and custom lists that were created by other administrators.
  • View settings of configuration features. While a delegated administrator cannot modify the settings associated with other configuration features in ETP, they can view the settings that are associated with these components.
  • Schedule a report. A delegated administrator can schedule a report. Report results are based on the locations that the delegated administrator is allowed to access.
  • View and analyze reporting data. A delegated administrator can view data on the Dashboard, threat, acceptable use policy, and activity reports based on assigned locations. A delegated administrator can filter data and view the events, activity, and traffic related to the locations they are allowed to access and manage.
  • Download ETP Client. A delegated administrator can download ETP Client and view data that’s associated with client installations across the organization.
  • Grant or revoke access to Support. A delegated administrator can access the Support Access feature to grant or revoke access to Akamai Support.
  • Add email addresses and assign communication emails. A delegated administrator can add email addresses and assign communication emails for alerts, system issues, security connector upgrades, and ETP Client upgrades. For data that’s reported in an alert communication, a delegated administrator can associate the locations they are allowed to manage.
  • View Security Connector activity. A delegated administrator can view activity based on the locations they are allowed to access.
Note: ETP also offers access to tenant administrators. A tenant administrator can only manage and view reporting data that is associated with the locations, policies, and custom lists they are allowed to manage. They cannot view other configuration settings or perform most of these operations. A tenant administrator can be used by Managed Service Providers (MSP) to control customer access. For more information, see Tenant access.

A delegated administrator cannot:

  • Manage an ETP Client or security connector.
  • Add or manage a custom response.
  • Grant other delegated administrators access to locations and policies.
  • Manage the man-in-the-middle CA TLS certificates for ETP Proxy.