...
The Delegation Via Attributes process will allow departments to manage delegations in Austin Active Directory objects via attributes on an organizational unit (OU). This process is composed of the following parts: a delegation request, the requests attribute, the delegation process, a delegation result, and the results attribute. The delegation request is a JSON string that contains the required properties and values for the delegation. The JSON string is written to the requests attribute on a department's Administrative OU (see Organizational Units below). The delegation process is an hourly process managed by the Active Directory team that interprets delegation requests. The delegation process will remove the original JSON string from the requests attribute on the department's Administrative OU and then attempt to fulfill the delegation request. The delegation process will then write the delegation result as a JSON string to the results attribute on the department's Administrative OU. Any errors encountered by the delegation process are reported in the delegation result.
Organizational Units
The Delegation Via Attributes process interacts with both a department's Department OU and Administrative OU. Each department's Department OU is the named OU in the Departments container at the root of the domain (ex. "OU=TEST,OU=Departments,DC=austin,DC=utexas,DC=edu" or "austin.utexas.edu/Departments/TEST") and contains resources managed by the department such as computer and group objects. Each department's Administrative OU is the named OU in the Departments container under the Administrative container at the root of the domain (ex. "OU=TEST,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu" or "austin.utexas.edu/Administrative/Departments/TEST") and contains resources managed by the Department User Tools such as department user accounts and membership in the department administrators group (ex. TEST-Administrators).
Requests and Results
Each delegation request is a JSON string that must contain the required properties and values. Each delegation result is a JSON string that contains the result of processing the delegation request and the original delegation request along with any error messages that were generated. The following pages detail the properties and any required values of the JSON strings.
Attributes
The values consumed and generated by Delegation Via Attributes are stored on a department's Administrative OU object. A department's Administrative OU is contained under the Departments OU in the Administrative OU at the root of the domain. For example, "OU=TEST,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu" would be the Administrative OU for the TEST department.
- The requests attribute is the utexasEduAustinMulti1 attribute on a department's Administrative OU. Department Owners can read and write to this attribute to submit a delegation request.
- The results attribute is the utexasEduAustinMulti2 attribute on a department's Administrative OU. Department Owners can read this attribute to review the results of delegation processing.
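As an added example (not part of the original page and not the Active Directory team's tooling), the following PowerShell shows how a Department Owner could submit a request, check whether it is still pending, and read the results with the ActiveDirectory module. The function names are hypothetical. The example assumes both attributes are multi-valued and that department names contain only letters, digits and hyphens, and the request's property names must be taken from the Delegation Request table.

```powershell
# Added example; not the Active Directory team's tooling.
# Requires the RSAT ActiveDirectory module and Department Owner rights.
Import-Module ActiveDirectory

function Get-AdministrativeOuDn {
    # Assumption: department names use only letters, digits and hyphens.
    # Rejecting anything else keeps DN special characters out of the path.
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]+$')][string]$Department)
    # DN layout follows the page's TEST example.
    "OU=$Department,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu"
}

function Submit-DelegationRequest {
    param(
        [Parameter(Mandatory)][string]$Department,
        # Keys and values come from the Delegation Request table.
        [Parameter(Mandatory)][hashtable]$Request
    )
    $json = $Request | ConvertTo-Json -Compress
    # -Add appends one value and leaves other pending requests untouched
    # (assumes the requests attribute is multi-valued).
    Set-ADOrganizationalUnit -Identity (Get-AdministrativeOuDn -Department $Department) `
        -Add @{ utexasEduAustinMulti1 = $json }
    $json   # return the exact string so the caller can track it
}

function Test-DelegationPending {
    # True while the hourly process has not yet removed the request string.
    param([Parameter(Mandatory)][string]$Department,
          [Parameter(Mandatory)][string]$RequestJson)
    $ou = Get-ADOrganizationalUnit -Identity (Get-AdministrativeOuDn -Department $Department) `
        -Properties utexasEduAustinMulti1
    @($ou.utexasEduAustinMulti1) -ccontains $RequestJson
}

function Get-DelegationResult {
    # Parse every value of the results attribute into an object.
    param([Parameter(Mandatory)][string]$Department)
    $ou = Get-ADOrganizationalUnit -Identity (Get-AdministrativeOuDn -Department $Department) `
        -Properties utexasEduAustinMulti2
    foreach ($value in $ou.utexasEduAustinMulti2) {
        try   { $value | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning "Result value is not valid JSON: $value" }
    }
}
```

Because the delegation process runs hourly, `Test-DelegationPending` can return true for up to an hour after submission, and errors from processing appear in the objects returned by `Get-DelegationResult`.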
Delegation Request
Each delegation request is a JSON string that contains the following properties and values:
...
Yes
...
- an Active Directory security group.
- * (asterisk) when Action is Clear.
...
Delegation Results
Each delegation result is a JSON string that contains the following properties and values:
...
- .