For the latest XenDesktop 7 release, we introduced the Delegated Administration feature for managing your Citrix administrators. This new feature allows the creation of Citrix site administrators with either a pre-configured or custom role, allowing you to specify exactly what you want your administrators’ to be able to do and to not do. Delegated Administration sits between your administrator and the task they wish to perform, so ensuring this feature works exactly as expected is integral to the security of your site.

The Task

Validating actions your administrator could perform both with and without permission in a product as flexible as XenDesktop is a monumental task. An administrative role can be made up of any combination of the 91 available permissions, which in turn map to a subset of the 500+ XenDesktop SDK cmdlets. An administrator can perform actions either using the Citrix Studio, or via the XenDesktop SDK (Powershell command-line). The Citrix Studio facilitates the completion of your administrators desired tasks by intelligently constructing the required PowerShell statements so your administrator doesn’t have to. Unlike the Citrix Studio, using the SDK, administrators’ manually construct the required PowerShell statements for execution in order to complete tasks.

Monolithic security-related tasks demand the utmost of accuracy and require an approach allowing little room for human error. Couple this with Citrix’s desire of validating tasks your administrator could perform following each change introduced into XenDesktop pre-release, and you can begin to appreciate the scale of the task in-hand. Providing a solution for a repetitive task requiring this level of precision can only viably be addressed using the following method—Automation.

The Solution

Here at Citrix we developed a PowerShell test suite dedicated to exercising actions your administrator could perform, both with and without permission (including other related tests). The test suite performs the following permissions-related tests:-

  • Detection of a XenDesktop installation/all available XenDesktop cmdlets
  • Site state analysis (ensure objects don’t exist which could affect the validity of the current test)
  • Pre-requisite (object(s)) creation for the current cmdlet-under-test (e.g. Desktop group, User session, Catalog)
  • Configuration of a test administrator without permission to execute the current cmdlet-under-test
  • Execution of the current cmdlet-under-test
  • Validation of a returned error message (format validation, message content validation)
  • Site state analysis (second phase – ensures that no changes have been made to the site where an administrator did not have permission to do so – this is performed regardless of whether the previous error message returned was correct or not)
  • Configuration of a test administrator assigning permission to execute the current cmdlet-under-test
  • Execution of the current cmdlet-under-test
  • Site state analysis (ensure only the expected changes have been made to the site – this also provides confidence in the previous test where test administrator was not assigned permission to execute the cmdlet-under-test)
  • Clean-up phase

Other Tests

The test suite also performs the following related tests:-

  • Naming convention adherence tests (these tests ensure that cmdlets and their corresponding operations are named according to our strict naming convention allowing associations to be easily identified)
  • Execution time testing (ensuring task execution time is recorded/completed within an acceptable timeframe)

Email us @ DesignEngineering@citrix.com

Tweet us @CitDesEngTest