Versions Compared

Version Old Version 8 New Version 9
Changes made by

Alex Barth

Alex Barth

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Warning

DRAFT

Overview

PFA Delegation Via Attributes (DVA) will allow customers to update permisssions on Active Directory object by setting the correct values on specific attributes. Initial implementation is focused on Organizational Units.

Parameters

...

  • utexasEduAustinBool1
  • Value must be true to grant permissions

...

  • utexasEduAustinSingle11
  • Value must be one of the existing Delegation values

...

  • utexasEduAustinMulti11
  • Values must be DN of a group object

...

  • utexasEduAustinMulti12

...

  • organizationalUnit

...

departments to request and remove delegations on Active Directory objects. This process is composed of the following parts: the delegation request, the requests attribute, the delegation processing, and the results attribute. The delegation request is a JSON string that contains the required properties and values for the delegation. The JSON string is written to the requests attribute on a deparment's Administrative OU. The delegation processing is comprised of a PowerShell script and the scheduled tasks that run the PowerShell script every hour. The PowerShell script will remove the original JSON string from the requests attributes and write the output from delegation processing as a JSON string to the results attribute on the department's Administrative OU.

Attributes

The attributes used by Delegation Via Attributes are stored on a departemnt's Administrative OU object. For example: "OU=TEST,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu" would be the Administrative OU for the TEST department.

  • The requests attribute is the utexasEduAustinMulti1 attribute on a department's Administrative OU. Department Owners can read and write to this attribute to submit a delegation request.
  • The results attribute is the utexasEduAustinMulti2 attribute on a department's Administrative OU. Department Owners can read this attribute to review the results of delegation processing.

Delegation Request

Each delegation request is a JSON string that contains the following properties and values:

PropertyValueNotes
TimestampWhen to process the requestMust be a valid time value. Can be set for a future time to scheduled the request.
RequestedByRequired - EID submitting the requestMust EID for reporting and validating against the Department's Owners group.
RequestedForOptional - EID requesting the delegationMay EID for original user who requested the delegation from the owner
ActionAction for the requestMust be one of the following approved verbs: Add, Remove, Repalce, Clear
PrincipalAD group in the delegationMust be an Active Directory security group. Delegation to individual users is not permitted
PathOU targetted by the requestMust be an OU under the Department's OU.
DelegationPermissions for requestMust be one of the standard delegations: <link to delegations page>


Delegation Results

Each delegation result is a JSON string that contains the following properties and values:

PropertyValueNotes
TimestampWhen the request was processedThe time when the script processed the request.
RequestThe original delegation request The original JSON string from the request attribute
SuccessTrue or FalseTrue if the request was processed successfully. False otherwise.
ErrorPresent when Success is FalseContains the reason the request could not be processed as submitted.


Pseudo-code

  1. Query for <object-class> in <container> where:
    1. <action-attribute> is true
    2. <permission-attribute> has a value
    3. <targets-attribute> has a value
  2. For each object found in previous step...
    1. Grant <permission-attribute> delegation on object to each principal in <targets-attribute>
    2. Update <reports-attribute> with "<timestamp>;<add/remove>;<delegation>;<DNs>"
    3. Clear <action-attribute>, <permission-attribute><targets-attribute>
  3. Create scheduled task on ADFS servers to perform query every hour
    1. Run as dedicated GMSA
      1. All permissions actions taken by known account
      2. Password of account managed by domain
    2. Leverage HostCheck
      1. Avoid duplication of work
Expansion options
  • Set <action-attribute> to false to remove a delegation
  • Allow <permission-attribute> to be SDDL
    • SDDL must be checked for prohibited permissions
  • Add Reset as a delegation to reset permissions on an OU
    • Ensure that <DEPT>-Permissions are restored after a reset on a department root.

...