Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The custom Austin Active Directory schema has been extended with the utexasEduAustinAuxClass and utexasEduAzureAuxClass auxiliary classes. These auxiliary classes add additional attributes to existing classes and allow additional information to be stored on objects in the Austin Active Directory. The attribute permission groups need to address multiple items:

  1. Must use "ControlAccess" due to confidential attributes
  2. The standard No Access vs. Read vs. Write
  3. The ability to address record restrictions for future directory services work

Current proposal is AUSTINenable granular access to the attributes with easy-to-read group names.

Permission Group Naming Convention

Each attribute permission group follows the [auxiliary-class-type]-[short-object-type]-[short-attribute-name]-[permission-codelabel]. The "short object type" is the shortened string of the AD object class pattern. The pattern is comprised of the following components:

  • [auxiliary-class-type] - AUSTIN for attributes in the utexasEduAustinAuxClass and AZURE for attributes in the utexasEduAzureAuxClass 

  • [short-object-type] -  the shortened name of the object that the attribute permission group applies to (ex. User,

...

  • Group, Computer,

...

C - Change - User is allowed to read and write the attribute

...

titleChange to Use of the "B" Group

The B group is currently not in use for any attributes. Do not use it at the present time!

...

  • OU)

  • [short-attribute-name] - the shortened name of the attribute that the attribute permission group applies to (ex. Single1, Multi2, Bool3, Time4)

  • [permission-label] - the permission label for the permissions granted to the attribute permission group (see below)

Permission Labels

Label

Code

Rights

Peruse

P

Read permission on the attribute; may be limited by record restrictions

Read

R

Read permission on the attribute

Write

W

Read and write permissions on the attribute

Example attribute permission groups

The current permission codes would result in the following example attribute permission groups:

$ad_write_ace - Boolean containing the state of the script (write the ACE or not)

This variable must be True in order to write the ACE.

...

  • AUSTIN-User-Single11-

    A

    Read - the members are allowed to read the utexasEduAustinSingle11 attribute on users

  • AUSTIN-OU-Multi12-

    C

    Write - the members are allowed to read and write the utexasEduAustinMulti12 attribute on OUs

Record restrictions are handled by placing a deny directly on the user object for the appropriate Access group. Membership in the Access, Bypass, and Change groups must be exclusive to prevent conflicts.

Script for setting the ACEs for access groups.

Note

In order to reduce the size of the ACL, only set an ACE for groups where that access type has been requested.
For example, if there is a request to read an attribute, but no request to write it as well, only set the ACE for the appropriate -A group. Do not set an ACE for the -C group as well if write access is not requested.

...

$ad_container - String containing the FQDN of the container to be updated

For user attributes, this will be "OU=People,DC=austin,DC=utexas,DC=edu" in AUSTIN

...

$ad_group - String containing the name of the attribute group

Example: AUSTIN-User-Single1-A, AUSTIN-User-Single1-B, AUSTIN-User-Single1-C