Summary

The Request By Attribute process (aka REBA) allows a department administrator to programmatically submit a request for protected actions in the Austin Active Directory to the Active Directory team. The administrator crafts the request as a JSON string and then adds it to an attribute on the department's Administrative organizational unit (OU).

Overview

The Request By Attribute process consists of the following parts: the request string, the requests attribute, the request script, the request task, the result string, and the results attribute.

  • The request string is a JSON string that contains the required properties and values for the request. A department administrator creates the JSON string manually or via a PowerShell script published by the Active Directory team.
  • The requests attribute is a multi-valued attribute on a department's Administrative OU. A department administrator adds the request string to the requests attribute to submit the request. The attribute can contain multiple request strings.
  • The request script is the PowerShell script that processes the requests and performs the requested actions. The request script removes the request string from the requests attribute when processing a request.
  • The request task is the scheduled task that starts the request script every hour. The request task can be run manually by the Active Directory team to expedite a request.
  • The result string is a JSON string that contains the results of processing the request along with the original request string. The request process creates the result string and appends any errors encountered during processing to the result string.
  • The results attribute is a multi-valued attribute on a department's Administrative OU. The request process adds the result string to the results attribute to report the outcome of the request to the department.

Organizational Units

The Request By Attribute process is centered around each department's Administrative OU. Each department in Active Directory has an Administrative OU that contains the resources managed by the Department User Tools, such as department user accounts and the department's Department Administrators group.

  • The distinguished name of the Administrative OU for the EXAMPLE department would be: OU=EXAMPLE,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu
  • The name of the Department Administrators group for the EXAMPLE department would be: EXAMPLE-Administrators

Attributes

The Request By Attribute process leverages the requests attribute and results attribute on each department's Administrative OU object. The attributes are confidential and cannot be accessed by default.

  • The requests attribute for a department is the utexasEduAustinMulti1 attribute on the department's Administrative OU. The members of the department's Department Administrators group can read and write the attribute to submit or cancel requests for processing.
  • The results attribute for a department is the utexasEduAustinMulti2 attribute on the department's Administrative OU. The members of the department's Department Administrators group can read the attribute to review the results of any processed requests.
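
How a department administrator could submit, review and cancel a request with the ActiveDirectory module's Get-ADObject and Set-ADObject cmdlets, shown as an added example that is not one of the Active Directory team's published scripts. The JSON property names are placeholders (the real properties for each request type are defined by the Active Directory team), and Get-RebaValues is a hypothetical helper name.

```powershell
# Added example; requires the ActiveDirectory module and membership in the
# department's Department Administrators group (EXAMPLE-Administrators here).
Import-Module ActiveDirectory

$ou       = 'OU=EXAMPLE,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu'
$requests = 'utexasEduAustinMulti1'   # requests attribute: read and write
$results  = 'utexasEduAustinMulti2'   # results attribute: read only

# Hypothetical helper: return every JSON value stored in one attribute.
# The attributes are confidential, so an account without access gets an
# empty result here rather than an access-denied error.
function Get-RebaValues ([string]$Attribute) {
    $obj = Get-ADObject -Identity $ou -Properties $Attribute
    foreach ($value in $obj.$Attribute) { $value | ConvertFrom-Json }
}

# Placeholder request string: these property names are NOT the real schema.
$request = [ordered]@{
    PlaceholderProperty1 = 'placeholder-value-1'
    PlaceholderProperty2 = 'placeholder-value-2'
} | ConvertTo-Json -Compress

# Submit: -Add appends one value to the multi-valued attribute and leaves
# any other pending request strings untouched (-Replace would wipe them).
Set-ADObject -Identity $ou -Add @{ $requests = $request }

# Review what is still waiting for the hourly request task.
Get-RebaValues $requests

# Cancel before processing: -Remove needs the exact string that was stored.
Set-ADObject -Identity $ou -Remove @{ $requests = $request }

# Review outcomes; each result string carries the original request and
# any errors encountered during processing.
Get-RebaValues $results
```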

Request Types

The Request By Attribute process is designed to support different types of protected actions. Each protected action is defined as a request type and documented below. The supported requests are available for use and supported by the Active Directory team. The planned requests are in development and will be available at a future time. Departments can submit suggestions for additional request types to the Active Directory team via the UT Service Desk.

Supported requests

The Request By Attribute process currently supports the following request types:

...

An automated process will retrieve and evaluate the request and then post the results of the request to a separate attribute on the same administrative OU. This process is intended to reduce the need for department administrators to open tickets with the Active Directory team.

Request Types

REBA is designed to be extensible and can support multiple request types. Each of the supported and planned request types is documented in its respective section below. Examples of how to submit each request type and review results are included in the documentation for the respective request type.

Supported Request Types

The following request types are currently supported by the REBA process:

  • Delegation - Department administrators can request changes to permissions on organizational units within a department. This process has previously been available only via a ServiceNow request.

Planned Request Types

The following request types are expected to be supported by REBA in the future:

  • DNS - Department administrators can manage DNS records associated with the department. This process will be limited to DNS records that begin with a department prefix.

PowerShell Scripts

The Active Directory team has created and maintains a set of PowerShell scripts to simplify the process of submitting requests and viewing the results. The scripts can be downloaded from the GitHub repo linked below. Please see the README file in the repo for instructions on running the scripts:

...

The scripts below apply to all request types. See the pages above for the scripts specific to a request type.

  • Get-ADRequests.ps1 - displays any outstanding requests for a department
  • Get-ADResults.ps1 - displays any completed requests for a department
  • Show-ADRequestValues.ps1 - displays the properties and values supported for each request type

Questions

Please contact the Active Directory team via ServiceNow for any questions or assistance with this process.