Summary
The Active Directory team has created the Requests By Attribute process (aka REBA), which allows a department administrator to request protected actions in the Austin Active Directory by crafting the request as a JSON string and then adding the request to an attribute on the department's Administrative organizational unit (OU). This lets department administrators programmatically submit specific requests to the Active Directory team.
Overview
The Request By Attribute process consists of the following parts: the request string, the requests attribute, the request script, the request task, the result string and the results attribute.
Requests are processed automatically and are intended to reduce the need for department administrators to open tickets with the Active Directory team.
Process Overview
Organizational Units
The Request By Attribute process is centered around each department's Administrative OU. Each department in Active Directory has an Administrative OU that contains the resources managed by the Department User Tools, such as department user accounts and the department's Department Administrators group.
- The distinguished name of the Administrative OU for the EXAMPLE department would be: OU=EXAMPLE,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu
- The name of the Department Administrators group for the EXAMPLE department would be: EXAMPLE-Administrators
Attributes
The Request By Attribute process leverages the requests attribute and results attribute on each department's Administrative OU object. The attributes are confidential and cannot be accessed by default.
- The requests attribute for a department is the utexasEduAustinMulti1 attribute on the department's Administrative OU. The members of the department's Department Administrators group can read and write the attribute to submit or cancel requests for processing.
- The results attribute for a department is the utexasEduAustinMulti2 attribute on the department's Administrative OU. The members of the department's Department Administrators group can read the attribute to review the results of any processed requests.
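The following is an added example, not one of the Active Directory team's own scripts, showing how the two attributes described above are used from the ActiveDirectory PowerShell module: append a JSON request to the requests attribute, list or cancel pending requests, and read the results attribute. It assumes the EXAMPLE department, and the fields inside the request hashtable are illustrative placeholders; the real JSON schema for each request type is defined in that request type's documentation.

```powershell
# Added example (not the Active Directory team's scripts). Assumes the EXAMPLE department
# and that the caller is a member of EXAMPLE-Administrators, which is what grants read/write
# on the confidential requests attribute and read on the results attribute.
Import-Module ActiveDirectory

$DeptOU       = 'OU=EXAMPLE,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu'
$RequestsAttr = 'utexasEduAustinMulti1'   # queue of pending requests (read/write for dept admins)
$ResultsAttr  = 'utexasEduAustinMulti2'   # outcomes of processed requests (read-only for dept admins)

function Submit-RebaRequest {
    param([Parameter(Mandatory)][hashtable]$Request)
    # One request is one compact JSON string added as a new value of the multi-valued attribute.
    $json = $Request | ConvertTo-Json -Compress
    Set-ADObject -Identity $DeptOU -Add @{ $RequestsAttr = $json }
    return $json   # keep this exact string: cancelling removes the value that was written
}

function Get-RebaPendingRequests {
    # Any value still present has not yet been consumed by the hourly scheduled task.
    (Get-ADObject -Identity $DeptOU -Properties $RequestsAttr).$RequestsAttr
}

function Remove-RebaRequest {
    param([Parameter(Mandatory)][string]$Json)
    # Cancelling a request means removing its value before the scheduled task picks it up.
    Set-ADObject -Identity $DeptOU -Remove @{ $RequestsAttr = $Json }
}

function Get-RebaResults {
    # Each value is the result string for one processed request; denials include the reason.
    (Get-ADObject -Identity $DeptOU -Properties $ResultsAttr).$ResultsAttr
}

# Usage: the field names below are placeholders, not the real request schema.
$submitted = Submit-RebaRequest -Request @{
    RequestType = 'Delegation'                   # placeholder field
    Target      = "OU=PLACEHOLDER,$DeptOU"       # placeholder field
}
Get-RebaPendingRequests    # $submitted should be listed until the next hourly run
Get-RebaResults            # review after the scheduled task has processed the queue
```

Because the results attribute is shared by all of a department's requests, compare each result string against the request you submitted rather than assuming the newest value is yours.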
The requests attribute on a department's Administrative OU functions as a queue and holds all pending requests for the department. A scheduled task runs a PowerShell script hourly that evaluates all pending requests in the requests attribute. The script removes each pending request from the attribute and either performs the requested actions or denies the request, then posts the result of the request to a separate attribute on the same Administrative OU. Department administrators can review the results attribute to determine whether a request was completed or denied; a denied request includes information about why it was not performed.
Request Types
The Request By Attribute process is designed to support different types of protected actions. Each protected action is defined as a request type and documented below. Supported requests are available for use and are supported by the Active Directory team; planned requests are in development and will be available at a future time. Departments can submit suggestions for additional request types to the Active Directory team via the UT Service Desk.
REBA is designed to be extensible and can support multiple request types. Each supported and planned request type is documented in its respective section below, together with examples of how to submit that request type and review its results.
Supported Request Types
The following request types are currently supported by REBA:
- Requests By Attribute - Delegation - Department administrators can manage permissions on organizational units within a department. This process was previously available only via a ServiceNow request.
Planned Request Types
The following request types are expected to be supported by REBA in the future:
- DNS - Department administrators can request simple changes to create and manage DNS records associated with the department. This process will be limited to DNS records that begin with a department prefix.
Scripts
Submit Requests and Review Results
Submitting requests and reviewing results can be performed using any LDAPv3 compliant tools. The Active Directory team maintains a set of PowerShell scripts at https://github.austin.utexas.edu/eis1-aad/RequestsByAttribute to assist department administrators with this process.
The scripts below apply to all request types. See the pages above for the scripts specific to a request type.
The Active Directory team provides support for two methods to manage requests via REBA: the provided PowerShell scripts and the OpenLDAP tools. The Active Directory team provides best-effort support for all other methods.
PowerShell Scripts
The Active Directory team has created the following documentation for submitting requests and reviewing the results with PowerShell scripts:
OpenLDAP tools
The Active Directory team has created the following documentation for submitting requests and reviewing the results with OpenLDAP tools:
Questions
Please contact the Active Directory team via ServiceNow for any questions or assistance with this process.