Versions Compared

Old Version 8

changes.mady.by.user Alex Barth

Saved on

compared with

New Version 9

changes.mady.by.user Alex Barth

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The custom Austin Active Directory schema has been extended with the utexasEduAustinAuxClass and utexasEduAzureAuxClass auxiliary classes. These auxiliary classes add additional attributes to existing classes and allow additional information to be stored on objects in the Austin Active Directory. The attribute permission groups need to address multiple items:

  1. Must use "ControlAccess" due to confidential attributes
  2. The standard No Access vs. Read vs. Write
  3. The ability to address record restrictions for future directory services work

Current proposal is AUSTINenable granular access to the attributes with easy to read group names.

Each attribute permission group follows the [auxiliary-class-type]-[short-object-type]-[short-attribute-name]-[permission-code]. The "short object type" is the shortened string of the AD object class pattern. The pattern is comprised of the following components:

  • [auxiliary-class-type] - AUSTIN for attributes in the utexasEduAustinAuxClass and AZURE for attributes in the utexasEduAzureAuxClass 
  • [short-object-type] -  the shortened name of the object that the attribute permission group applies to (ex. User,

...

  • Group, Computer,

...

C - Change - User is allowed to read and write the attribute

...

titleChange to Use of the "B" Group

The B group is currently not in use for any attributes. Do not use it at the present time!

...

  • OU)
  • [short-attribute-name] - the shortened name of the attribute that the attribute permission group applies to (ex. Single1, Multi2, Bool3, Time4)
  • [permission-code] - the letter of the permission code for the permissions granted to the attribute permission group (see below)

Permission Code

The following are the current permission codes:

CodeLabelRights
AAccessRead permissions on the attribute
BBlockableRead permissions on the attribute; may be limited by record restrictions
CChangeRead and write permissions on the attribute


The following the proposed permission codes:

CodeLabelRights
PPeruseRead permission on the attribute; may be limited by record restrictions
RReadRead permission on the attribute
WWriteRead and write permissions on the attribute


Example attribute permission groups

The current permission codes would result in the following example attribute permission groups:

  • AUSTIN-User-Single11-A - the members are allowed to read the utexasEduAustinSingle11 attribute on users
  • AUSTIN-OU-Multi12-C - the members are allowed to read and write the utexasEduAustinMulti12 attribute on OUs

Record restrictions are handled by placing a deny directly on the user object for the appropriate Access group. Membership in the Access, Bypass, and Change groups must be exclusive to prevent conflicts.

...

Script for assigning permissions to Attribute Permission Groups

Note

In order to reduce the size of the ACL, only set an ACE for groups where that access type has been requested.
For example, if there is a request to read an attribute, but no request to write it as well, only set the ACE for the appropriate -A group. Do not set an ACE for the -C group as well if write access is not requested.

...