...
PFA will allow department administrators to use Active Directory attributes to apply permissions to objects. Initial implementation is focused on
Parameters
- Define <action-attribute> for query
  - utexasEduAustinBool1
- Define <permission-attribute> for query
  - utexasEduAustinSingle11
  - Value must be one of the existing Delegation values
- Define <targets-attribute> for query
  - utexasEduAustinMulti11
  - Values must be DN of a group object (the target of the delegation)
- Define <reports-attribute> for results
  - utexasEduAustinMulti12
- Define <object-class> for query
  - organizationalUnit
- Define <container> as search base for query
  - OU=Departments,<domainDnsRoot>
...
- Query for <object-class> in <container> where:
  - <action-attribute> is true
  - <permission-attribute> has a value
  - <targets-attribute> has a value
- For each object found in the previous step:
  - Grant the <permission-attribute> delegation on the object to each principal in <targets-attribute>
  - Update <reports-attribute> with "<timestamp>;<add/remove>;<delegation>;<managedBy>"
  - Clear <action-attribute>, <permission-attribute> and <targets-attribute>
- Create a scheduled task on the ADFS servers to perform the query every hour
  - Run as a dedicated GMSA
    - All permission actions are taken by a known account
    - Password of the account is managed by the domain
  - Leverage HostCheck
    - Avoid duplication of work
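One pass of the hourly task described above, written as an added PowerShell example against the ActiveDirectory module (this is not the project's own script). The attribute names are the ones listed under Parameters; the $Delegations table, deriving <domainDnsRoot> from Get-ADDomain, and writing the target group DN in the fourth report field are assumptions.

```powershell
# Added example, not the project's code. Runs one pass of the PFA query under the
# task's gMSA; every grant is validated against the design's rules before it is applied.
Import-Module ActiveDirectory

$Container  = "OU=Departments,$((Get-ADDomain).DistinguishedName)"   # <container> (assumed)
$ActionAttr = 'utexasEduAustinBool1'      # <action-attribute>
$PermAttr   = 'utexasEduAustinSingle11'   # <permission-attribute>
$TargetAttr = 'utexasEduAustinMulti11'    # <targets-attribute>
$ReportAttr = 'utexasEduAustinMulti12'    # <reports-attribute>

# Hypothetical delegation catalogue: name -> rights applied on the OU. The real set of
# Delegation values lives elsewhere in this project; an unknown name is never guessed at.
$Delegations = @{
  'ManageComputers' = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
}

# Query: OUs under <container> with the action flag set and both inputs present.
$filter = "(&(objectClass=organizationalUnit)($ActionAttr=TRUE)($PermAttr=*)($TargetAttr=*))"
$ous = Get-ADObject -SearchBase $Container -LDAPFilter $filter -Properties $PermAttr, $TargetAttr

foreach ($ou in $ous) {
  $perm = $ou.$PermAttr
  if (-not $Delegations.ContainsKey($perm)) {
    Write-Warning "$($ou.DistinguishedName): '$perm' is not a known Delegation value, skipping"
    continue   # request left in place so the department admin can correct it
  }
  foreach ($dn in $ou.$TargetAttr) {
    # Values must be the DN of a group object; a user, computer or bad DN is rejected.
    $group = Get-ADGroup -Filter { DistinguishedName -eq $dn }
    if (-not $group) { Write-Warning "$($ou.DistinguishedName): '$dn' is not a group DN, skipping"; continue }

    $path = "AD:\$($ou.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
      $group.SID, $Delegations[$perm], 'Allow', 'All')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Report entry: <timestamp>;<add/remove>;<delegation>;<target> (target field assumed)
    $entry = '{0};add;{1};{2}' -f (Get-Date -Format o), $perm, $dn
    Set-ADObject -Identity $ou -Add @{ $ReportAttr = $entry }
  }
  # Clear the request so the next hourly pass does not repeat the grant.
  Set-ADObject -Identity $ou -Clear $ActionAttr, $PermAttr, $TargetAttr
}
```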
...