Overview

The Active Directory team has created the Requests By Attribute process (aka REBA), which allows department administrators to programmatically submit specific requests for restricted actions in the Austin domain (austin.utexas.edu) to the Active Directory team via attributes on specific objects. This process is comprised of the following parts: a request JSON, the requests attribute, the request script, a result JSON, and the results attribute. The request JSON is a JSON string that contains the required properties and values for the request. A department administrator creates the request JSON and then writes the value to an attribute on the department's Administrative organizational unit (OU) object. These requests are processed automatically and are intended to reduce the need for department administrators to open tickets with the Active Directory team.

Process Overview

The requests attribute on a department's Administrative OU (see Organizational Units below) functions as a queue and holds all pending requests for that department. A scheduled task runs the request script (a PowerShell script) hourly. The script removes each pending request JSON from the requests attribute and then either performs the requested actions or denies the request. It then writes a result JSON, a JSON string containing the results of processing that request, to a separate results attribute on the same Administrative OU. Any errors encountered by the request script are included in the result JSON, and a denied request includes information about why it was not performed. Department administrators review the results attribute to determine whether a request was completed or denied.

Organizational Units

The Requests By Attribute process interacts with both a department's Department OU and its Administrative OU. Each department's Department OU is the named OU in the Departments container at the root of the domain (ex. "OU=TEST,OU=Departments,DC=austin,DC=utexas,DC=edu" or "austin.utexas.edu/Departments/TEST") and contains resources managed by the department, such as computer and group objects. Each department's Administrative OU is the named OU in the Departments container under the Administrative container at the root of the domain (ex. "OU=TEST,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu" or "austin.utexas.edu/Administrative/Departments/TEST") and contains resources managed by the Department User Tools, such as department user accounts and membership in the department administrators group (ex. TEST-Administrators).

Request Types

REBA is designed to be extensible and can support multiple request types. Each supported and planned request type is documented in its own section below. Examples of how to submit each request type and review its results are included in the documentation for that request type.

Supported Request Types

The following request types are currently supported by REBA:

...

  • Requests By Attribute - Delegation - Department administrators can manage permissions on organizational units within a department. Delegation has previously been available only via a ServiceNow request; the same delegation can now be requested manually via ServiceNow or programmatically via REBA.

Planned Request Types

The following request types are expected to be supported by REBA in the future:

  • DNS - Department administrators can create and manage DNS records associated with the department. This process will be limited to DNS records that begin with a department prefix.

Submit Requests and Review Results

Each request is a JSON string that must contain the required properties and values. Each result is a JSON string that contains the result of processing the request, the original request, and any error messages that were generated. The following pages detail the properties and required values of the JSON strings.

Attributes

The delegation requests and delegation results for a department are stored in attributes on the department's Administrative OU object. The selected attributes are marked confidential in the schema, so they cannot be read with the default permissions; read and write access must be granted explicitly. The specific attributes and the permissions granted on them are as follows:

...

Submitting requests and reviewing results can be performed with any LDAPv3-compliant tool. The Active Directory team supports two methods of managing requests via REBA: the provided PowerShell scripts and the OpenLDAP tools. All other methods receive best-effort support.

PowerShell Scripts

The Active Directory team has created the following documentation for submitting requests and reviewing the results with PowerShell scripts:
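The following is an added example of the submit-and-review workflow using the ActiveDirectory PowerShell module; it is not one of the Active Directory team's provided scripts. The attribute names (rebaRequests, rebaResults), the function names, and the properties in the sample request are assumptions for illustration only; the real attribute names come from the attribute table above and the request properties from the documentation for the request type.

```powershell
# Added example, not one of the Active Directory team's provided scripts.
# Submits a request JSON to the requests attribute and reads result JSON
# from the results attribute on a department's Administrative OU.
# ASSUMPTIONS: the attribute names below and the properties in the sample
# request are placeholders; take the real names from the attribute table
# and from the request type's documentation.
#Requires -Modules ActiveDirectory

$RebaRequestAttribute = 'rebaRequests'   # assumed name, see attribute table
$RebaResultAttribute  = 'rebaResults'    # assumed name, see attribute table

function Get-RebaAdministrativeOU {
    # Administrative OU: austin.utexas.edu/Administrative/Departments/<DEPT>
    param([Parameter(Mandatory)][string]$Department)
    $dept = $Department.ToUpperInvariant()
    "OU=$dept,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu"
}

function Submit-RebaRequest {
    # Appends one request JSON to the requests attribute (the queue).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][hashtable]$Request
    )
    $json = $Request | ConvertTo-Json -Compress -Depth 5
    $null = $json | ConvertFrom-Json           # fail here, not in the hourly run
    $dn = Get-RebaAdministrativeOU -Department $Department
    if ($PSCmdlet.ShouldProcess($dn, "Add value to $RebaRequestAttribute")) {
        # -Add appends a value; other pending requests in the queue are untouched.
        # (Assumes the requests attribute is multi-valued, as a queue implies.)
        Set-ADObject -Identity $dn -Add @{ $RebaRequestAttribute = $json }
    }
    $json                                      # keep this to match the result later
}

function Get-RebaAttributeJson {
    # Reads every value of a JSON-bearing attribute and parses each one.
    param(
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][string]$Attribute
    )
    $dn = Get-RebaAdministrativeOU -Department $Department
    $ou = Get-ADObject -Identity $dn -Properties $Attribute
    foreach ($value in @($ou.$Attribute)) {
        if ([string]::IsNullOrWhiteSpace($value)) { continue }   # attribute empty
        try   { $value | ConvertFrom-Json }
        catch { Write-Warning "Skipping unparseable value in ${Attribute}: $value" }
    }
}

function Get-RebaPendingRequest {
    # Requests still in the queue, i.e. not yet picked up by the hourly script.
    param([Parameter(Mandatory)][string]$Department)
    Get-RebaAttributeJson -Department $Department -Attribute $RebaRequestAttribute
}

function Get-RebaResult {
    # Result JSONs; each one echoes the original request plus any errors.
    param([Parameter(Mandatory)][string]$Department)
    Get-RebaAttributeJson -Department $Department -Attribute $RebaResultAttribute
}

# Usage. The request properties are placeholders for the ones the Delegation
# request documentation actually requires.
$submitted = Submit-RebaRequest -Department 'TEST' -Request @{
    type = 'Delegation'                        # assumed property name
    ou   = 'OU=Workstations,OU=TEST,OU=Departments,DC=austin,DC=utexas,DC=edu'
}
Get-RebaPendingRequest -Department 'TEST'      # queued until the next hourly run
Get-RebaResult -Department 'TEST'              # completed or denied, with reasons
```

Because the request script runs hourly, a result can take up to an hour to appear; poll Get-RebaResult rather than waiting synchronously. Each result carries the original request, so the compact JSON string returned by Submit-RebaRequest is the key for matching a result to what you submitted. Run Submit-RebaRequest with -WhatIf first to confirm the Administrative OU distinguished name being modified, and if the write is refused, check that the account used has been granted write access on the requests attribute as listed in the attribute permissions table, since the attributes are confidential and are not readable or writable by default.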

OpenLDAP tools

The Active Directory team has created the following documentation for submitting requests and reviewing the results with OpenLDAP tools:

Questions

Please contact the Active Directory team via ServiceNow for any questions or assistance with this process.