Overview
The Request By Attribute process allows department administrators to submit requests for restricted actions in the Austin Active Directory via attributes on an organizational unit (OU). This process is composed of the following parts: a request JSON, the requests attribute, the request script, a result JSON, and the results attribute. The request JSON is a JSON string that contains the required properties and values for the request. A department administrator creates the request JSON and then writes the value to the requests attribute on the department's Administrative OU (see Organizational Units below). The request script is managed by the Active Directory team and runs every hour; it removes the original request JSON from the requests attribute on the department's Administrative OU and then attempts to fulfill the request. The result JSON is a JSON string that contains the results of the request. The request script writes the result JSON to the results attribute on the department's Administrative OU. Any errors encountered by the request script are included in the result JSON.
Organizational Units
The Request By Attribute process interacts with both a department's Department OU and its Administrative OU. Each department's Department OU is the named OU in the Departments container at the root of the domain (ex. "OU=TEST,OU=Departments,DC=austin,DC=utexas,DC=edu" or "austin.utexas.edu/Departments/TEST") and contains resources managed by the department, such as computer and group objects. Each department's Administrative OU is the named OU in the Departments container under the Administrative container at the root of the domain (ex. "OU=TEST,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu" or "austin.utexas.edu/Administrative/Departments/TEST") and contains resources managed by the Department User Tools, such as department user accounts and membership in the department administrators group (ex. TEST-Administrators).
Supported requests
The Request By Attribute process supports the following request types:
- Delegations - department administrators can request permission changes to organizational units within a department. The same change can be requested manually via ServiceNow or programmatically by this process.
Requests and Results
Each delegation request is a JSON string that must contain the required properties and values. Each delegation result is a JSON string that contains the result of processing the delegation request and the original delegation request along with any error messages that were generated. The following pages detail the properties and any required values of the JSON strings.
Attributes
The delegation requests and delegation results for a department are stored in attributes on the department's Administrative OU object. The selected attributes are confidential and cannot be accessed by default. The specific attributes and the permissions granted to the attributes are as follows:
...
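The submit-and-read cycle described above, from the department administrator's side, as an added example that is not part of the original page or the Active Directory team's tooling. The attribute names and the JSON property names are placeholders (the real ones are defined in the attribute list and the request pages), and the target OU is a constructed sample value.

```powershell
# Added example. Everything marked PLACEHOLDER is an assumption, not a value from this page.
Import-Module ActiveDirectory

$Department        = 'TEST'                            # department used in the page's examples
$DomainDn          = 'DC=austin,DC=utexas,DC=edu'
$RequestsAttribute = 'PLACEHOLDER-requests-attribute'  # real name: see the attribute list
$ResultsAttribute  = 'PLACEHOLDER-results-attribute'   # real name: see the attribute list

# The two OUs the process uses, built from the DN patterns under Organizational Units.
$DepartmentOu     = "OU=$Department,OU=Departments,$DomainDn"
$AdministrativeOu = "OU=$Department,OU=Departments,OU=Administrative,$DomainDn"

# OU whose permissions should change (constructed sample value).
$TargetOu = "OU=Workstations,$DepartmentOu"

# Delegations apply to OUs within the department, so reject a target outside
# the Department OU before anything is written to the directory.
$Inside = $TargetOu.EndsWith(",$DepartmentOu", [System.StringComparison]::OrdinalIgnoreCase)
if ($TargetOu -ne $DepartmentOu -and -not $Inside) {
    throw "Target '$TargetOu' is not inside '$DepartmentOu'."
}

# Request JSON. Property names are hypothetical; use the documented schema.
$Request = [ordered]@{
    'PLACEHOLDER-type'   = 'PLACEHOLDER-request-type'
    'PLACEHOLDER-target' = $TargetOu
}
$RequestJson = $Request | ConvertTo-Json -Compress

# Submit: write the JSON string to the requests attribute on the Administrative OU.
# -Replace overwrites a value that is still waiting for the hourly run; this page
# does not say whether the attribute can hold several requests at once.
Set-ADOrganizationalUnit -Identity $AdministrativeOu -Replace @{ $RequestsAttribute = $RequestJson }

# After the next hourly run: the request is gone from the requests attribute and
# the result JSON (original request plus any errors) is in the results attribute.
$Ou = Get-ADOrganizationalUnit -Identity $AdministrativeOu -Properties $RequestsAttribute, $ResultsAttribute
if ($Ou.$RequestsAttribute) {
    Write-Warning 'Request is still pending; the request script has not processed it yet.'
}
foreach ($ResultJson in $Ou.$ResultsAttribute) {
    $ResultJson | ConvertFrom-Json | Format-List
}
```

Because both attributes are confidential, the read returns nothing for an account that has not been granted access to them, which looks the same as an empty attribute.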