...
The Request By Attribute process allows a department administrator to request protected actions in the Austin Active Directory by crafting the request as a JSON string then adding the request to an attribute on the department's Administrative organizational unit (OU).
Overview
The Request By Attribute process is comprised of the following parts: the request string, the requests attribute, the request script, the result string, and the results attribute.
- A request string is a JSON string that contains the required properties and values for the request. A department administrator creates the JSON string manually or via a PowerShell script published by the Active Directory team.
- The requests attribute is a multi-valued attribute on a department's Administrative OU. A department administrator adds the request string to the requests attribute to submit the request. The attribute can contain multiple request strings.
- The request process is the script that processes requests and the scheduled task that runs the script hourly. The request process removes the request string from the requests attribute when processing the request.
- A result string is a JSON string that contains the results of processing the request along with the original request string. The request process creates the result string and appends any errors encountered during processing to the result string.
- The results attribute is a multi-valued attribute on a department's Administrative OU. The request process adds the result string to the results attribute to report the outcome of the request to the department.
Organizational Units
The Request By Attribute process is centered around each department's Administrative OU. The Administrative OU for a department is the named OU in the Departments container under the Administrative container at the root of the domain that contains the resources managed by the Department User Tools, such as department user accounts and the department's Department Administrators group.
- The distinguished name of the Administrative OU for the EXAMPLE department would be: OU=EXAMPLE,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu
- The name of the Department Administrators group for the EXAMPLE department would be: EXAMPLE-Administrators
Attributes
The Request By Attribute process relies upon the security of the following attributes on each department's Administrative OU object. The selected attributes are confidential and cannot be accessed by default. Access to the attributes has been granted to the request process and each department's Department Administrators group.
The specific attributes and the permissions granted to the attributes are as follows:
- The requests attribute is the utexasEduAustinMulti1 attribute on a department's Administrative OU. The associated department's Department Administrators can read and write to this attribute to submit requests.
- The results attribute is the utexasEduAustinMulti2 attribute on a department's Administrative OU. The associated department's Department Administrators can read this attribute to review the results of any processed requests.
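The submit-and-review cycle described above, as an added example that is not the Active Directory team's published script. It assumes the RSAT ActiveDirectory module and a session running as a member of EXAMPLE-Administrators; the request property names and values are hypothetical placeholders, because this page does not list the real request schema.

```powershell
# Added example; not the script published by the Active Directory team.
Import-Module ActiveDirectory

# Administrative OU for the EXAMPLE department, as given on this page.
$ou           = 'OU=EXAMPLE,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu'
$requestsAttr = 'utexasEduAustinMulti1'   # requests: Department Administrators read/write
$resultsAttr  = 'utexasEduAustinMulti2'   # results: Department Administrators read only

# HYPOTHETICAL properties and values: placeholders for the real request schema.
$request = [ordered]@{
    requestType = 'PLACEHOLDER-REQUEST-TYPE'
    target      = 'PLACEHOLDER-TARGET'
} | ConvertTo-Json -Compress

# -Add appends a single value to the multi-valued attribute. Using -Replace
# here would overwrite request strings that other administrators have queued.
Set-ADObject -Identity $ou -Add @{ $requestsAttr = $request }

# The request string stays on the attribute until the hourly request process
# picks it up and removes it, so its presence means "queued, not yet processed".
$pending = (Get-ADObject -Identity $ou -Properties $requestsAttr).$requestsAttr
if ($pending -contains $request) {
    Write-Output 'Request queued; waiting for the next hourly run.'
}

# After the run: each value on the results attribute is one JSON result string.
$results = (Get-ADObject -Identity $ou -Properties $resultsAttr).$resultsAttr
foreach ($result in $results) {
    try {
        $result | ConvertFrom-Json
    } catch {
        # Surface a malformed value rather than silently skipping it.
        Write-Warning "Unparseable result string: $result"
    }
}
```

Because both attributes are confidential, an account outside the department's Department Administrators group gets no value back from either read, which makes the same two reads a quick check that access is scoped as described.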
Supported requests
The Request By Attribute process supports the following request types:
- Delegations - Department administrators can request changes to permissions on organizational units within a department. This process has previously been available only via a ServiceNow request.
...