Versions Compared

Version Old Version 11 New Version Current
Changes made by

Alex Barth

Alex Barth

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning

DRAFT

Overview

The Delegation Via Attributes process will allow departments to manage delegations in Austin Active Directory objects. This process is composed of the following parts: a delegation request, the requests attribute, the delegation process, a delegation result, and the results attribute. The delegation request is a JSON string that contains the required properties and values for the delegation. The JSON string is written to the requests attribute on a deparment's Administrative OU. The delegation process is an hourly process managed by the Active Directory team that interprets delegation requests. The delegation process will remove the original JSON string from the requests attributes on the department's Administrative OU and attempt to fulfill the delegation request. The delegation process will then add the output from the delegation process as a JSON string to the results attribute on the department's Administrative OU. Any errors encountered by the delegation process are reported in the delegation result. 

Attributes

The values consume and generated by Delegation Via Attributes are stored on a department's Administrative OU object. A department's Administrative OU is contained under the Departments OU in the Administrative OU at the root of the domainFor example: "OU=TEST,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu" would be the Administrative OU for the TEST department.

  • The requests attribute is the utexasEduAustinMulti1 attribute on a department's Administrative OU. Department Owners can read and write to this attribute to submit a delegation request.
  • The results attribute is the utexasEduAustinMulti2 attribute on a department's Administrative OU. Department Owners can read this attribute to review the results of delegation processing.

Delegation Request

Each delegation request is a JSON string that contains the following properties and values:

...

Yes

...

  • an Active Directory security group.
  • * (asterisk) when Action is Clear.

...

Delegation Results

Each delegation result is a JSON string that contains the following properties and values:

...

The Active Directory team has created the Requests By Attribute process (aka REBA) which allows department administrators to programmatically submit specific requests to the Active Directory team via an attribute on a department's administrative organizational unit (OU) object. These requests are processed automatically and are intended to reduce the need for department administrators to open tickets with the Active Directory team.

Process Overview

The requests attribute on a department's administrative OU functions as a queue and holds all pending requests for a department. A scheduled task runs a PowerShell script hourly that evaluates all pending requests in the requests attribute. The PowerShell script will then remove a pending request from the attribute and either perform the requested actions or deny the request. The PowerShell script will then post the results of the request to a separate attribute on the same administrative OU. The results attribute can be reviewed by department administrators to determine if the request was completed or denied. A denied request will include information about why the request was not performed. 

Request Types

REBA is designed to be extensible and can support multiple request types. Each of the supported and planned request types are documented in their respective sections below.  Examples of how to submit each request type and review results are included in the documentation for the respective request type. 

Supported Request Types

The following request types are currently supported by REBA:

  • Requests By Attribute - Delegation - Department administrators can manage permissions on organizational units within a department. This process has previously been available only via a ServiceNow request.

Planned Request Types

The following request types are expected to be supported by REBA in the future:

  • DNS - Department administrators can create and manage DNS records associated with the department. This process will be limited to DNS records that begin with a department prefix.

Submit Requests and Review Results

Submitting requests and reviewing results can be performed using any LDAPv3 compliant tools. The Active Directory team provides support for two methods to manage requests via REBA: the provided PowerShell scripts and the OpenLDAP tools. The Active Directory team provides best-effort support for all other methods.

PowerShell Scripts

The Active Directory team has created the following documentation for submitting requests and reviewing the results with PowerShell scripts:

OpenLDAP tools

The Active Directory team has created the following documentation for submitting requests and reviewing the results with OpenLDAP tools:

Questions

Please contact the Active Directory team via ServiceNow for any questions or assistance with this process.