...
PFA will allow department administrators to use Active Directory attributes to apply permissions to OU objects. Initial implementation is focused on
Parameters
- Define <report-attribute> for results
- utexasEduAustinMultiX
- Define <action-attribute> for query
- utexasEduAustinBool1
- Define <permission-attribute> for query
- utexasEduAustinSingle1
- Value must be one of the existing Delegation values
- Define <target-attribute> for query
- managedBy
- Target of delegation
- Define <object-class> for query
- organizationalUnit
- Define <container> as search base for query
- OU=Departments,<domainDnsRoot>
...
- Query for <object-class> in <container> where:
- <action-attribute> is true
- <permission-attribute> has a value
- <target-attribute> has a value
- For each object found in previous step...
- Grant <permission-attribute> delegation to <target-attribute> principal
- Write <report-attribute> with "<timestamp>;<delegation>;<managedBy>"
- Clear <action-attribute> and <permission-attribute>
- Create scheduled task on ADFS servers to perform query every hour
- Run from ADFS servers
- Run as dedicated GMSA
- All permissions actions taken by known account
- Password of account managed by domain
- Leverage HostCheck
- Avoid duplication of work
- Run as dedicated GMSA
Expansion options
- Set <action-attribute> to false to remove a delegation
- Allow <permission-attribute> to be SDDL for add/remove
- SDDL must be checked for prohibited permissions
- Add Reset as a delegation to reset permissions on an OU
- Ensure that <DEPT>-Permissions are restored after a reset on a department root.
...